COLLEGE OF PHYSICIANS AND SURGEONS OF ONTARIO

P O L I C Y S TAT E M E N T # 8 - 0 5

Confidentiality of
Personal Health Information
APPROVED BY COUNCIL: November 2000
REVIEWED AND UPDATED: November 2005
PUBLICATION DATE: March/April 2006
TO BE REVIEWED BY: November 2010
KEY WORDS: Confidentiality, Disclosure, Consent, Professional Misconduct
RELATED TOPICS: Mandatory Reporting, Medical Records
LEGISLATIVE REFERENCES: Regulated Health Professions Act, 1991; Medicine Act, 1991, S.O. 1991, c.30,
Ontario Regulation 856/93, subsection 1(1) paragraph 10 and subsection
1(2)(a) (b); Personal Health Information Protection Act, 2004, S.O. 2004, c.3,
Sched. A
REFERENCE MATERIALS: A Medico-Legal Handbook for Canadian Physicians (1997, Canadian Medical
Protective Association); Office Practice Guidelines for the Care of Adolescents
(1994, Canadian Paediatric Society)
COLLEGE CONTACT: Physician Advisory Service
 Confidentiality of Personal Health Information

PURPOSE e) relates to the donation by the individual of any

This policy is designed to help physicians understand body part or bodily substance,
their legal and professional obligations to maintain f ) is the individual’s health number, or
patient confidentiality. It is intended to provide a gen- g) identifies an individual’s substitute decision-maker.
eral overview of the confidentiality requirements set
“identifying information” means information that
out under the Personal Health Information Protection
identifies an individual or for which it is reasonably
Act, 2004 (PHIPA)1 and to outline other professional
foreseeable in the circumstances that it could be utilized,
obligations related to patient confidentiality and the
either alone or with other information, to identify an
practice of medicine. It is not meant to be construed
individual.
as legal advice, nor does it address all matters pertain-
ing to the confidentiality of patient information. PRINCIPLES
Given the complexities of the legal requirements, 1. Physicians must act in accordance with all of their
physicians are reminded that whenever there is uncer- professional and legal obligations.
tainty, they are advised to contact the Physician 2. To establish and preserve trust in the physician-
Advisory Service at the College, their legal counsel, patient relationship, patients must be confident
the Canadian Medical Protective Association that their personal health information will remain
(CMPA)2 or the Information and Privacy confidential.
Commissioner of Ontario for further direction. 3. Maintaining confidentiality is fundamental to pro-
viding the highest standard of patient care. Patients
DEFINITIONS who understand that their information will remain
The terms noted below will appear throughout this confidential are more likely to provide the physi-
policy and have the following legal definitions under cian with complete and accurate health informa-
section 4 of PHIPA: tion, which in turn, leads to better treatment advice
“personal health information,” subject to certain from the physician.
exceptions,3 means identifying information about an
individual in oral or recorded form, if the informa- POLICY
tion, The College expects physicians to follow the regula-
a) relates to the physical or mental health of the indi- tions under the Medicine Act, 1991;4 and the rules
vidual, including information that consists of the under PHIPA when collecting, using or disclosing per-
health history of the individual’s family, sonal health information.5
b) relates to the providing of health care to the indi- While PHIPA establishes rules in relation to the “col-
vidual, including the identification of a person as a lection,” “use” and “disclosure” of personal health
provider of health care to the individual, information, this policy will focus only on those per-
taining to the “disclosure” of such information.
c) is a plan of service within the meaning of the Long-
Term Care Act, 1994 for the individual, Disclosure of personal health information
d) relates to payments or eligibility for health care in A physician can only disclose his or her patient’s personal
respect of the individual, health information:

1 S.O. 2004, c. 3 Sched. A. In force as of November 1, 2004.

2 The majority of physicians in Ontario have liability coverage with the CMPA. Any physician with liability coverage from another provider is advised to contact that provider if uncertainty arises
regarding the confidentiality of patient information.
3 Please refer to section 4 of PHIPA, which sets out the exceptions to “personal health information.”
4 Refer to section heading ‘Professional Misconduct’ for direction.
5 In this policy, the provisions in PHIPA should be considered as they apply to physicians.

