skip to content

Protecting Personal Health Information

Print page icon

Approved by Council: November 2000
Reviewed and Updated: November 2005, March 2020

Companion Resource: Advice to the Profession

 

Policies of the College of Physicians and Surgeons of Ontario (CPSO) set out expectations for the professional conduct of physicians practising in Ontario. Together with the Essentials of Medical Professionalism and relevant legislation and case law, they will be used by CPSO and its Committees when considering physician practice or conduct.

Within policies, the terms ‘must’ and ‘advised’ are used to articulate CPSO’s expectations. When ‘advised’ is used, it indicates that physicians can use reasonable discretion when applying this expectation to practice.

Additional information, general advice, and/or best practices can be found in companion resources, such as Advice to the Profession documents.

 

Definitions

Circle of care: the group of health care providers (e.g. nurse, physician, resident, clinical clerk, and any other health care practitioner providing care to the patient) treating a patient who need the patient’s personal health information in order to provide health care. This can also include employees and/or administrative staff who need the personal health information to carry out their duties.

A person outside a patient’s circle of care would include:

  • a person or entity who is not a health care provider (e.g. family, friends, the police, an insurance company, or the patient’s employer); and
  • another health care provider, including a physician, where the PHI is being provided for a purpose other than providing health care to the patient (e.g., for research).

For further information and examples, see the Advice to the Profession: Protecting Personal Health Information document.

E-Communications: electronic communication tools including email, messages transmitted through electronic medical record platforms, online forums, patient portals, social media applications, instant messaging and texting, and telemedicine (including audio and videoconferencing).1

Lockbox: a term used to describe a patient’s express instruction to withhold or withdraw their consent to disclose all or part of their personal health information to another health care provider.2

Mobile device: includes, for example, a mobile phone, laptop, USB drive, external hard drive, tablet, and wearable device.

Personal health information (PHI): any information relating to a person’s health that identifies the person, including, for example, information about their physical or mental health, family health history, information relating to payments or eligibility for health care, and health card numbers.3

Substitute decision-maker (SDM): a person authorized to consent on behalf of a patient to the collection, access, use, or disclosure of PHI about the patient.

 

Policy

This policy includes legislative requirements and professional obligations of physicians related to the privacy and confidentiality of patients’ PHI.  It does not, and is not intended to, set out all of the legislative requirements regarding privacy and confidentiality of PHI. Physicians are responsible for ensuring that they comply with all of the legislative requirements; the complexity of the law in this area may warrant independent legal advice in specific circumstances.

General

  1. Physicians must only collect, access, use, or disclose a patient’s PHI:
    1. in situations where:
      1. the patient or SDM has provided consent, and it is necessary for a lawful purpose;4 or
      2. it is permitted or required by law without consent;5 and
    2. where they need the PHI to carry out their duties.
  2. Physicians must not:
    1. collect, access, use, or disclose a patient’s PHI if other information will serve the purpose; and
    2. collect, access, use, or disclose more PHI than is reasonably necessary to meet the purpose.6

Obtaining Consent to Collect, Access, Use, or Disclose PHI7

Under the Personal Health Information Protection Act, 2004 (PHIPA), consent may be either express or implied.8 Physicians who have received PHI from the patient, SDM, or another health care provider for a health care purpose can rely on the patient’s implied consent to disclose the PHI within the patient’s circle of care, unless they have reason to believe that the patient has expressly withheld or withdrawn consent to do so.

