We are modernizing the Good Practices Guide. Learn more

Privacy and confidentiality

Protecting patient information


  • Most breaches of confidentiality are unintentional
    • unguarded conversations
    • misdirected documents
  • Some breaches are deliberate
    • unauthorized access

A healthcare provider who is unclear about whether she should access patient information should ask herself two questions:

  • "Do I need this information to provide care to this patient?"
  • "Do I have the patient's consent, implied or expressed, to access this information?"

If the answer to either question is not certain, it would be prudent to obtain express consent
Express consent:  May be in oral or written form. It should be obtained when the treatment is likely to be more than mildly painful, when it carries appreciable risk, or when it will result in ablation of a bodily function.

Although orally expressed consent may be acceptable in many circumstances, frequently there is need for written confirmation. As health professionals have often observed, patients can change their minds or may not recall what they authorized; after the procedure or treatment has been carried out, they may attempt to take the position it had not been agreed to or was not acceptable or justified. Consent may be confirmed and validated by means of a suitable contemporaneous notation by the treating physician in the patient's record.

Express consent in written form should be obtained for surgical operations and invasive investigative procedures. It is prudent to obtain written consent also whenever analgesic, narcotic or anaesthetic agents will significantly affect the patient's level of consciousness during the treatment.

Possible consequences of breaches:

  • for the patient:
    • embarrassment, social stigma, loss of job, increased stress, and in some cases worsening mental illness
  • for the physician:
    • complaints to hospital, College, privacy commissioner
    • legal action
  • for students:
    • complaint to your medical school
    • legal action

Physicians in Canada are required by law to maintain their patients' health information in confidence. The specific privacy legislation varies by jurisdiction. It is important to know the law in your province or territory.

Case: Treating multiple members in a family
Male physician on phone in front of computer


A young woman is applying for insurance. She asks her family physician to complete the attending physician's statement, as requested by the insurance company.

In the statement, the physician includes the family history of diabetes, as he knows the patient's mother suffered from the condition.

The insurance company writes back asking for more information, specifically for the diabetic family member's relationship to the applicant.

Think about it

Would providing the information about this patient's mother breach the mother's confidentiality?


If the patient had not revealed the family history of diabetes but the physician was aware of the mother's diabetes only because the mother was also his patient, he cannot reveal the information to the insurance company without the mother's consent.

In this case, the family physician was free to release the information to the insurance company because the daughter had informed him about her mother's condition and he had placed the information in the daughter's file.

Lessons learned

A significant advantage in family medicine is that the physician is often aware of the medical histories and social circumstances of each member of a family. However, when releasing an individual patient's health information — with the consent of the patient — to a third party, the family physician can reveal only information obtained directly from that patient.

Healthcare facilities  are also governed by privacy legislation. Most facilities have specific policies to protect patient privacy. Doctors and others working in the facility (including students) are expected to comply with those policies.

Explore an eLearning activity on Medical certificates, forms, notes, legal reports. Opens in new window
A Statement of Completion or CME credits are available.