2 CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION

• when he or she has the patient’s or substitute deci-
sion-maker’s consent and it is necessary for a lawful
purpose;
• where it is permitted under legislation, without the
patient’s or substitute decision-maker’s consent; or
• where it is required by law.
Consent
Generally, physicians need express or implied consent
before disclosing personal health information.6
Physicians, however, are entitled to assume that they
have the patient’s implied consent for the purposes of
providing or assisting in providing health care, unless
the physician disclosing the information is aware that
the patient has expressly withheld or withdrawn con-
sent.7 This means that, without reason to believe oth-
erwise, physicians can share information with others
involved within the patient’s circle of care8 without
asking for the patient’s consent.
The patient’s express consent is required for providing
his or her personal health information outside of the
circle of care, except where otherwise directed by
statute.
“Lock boxes”
The term “lock box” applies to situations where the
patient has expressly restricted his or her physician
from disclosing specific personal health information
to others — even to others involved in the patient’s
circle of care.
Where in the course of treatment, a physician is not
able to disclose to another physician or health care
provider all of the information reasonably necessary
for providing care, the physician must notify the
recipient of that fact. Physicians are advised to discuss
with patients the potential health risks associated with
creating a lock box. These discussions and the patient’s
decision should be well documented in the patient’s
medical record.
Alternatively, if the lock box creates a situation where
the physician feels the patient’s safety is at risk, the
physician can refuse to provide treatment when it is
not an emergency situation. The physician should
explain the reasons for his or her decision not to treat
the patient and note all relevant discussions in the
patient’s health record.
It is to be noted that patients may not prevent the
physician from disclosing personal health information
permitted or required by law.9
Permitted disclosure under PHIPA
PHIPA allows the disclosure of personal health infor-
mation without patient consent under certain circum-
stances. Physicians, however, are not prohibited from
seeking the patient’s consent. For this reason, the
College advises physicians that, whenever possible,
they should make every reasonable effort to obtain the
patient’s consent before disclosing his or her informa-
tion.
The following sections address a limited number of
situations where disclosure of personal health infor-
mation is permitted without consent under PHIPA.10
Disclosure for the provision of health care under
exceptional circumstances
If the disclosure of personal health information is rea-
sonably necessary for the provision of health care and
it is not reasonably possible to obtain the patient’s
consent in a timely manner, a physician may disclose
the relevant information, unless the patient has
expressly instructed the physician otherwise.
For example, this type of disclosure allows the physi-
cian to perform necessary medical services during
emergency situations.
Disclosure related to risks
A physician may disclose personal health information

6 Under PHIPA, whether explicit or implicit, consent must: (i) be that of the individual; (ii) be knowledgeable; (iii) relate to the information at issue; and (iv) not be obtained through deception
or coercion. Where applicable, the substitute decision-maker or authorized representative may provide consent on behalf of the individual.
7 The patient is not able to withhold or withdraw his or her consent when the disclosure of personal health information is required by law (see section on ‘Required Disclosure’).
8 PHIPA does not define “circle of care,” however, the term refers to those in the health care team who are involved in the care or treatment of a particular patient. For example, it describes
health care practitioners, public or private hospitals, pharmacies, laboratories, ambulance services, community care access corporations. This definition of “circle of care” is supported by the:
Ontario Hospital Association, Ontario Hospital eHealth Council, Ontario Medical Association, and the Office of the Information and Privacy Commissioner of Ontario.
9 This statement refers to the provisions in PHIPA where a physician is permitted or required to disclose personal health information without the patient’s consent.
10 This list is not exhaustive. For a complete list of permissible disclosures of personal health information, please refer to sections 38 – 50 of PHIPA.

CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION 3

 Confidentiality of Personal Health Information
about an individual if the physician believes, on rea-
sonable grounds, that the disclosure is necessary to
eliminate or reduce a significant risk of serious bodily
harm to a person or group of persons. The disclosure
may be made to police, and in some instances, to the
intended victim(s).
Physicians are expected to use their best judgment in
these situations; however, physicians are advised to
contact the College’s Physician Advisory Service, their
lawyer, the CMPA, or the Information and Privacy
Commissioner of Ontario whenever they are uncer-
tain whether the disclosure is appropriate. Physicians
should also document all activities in the patient’s
medical record, and when appropriate, advise the
patient of their decision to disclose the relevant infor-
mation.
Disclosure for the purpose of regulating the medical
profession
Disclosure of personal health information to the
College is permitted for the purposes of administering
and enforcing the Regulated Health Professions Act,
1991 (RHPA). This includes disclosing personal health
information for the purpose of carrying out the regu-
latory duties in the RHPA (i.e., Registrar’s
Investigations and Quality Assurance peer assess-
ments).
Required disclosure
Physicians may be required by law, in a variety of cir-
cumstances, to disclose personal health information
without the consent of the patient.
Mandatory reports
Certain statutes have reporting provisions that may
require the physician to provide information about a
patient. Examples of legislation requiring mandatory
reports include the Regulated Health Professions Act,
1991; the Highway Traffic Act; the Child and Family
Services Act; the Health Protection and Promotion Act;
the Aeronautics Act; the Coroners Act; and the Health
Professions Procedural Code (see College policy on
Mandatory Reporting).
11 Under section 43(1)(h), PHIPA, whereby a physician can disclose personal health information where permitted or required by law.
4 CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION
Monitoring of claims for payment
In circumstances where the Ministry of Health and
Long-Term Care is monitoring or verifying claims for
payment for health care, or for goods used for health
care that are funded wholly or in part by the Ministry,
the physician must provide the patient’s personal
health information to the Minister, upon his or her
request.
Summonses, subpoenas and court orders
In the course of litigation, physicians may be required
by a summons, subpoena or a court order to disclose a
patient’s personal health information and patient
records. The physician should read the summons, sub-
poena or court order carefully and not do more than
it requires. For example, a summons may require a
physician to attend a court at a particular time and to
take a specific patient chart. The summons does not
authorize the physician to discuss the patient’s care
with, or show the record to, anyone in advance of the
court appearance.
Reports under the Workplace Safety and Insurance Act
Under the Workplace Safety and Insurance Act, a physi-
cian who is providing health care to a worker claiming
benefits under the workplace’s insurance plan must
promptly give the Workplace Safety and Insurance
Board (WSIB) the relevant personal health informa-
tion that the WSIB may require or that the patient
requests that the physician provide to the WSIB.
PHIPA permits the physician to report the required
information to the WSIB and/or the employer, with-
out the patient’s consent.11 If, however, the physician
takes the position that the patient ought to be aware
that his or her personal health information is being
provided to the WSIB and/or the employer, the physi-
cian ought to notify his or her patient of that fact.
Professional expectations regarding
disclosure
Physicians are expected to act in accordance with all legal
requirements, but must also use their best judgment to
practise medicine in a safe and humane manner.
Disclosure with respect to incapacity
When physicians have reasonable grounds to believe
that another physician or health care professional is
incapacitated,12 the College expects physicians to
behave ethically and in the public interest by taking
appropriate action.
Appropriate action may include, depending on the
circumstances, contacting the Physician Health
Program at the Ontario Medical Association, the
Registrar of the CPSO or other relevant regulatory
college, or the individual’s friends and family. Since
this action will likely require physicians to disclose the
individual’s personal health information, physicians
are advised to exercise caution and ensure that they
uphold their obligations under PHIPA.
Where disclosures are necessary to reduce or eliminate
a significant risk of serious bodily harm to a person or
a group of persons, or for the provision of care, physi-
cians may be able to disclose the individual’s personal
health information without contravening PHIPA. In
addition, physicians may be permitted to disclose
information to relatives or friends of the incapacitated
individual in order to obtain consent for treatment.13
Physicians carry this ethical obligation to take action
irrespective of whether there is a physician-patient
relationship with the incapacitated physician or health
care professional. Physicians may wish to contact their
legal counsel or the CMPA for guidance in these
situations.
Disclosure to a family member or friend
Situations may arise where physicians are asked by a
family member or friend about the condition of a
patient. Patients are permitted to restrict the disclo-
sure of such information. For this reason, physicians
will be required to obtain express consent from the
patient before they are able to disclose the patient’s
personal health information. Where the patient is not
capable to provide the required consent, physicians
must seek consent from the patient’s substitute deci-
sion-maker.
12 ‘Incapacitated’ as defined in section 1(1) of the Health Professions Procedural Code, Schedule 2 of the RHPA, S.O. 1991, c. 18 means that the member is suffering from a physical or
mental condition or disorder that makes it desirable in the interest of the public that the member no longer be permitted to practise or that the member’s practice be restricted.
13 Further details of these permitted disclosures can be obtained by consulting PHIPA directly.
CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION
The College, however, recognizes that there may be
situations where it will not be possible to obtain con-
sent from the patient or the substitute decision-maker.
In this situation, the College advises physicians to
exercise caution and to use their best judgment when
providing information. Discussions with friends and
family ought to be limited to basic information about