The rules governing consent to decisions involving personal health information are found in PHIPA and are different from those governing consent to treatment found in the Health Care Consent Act, 1996.9

  1. Except as permitted or required by law, physicians must obtain the patient’s express consent before:
    1. collecting, accessing, or using PHI where they are outside the patient’s circle of care in the circumstances; and
    2. disclosing PHI to a person who is outside the patient’s circle of care.
  2. For consent to be valid, be it express or implied, physicians must ensure that it:
    1. is obtained from the patient, if they are capable of consenting, or the SDM, if the patient is incapable;10
    2. is reasonable to believe that the patient knows the purposes of the collection, use, or disclosure, and that they may give or withhold consent;11
    3. relates to the information; and
    4. is not obtained through deception or coercion.12

Consent from Minors

  1. Where a patient is capable of consenting to a decision about their PHI, physicians must obtain consent from the patient directly, regardless of the patient’s age.13
  2. Where a capable patient is younger than 16 years old, and the information does not relate to a treatment decision14 the patient has made, PHIPA permits the patient’s parent to also give or refuse consent to a decision about the patient’s PHI.15 However, in these cases, physicians must respect the patient’s decision over a conflicting decision by the parent.

Lockboxes

  1. Where a patient indicates an interest in creating a lockbox, physicians must:
    1. engage in a discussion with the patient about the potential health risks and limitations, and implications associated with lockboxes; and
    2. document this discussion and the patient’s decision in the patient’s medical record.
  2. Physicians must not disclose PHI in a lockbox unless consent is obtained or permitted or required by law (such as where there are reasonable and probable grounds to believe that the disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group of people, including the patient).16
  3. Where the patient has not consented to the disclosure of PHI that is reasonably necessary for providing care and the disclosure is not permitted or required by law, the disclosing physician must notify the recipient physician or other health care provider of the fact that there is additional relevant PHI that cannot be disclosed.
  4. Having received this notification, the recipient physician must then consider whether the lockbox prevents them from safely providing care, taking into account the patient’s best interests.
    1. Recipient physicians who provide care to the patient without access to the PHI in the lockbox must:
      1. explain to the patient the risks and limitations of proceeding without disclosure of the PHI; and
      2. document this discussion in the patient’s medical record.
    2. Where the recipient physician declines to provide care in these circumstances, the disclosing or recipient physician, as appropriate, must:
      1. explain the decision and reasoning to the patient; and
      2. document this discussion in the patient’s medical record.

Security of Communications

  1. Physicians must take reasonable steps to protect PHI, including protection against theft, loss, and unauthorized access, use, and disclosure of PHI.17
  2. In particular, physicians must take reasonable steps to protect PHI from being inadvertently disclosed without authorization through:
    1. in-person and telephone conversations, including as a result of being overheard by others (e.g., other patients in reception or emergency room areas);
    2. voicemail messages left for patients, taking into account that more than one person may have access to voicemail at the patient’s home or office;
    3. faxes, including as a result of being sent to, or intercepted by, unintended recipients; and
    4. email, telemedicine, social media, and any other form of e-communication.
  3. Physicians must use encrypted e-communication when communicating PHI to other health care providers, unless there is an emergency or other circumstance that requires the use of unencrypted e-communication.18
  4. Physicians must use encrypted e-communication when communicating PHI to patients, where possible.
    1. If encrypted e-communication is not possible (i.e., because the patient does not have access to encrypted e-communication technology), physicians must consider whether it is reasonable to communicate with patients through unencrypted e-communication, taking into account:
      1. the degree of sensitivity of the PHI being communicated;
      2. the volume of information and frequency of e-communication;
      3. the purpose of the transmission;
      4. patient expectations;
      5. the availability (or lack thereof) of alternative methods of communication; and
      6. any emergency or other urgent circumstances.
    2. Where using unencrypted e-communication to communicate PHI to patients, physicians must obtain and document the patient’s express consent to this form of communication.19
    3. When obtaining the patient’s express consent to use unencrypted e-communication, physicians must inform the patient about:
      1. how this kind of e-communication will be used;
      2. the type of information that will be communicated;
      3. how the e-communication will be processed; and
      4. the limitations and risks of using unencrypted e-communication.

Security of Mobile Devices and the Cloud

  1. When using mobile devices or cloud-based servers to access, store, or back up PHI – even temporarily – physicians must ensure that the PHI on the device or server is protected by encryption.

Photographs and Video Recordings

  1. If photographs or video recordings of a patient are required for providing care and/or for documentation,20 physicians must:
    1. inform the patient about the purpose of the photograph or recording;
    2. include a copy of the photograph or recording in the patient’s medical record; and
    3. permanently delete and/or destroy any back-up copy of the photograph or recording in accordance with PHIPA.21

Privacy Breaches

  1. Physicians must comply with all applicable legislative and regulatory requirements in the event of a privacy breach, including notification and reporting requirements.22
 

Endnotes

1. See the CPSO’s Virtual Care policy for additional expectations regarding telemedicine.

2. The concept of a lockbox is also sometimes referred to as “masking.” When proclaimed in force, Part V.1 of the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (hereinafter “PHIPA”) will govern “consent directives” and “consent overrides,” which are similar concepts to the lockbox in the context of the provincial Electronic Health Record.

3. This list is non-exhaustive; a full legislative definition, along with certain exceptions, is found s. 4 of PHIPA.

4. Generally speaking, activities associated with the normal course of a physician’s practice as they relate to the provision of health care will be for a “lawful purpose”.

5. These situations include specific permissions and requirements set out in PHIPA and other legislation, such as reporting requirements outlined in CPSO’s Guide to Legal Reporting Requirements. See the Advice to the Profession: Protecting Personal Health Information document for further guidance.

6. See s. 30 of PHIPA. It is also an act of professional misconduct for a physician to give “information concerning the condition of a patient or any services rendered to a patient to a person other than the patient or his or her authorized representative except with the consent of the patient or his or her authorized representative or as required by law”: O. Reg. 853/96, “Professional Misconduct,” s. 1(1)10.

7. While PHIPA establishes rules about the collection, use, and disclosure of PHI, this policy largely focuses on expectations related to disclosure given the particular relevance to physicians’ practice.

8. Express consent is direct, explicit, and unequivocal, and can be given either verbally or in writing. Implied consent is inferred from the words or behaviour of the patient, or surrounding circumstances, such that a reasonable person would believe that consent has been given, although no direct, explicit, and unequivocal words of agreement have been given.

9. Health Care Consent Act, 1996, S.O. 1996, c. 2, Sched. A (hereinafter “HCCA”).

10. Patients are capable of consenting if they are able to understand information relevant to deciding whether to consent to the collection, use, or disclosure of their PHI, and to appreciate the reasonably foreseeable consequences of giving, not giving, withholding, or withdrawing their consent.

11. Section 18(1)(b) of PHIPA describes this component of valid consent as “knowledgeable”.

12. See sections 18 to 28 of PHIPA for further information regarding the tests for consent and capacity to make decisions regarding the collection, use, and disclosure of PHI.

13. In doing so, physicians are entitled to presume capacity unless there are reasonable grounds to believe otherwise.

14. This includes “treatment” as defined in accordance with the HCCA and counselling provided under the Child, Youth, and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1.

15. PHIPA specifies that “parent” in this context does not include a parent who has only a right of access (i.e. visitation) to the child and not decision-making authority.

16. The Advice to the Profession: Protecting Personal Health Information document provides additional examples of disclosures that can be made without consent.

17. Section 13(1) of PHIPA also requires physicians acting as health information custodians to ensure that records of PHI in its custody or control are retained, transferred, and disposed of in a secure manner.

18. See the Advice to the Profession: Protecting Personal Health Information document for further information about encrypted e-communication tools.

19. As a way of recording the patient’s express consent, consult the written consent form template prepared by the Canadian Medical Protective Association.

20. Different considerations will apply where the photograph or video recording is not for the purpose of providing care; e.g. where it is for educational purposes (see the Advice to the Profession: Protecting Personal Health Information document) or advertising purposes (see Part II of O. Reg. 114/94 made under the Medicine Act).

21. This will include any digital copies stored in the cloud. For further information, see s. 13(1) of PHIPA and the IPC’s Fact Sheets on Secure Destruction of Personal Information and Disposing of Your Electronic Media.

22. See the CPSO’s Guide to Legal Reporting Requirements for physicians’ reporting requirements around privacy breaches.