Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”), governs the collection, use and disclosure of personal health information by dentists and other health information custodians practising within Ontario. At its core, PHIPA balances the requirement that personal health information be maintained in a private and secure fashion, with the need to make such information readily available for the delivery of effective health care.
As custodians of personal health information, dentists are held to a very strict standard of confidentiality. Unfortunately, it is all too easy to forget that even the fact that someone is a patient is private. Treatment information about one patient should not be casually shared with other family members without consent. Dentists should be very cautious when transporting computers, smartphones, and other electronic devices containing unencrypted patient information. Dentists should be cognizant of the risk of theft or loss. Some dentists engage in e-mail exchanges about treatment or even send patient records electronically, which, while convenient, is dangerous without proper safeguards. The time to change such practices is now, before reputational and financial consequences escalate.
A health information custodian may only assume a patient’s implied consent if all of the following six conditions are met:
- The health information custodian must fall within a category of health information custodians that are entitled to rely on assumed implied consent.
- The personal health information to be collected, used or disclosed by the health information custodian must have been received from the individual, his or her substitute decision-maker or another health information custodian.
- The health information custodian must have received the personal health information that is being collected, used or disclosed for the purpose of providing or assisting in the provision of health care to the individual.
- The purpose of the collection, use or disclosure of personal health information by the health information custodian must be for the provision of health care or assisting in the provision of health care to the individual.
- In the context of disclosure, the disclosure of personal health information by the health information custodian must be to another health information custodian.
- The health information custodian that receives the personal health information must not be aware that the individual has expressly withheld or withdrawn his or her consent to the collection, use or disclosure.
Circle of Care
It is important that dentists carefully consider whether an individual requesting a patient’s personal health information falls within the patient’s circle of care such that the dentist can assume the patient’s implied consent to release the personal health information in question.
When confronted with such a situation, it is helpful to be mindful of the following:
- If the circumstances of a request do not satisfy the conditions for assuming implied consent, you can contact the patient in question to obtain his or her express consent to release his or her personal health information to the requesting party.
- Even where a request satisfies the conditions for assuming implied consent, it is may be preferable to secure a patient’s explicit consent to release personal health information to a third party, if time permits and as long as it is practical.