Patient Privacy

Woman working on a laptop

As you read the newspaper one morning, your eye is caught by the photo of a former patient. You read that he suffered a workplace accident that saw him transported to hospital in critical condition. That day at work, you access his hospital file to find out how he is doing.

When you are confronted the next day by the hospital’s Privacy Officer for breaching the patient’s privacy, you are horrified. You explain that, as his former physician, you were justifiably concerned about his health.

It is during this deeply uncomfortable conversation that you learn about the “need to know” principle and the “circle of care.”

As explained in a recently approved College policy, patients’ personal health information (PHI) is protected when it remains both confidential and private. And while physicians are generally familiar with the duty of confidentiality, which prohibits them from sharing information about a patient without authorization, they are less familiar with the duty of privacy, which is broader and prohibits physicians from looking at PHI where they have no authority to do so. This includes physicians who are no longer in the patient’s circle of care — the group of health–care providers who need access to the patient’s PHI in order to provide the patient with health care.

“Some health-care providers mistakenly believe that they are permitted to review a patient’s personal health information (PHI) so long as they maintain the patient’s confidentiality by not sharing it with anyone else, “ states the Advice to the Profession document, which accompanies the Protecting Personal Health Information policy. In reality, the accessing of this information is a breach of patient privacy. Physicians with technical sign-in ability to an electronic records system do not have authority to access all records in the system and may be “snooping” if they view a patient’s records where they do not need that information to provide care.

These principles of privacy and confidentiality are reflected in the Personal Health Information Protection Act, 2004 (PHIPA). This legislation sets out a framework for when health information custodians and their agents, including physicians, are authorized to collect, use, and disclose PHI. Generally speaking, physicians may only access PHI with patient consent and on a “need to know” basis, unless they are otherwise permitted or required to do so by law.

For more information, please refer to the Protecting Personal Health Information policy and its Advice to the Profession document.