the patient’s general state of health.
Other topics related to disclosure
Disclosure to custodial and/or access parents
There may be instances when a physician receives a
request to disclose personal health information to a
patient’s parents or a third party where the parents
have separated or divorced. If the child-patient has the
capacity to provide consent, the physician must first
seek the consent of the patient before any disclosure is
made.
In dealing with requests from parents to disclose
information to the parent or a third party, physicians
should be aware that, under provincial legislation,
there are different rights for the custodial parent and
the non-custodial/access parent. The law, a court
order or the terms of a separation agreement may
prevent one of the parents from making decisions
with respect to the personal health information about
their child. Physicians are advised to act with sensitiv-
ity and request a copy of the applicable separation
agreement or court order prior to releasing any infor-
mation.
When releasing a child’s medical record or disclosing
the information in the record, physicians should
exclude any reference or information pertaining to
other family members and/or third parties. In addi-
tion, physicians are encouraged to keep copies of rele-
vant agreements or court orders in the patient’s
medical record.
Disclosure to police
It is not mandatory for physicians to provide confi-
dential material to the police in the absence of a legal
5
 Confidentiality of Personal Health Information
obligation. At these times, the general rules regarding
consent and disclosure apply, meaning that express
consent, either from the patient directly, or the substi-
tute decision-maker, will be required before the police
are provided with personal health information.
When personal health information is disclosed to the
police, physicians are encouraged to record the offi-
cer’s name and badge number, the request for infor-
mation, the information provided, and the authority
for the disclosure (e.g., consent, reporting obligation,
search warrant or summons). A photocopy of any
search warrant or summons should be included in the
patient’s medical record. The police or Crown attor-
ney will usually take the originals but leave the physi-
cian with copies of the record so that ongoing care
can be given.
Proper information practices
Physicians have always been obligated to keep their
patients’ personal health information confidential,
however, the introduction of PHIPA has also imposed
a legal obligation on physicians to maintain and com-
ply with information practices that, among other
things, keep their patients’ personal health informa-
tion:
• accurate, current and complete; and
• protected against theft, loss or unauthorized use or
disclosure.
If personal health information is stolen, lost or
accessed by, or disclosed to an unauthorized person,
patients must, subject to specific exceptions,14 be noti-
fied at the first reasonable opportunity.
Conversations with, or about, patients in the
health care setting
As a matter of practising medicine, physicians are
required to ask many questions and/or discuss person-
al health matters with patients, other
physicians/health care professionals and/or office/hos-
pital staff. For this reason, it is essential that physi-
14 Exceptions include if the information is being held for research purposes as permitted under PHIPA or other prescribed exceptions under the Act.
6 CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION
cians and all staff take every precaution to ensure that
conversations regarding patient information are not
inadvertently overheard by others. Extra sensitivity is
required by physicians and staff when discussing
patient matters, either on the telephone or in person
within hearing distance of others. For example, physi-
cians should be cautious if discussing matters of per-
sonal health with patients in emergency room areas,
or if a conversation is taking place with staff close to a
reception area.
Technology
Technology has provided physicians and patients alike
with a more efficient way of maintaining and commu-
nicating personal health information. There are, how-
ever, several ways in which a physician using modern
technology may inadvertently breach patient confi-
dentiality, for example: wireless network connections
can pose security problems; e-mails can be inadver-
tently sent to the wrong recipient; inappropriate read-
ers may access computer files; and erased hard drives
may contain private information. The College encour-
ages physicians to capitalize on the advantages that
electronic record keeping and other technological
advances have to offer, however, it is always the
responsibility of the physician to ensure that appropri-
ate security provisions have been made.
The College strongly advises that physicians obtain
patient consent to use electronic means for communi-
cating personal health information. As part of obtain-
ing consent, physicians must explain to patients the
inherent risks of using this form of communication.
As a way of recording the patient’s express consent,
the CMPA has provided a written consent form that
can be used whenever possible. Completed consent
forms should be included in the patient’s medical
record.
Voice messaging
Physicians may sometimes wish to communicate with
patients by telephone, and should confirm and obtain
consent to use this method of communication with
patients.
On certain occasions, it may be necessary to leave a
voice message on a machine or with a third party.
Physicians should be aware that when leaving voice
messages for patients, more than one person in a
home or an office may access messages. For this rea-
son, physicians are advised to exercise caution regard-
ing the content of any messages left for patients.
While it is acceptable for messages to contain the
name and contact information of the physician or the
physician’s office, the College advises that messages
should not contain any personal health information of
the patient, such as details about the patient’s medical
condition, test results or other personal matters.

PROFESSIONAL MISCONDUCT
Under the regulations to the Medicine Act, 1991, it is
an act of professional misconduct for a physician to:
“[give] information concerning the condition of a
patient or any services rendered to a patient to a
person other than the patient or his or her author-
ized representative except with the consent of the
patient or his or her authorized representative or as
required by law.” 15

15 Ontario Regulation 856/93, as amended (made under the Medicine Act, 1991) s. 1(1) paragraph 10.

CPSO POLICY STATEMENT – CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION 7

CONFIDENTIALITY OF PERSONAL HEALTH INFORMATION

COLLEGE OF PHYSICIANS AND SURGEONS OF ONTARIO

80 COLLEGE STREET, TORONTO, ONTARIO M5G 2E2