Health Privacy and Confidentiality

Physicians are obligated to keep all patient information confidential. Confidentiality encourages the patient to provide the physician with all relevant information so that the physician can diagnose and treat the patient.


Physicians in Canada are required by law to keep their patients’ health information confidential. The specific privacy laws vary by province and territory. However, similar confidentiality oaths and ethical expectations apply across Canada. The discussion below uses Ontario as a broad example; it is not meant to replace conversations with your own physician and/or lawyer.


Ontario’s Personal Health Information Protection Act (PHIPA) gives you the right to:


  • be made aware of the reasons for the use of your personal health information;
  • be alerted to unauthorized disclosure of your personal health information;
  • refuse or consent to the use of your personal health information;
  • withdraw your consent;
  • complain to the privacy office about a privacy breach or potential breach; and
  • begin a legal process for damages for harm suffered after an order has been issued or a person has been convicted of an offence under PHIPA.

What is my personal health information?


Personal health information includes any identifiable information about your health or health care history.


This includes your medical history, healthcare provider visit details, test results and your health card number.


Who has records and which records can be accessed?


Under the Personal Health Information Protection Act, “you have the right to request access to your own personal health information held by healthcare providers, called health information custodians, such as physicians and nurses.”


People have many healthcare providers involved in their care, such as physicians, pharmacists and therapists. This is called a circle of care. Healthcare professionals are assumed to be able to share information with any provider within this circle of care.


If a patient does not want this, a specific request must be submitted. A health information custodian – such as a physician, nurse, or pharmacist – may not assume your consent when disclosing your health information to a person who is not in the circle of care (e.g. not a health information custodian).


How is my health information kept secure if an electronic health record is used?


Electronic health records can use a variety of technical safeguards to protect your personal health information. You can also limit access to your personal health information even more by creating a “lockbox” in your electronic health record. In addition, many hospitals and clinics have mandatory confidentiality agreements and training to protect patients’ privacy.


Here is a short video from the Ottawa Hospital on patient privacy and electronic health records: