Ontario’s Personal Health Information Protection Act, 2004, governs the collection, use and disclosure of personal health information by dentists and other health information custodians practising within Ontario. At its core, PHIPA balances the requirement that personal health information be maintained in a private and secure fashion with the need to make such information readily available for the delivery of effective health care.
As custodians of personal health information, dentists are held to a very strict standard of confidentiality. Unfortunately, it is all too easy to forget that even the fact that someone is a patient is private. Many dentists casually share treatment information about one person with other family members without consent. Ignoring the risk of theft or loss, some dentists still transport computers, smartphones, and other electronic devices containing unencrypted patient information. Some dentists engage in e-mail exchanges about treatment or even send patient records electronically, which, while convenient, is dangerous without proper safeguards. The time to change such practices is now, before the reputational and financial consequences escalate.
Circle of Care
It is important that dentists carefully consider whether an individual requesting a patient’s personal health information falls within the patient’s circle of care such that the dentist can assume the patient’s implied consent to release the personal health information in question.
When confronted with such a situation, it is helpful to be mindful of the following:
- If the circumstances of a request do not satisfy the conditions for assuming implied consent, there is nothing preventing you from contacting the patient in question to obtain his or her express consent to release his or her personal health information to the requesting party.
- Even where a request satisfies the conditions for assuming implied consent, it is always preferable to secure a patient’s explicit consent to release personal health information to a third party, if time permits and as long as it is practical.
A health information custodian may only assume a patient’s implied consent if all of the following six conditions are met:
- The health information custodian must fall within a category of health information custodians that are entitled to rely on assumed implied consent.
- The personal health information to be collected, used or disclosed by the health information custodian must have been received from the individual, his or her substitute decision-maker or another health information custodian.
- The health information custodian must have received the personal health information that is being collected, used or disclosed for the purpose of providing or assisting in the provision of health care to the individual.
- The purpose of the collection, use or disclosure of personal health information by the health information custodian must be for the provision of health care or assisting in the provision of health care to the individual.
- In the context of disclosure, the disclosure of personal health information by the health information custodian must be to another health information custodian.
- The health information custodian that receives the personal health information must not be aware that the individual has expressly withheld or withdrawn his or her consent to the collection, use or disclosure.