InfoLAW: Confidentiality of Health Information

Privacy is an aspect of personal information that is legislated at a federal and provincial level. At its core, personal information implies any data that can identify an individual, such as medical history.¹ Patients have a right to control their own information based on what the law permits or requires. Maintaining confidentiality is an aspect of privacy and consists of the obligation for certain persons (e.g. regulated health professionals) not to disclose another person’s information to third parties unless there is a reasonable lawful reason to do so, such as a nurse testifying under oath at trial. 

Generally, a patient’s personal health information (PHI) is to only used for the purpose for which it was disclosed within the healthcare team and in compliance with what the law permits or requires. 

Is there a legal requirement to maintain confidentiality?

Yes. There are legal, professional, and ethical obligations that oblige healthcare professionals to maintain patient confidentiality, as an individual’s PHI is intimate and sensitive information.  

These requirements to keep patient health information confidential can generally be found in: 

• Federal, provincial and territorial legislation governing PHI, regulated health professions, health facilities, health insurance, occupational health and privacy; 

• court decisions and common law; 
• provincial and territorial nursing practice standards and guidelines (ex: from a regulatory body); 
• the Canadian Nurses Association’s Code of Ethics for Registered Nurses² and other professional ethics guidance documents or association standards; 
• information and privacy commissioners’ guidance documents; 
• employer confidentiality agreements, job descriptions and policies. 

Can the patient’s information be shared with healthcare professionals or others?  

Legislation is directed at the “custodian” or “trustee” responsible for maintaining health information, but authorizes others, including nurses, to fulfil functions on its behalf.³ In order for a patient to be cared for properly, the patient’s healthcare team members must be able to share patient information with each other in order to coordinate care. Generally, PHI should only be shared with those who are providing care or who have been consulted regarding a particular patient, on a reasonable need-to-know basis.  

Other healthcare professionals not directly involved in the patient’s care may be required to access health information. The PHI custodian or trustee may authorize certain individuals to review health information for a variety of reasons including practice support, quality assurance, and educational and learning opportunities. Nurses in such roles should consider whether there is written authorization for them to access and use PHI if this is part of their job or within their responsibility.  

Information may also be shared if the patient provides consent to disclose. A family connection or friendship does not generally entitle a person to a patient’s health information unless this is specifically addressed in the governing legislation (e.g. privacy, substitute decision making). Written consent from the patient may be required prior to disclosure of health information to a third party or to adhere to the law or policy on substitute decision-making. 

Are there exceptions to the duty to maintain confidentiality?  

Legislation may require or justify disclosure of confidential health information. Common examples include child protection legislation, public health and communicable disease legislation (such as during the COVID-19 pandemic), other mandatory-reporting legislation, and privacy legislation authorizing disclosure to protect public health and safety⁴. For example, some provinces and territories have legislation requiring health institutions to report gunshot wounds and stabbings to the police.⁵ 

Involvement in legal proceedings, either as a party or a witness, may justify disclosure of health information relevant to the legal issues. Simply being involved in legal proceedings does not provide authorization to use, access or disclose personal health information, especially where the healthcare professional in question is not the custodian or trustee of the information. When party to a legal proceeding, legal counsel may advise under what circumstances and the amount of information that can be disclosed. As a general rule, if asked to act as a witness, disclosure may be requested under the authority of a court order or subpoena.⁶ The court order or subpoena should be reviewed carefully to ensure that there is not an inadvertent disclosure of more information than what is legally permitted.  

In rare circumstances, a nurse may be justified in divulging confidential patient information for the purpose of warning others of possible danger from a patient if there is a credible, imminent risk of serious bodily harm or death to a known person or persons, perhaps to the police, out of concern for others.⁷ A nurse should first consult with the employer’s privacy officer or legal counsel before releasing any confidential patient information. Depending on the circumstances, consultation with other members of the patient’s healthcare team, such as their family doctor or psychiatrist, may be helpful in determining the best course of action. 

What are the consequences of unauthorized disclosure?

There are a number of possible consequences in the case of an improper release of information: 

• A patient may sue for negligence, breach of confidentiality or privacy, or defamation. 
• A professional nursing regulator may institute disciplinary proceedings.  

• An employer may commence an investigation. 
• The provincial or territorial privacy commissioner may investigate a complaint. 

The sanction will typically be proportionate to the infraction. For example, a Registered Nurse was discharged by their employer for repeatedly breaching patient privacy. More specifically, the nurse had accessed over 5,800 patient medical records over a seven-year period, most of them in medical units they were not assigned to. The nurse maintained that they were accessing records for the “educational or learning opportunity” exception. Ultimately, the arbitrator found that the majority of the nurse’s access was improper, as they were not caring for the patients whose information was accessed.⁸ This ruling also gave the employer just cause to terminate the nurse’s employment. 

Thus, it would be prudent to become familiar with the applicable legislation and sources of legal, professional and ethical obligations to maintain the confidentiality of PHI at all times.  

Is an occupational health nurse required to disclose employee health information to the employer?

An occupational health nurse is obliged, upon the request of the employer, to release certain health information, but only to the extent required to advise the employer whether the employee is fit, unfit, or fit within limitations, to perform a particular job. Before releasing any further information, the employee must provide explicit written consent. 

When an employer asks for confidential health information about an employee beyond what is required to determine their fitness to work, a conflict may arise between the obligation to maintain confidentiality and the duty of loyalty to the employer. If this conflict arises, the legal and professional duty remains to maintain employee confidentiality. In fact, some Canadian jurisdictions have legislation preventing an employer from gaining access to an employee’s health information, in the absence of the employee’s written consent.⁹

Is a nurse under an obligation to release health information to the police?  

There is no requirement to release health information to actively assist police in investigating a crime, although it is a criminal offence to obstruct police. Police officers who question a nurse about a patient’s medical condition or health record should be referred to the appropriate administrator within the institution, such as the privacy officer, who will then decide the best course of action. Police must obtain legal authority to access health information, such as a court order or subpoena. When a nurse is subpoenaed to give evidence at a hearing, the nurse must comply with the terms of the subpoena and be careful not to provide more information than is permitted.¹⁰ 

Key Takeaways 

• Respecting the confidentiality of a patient’s PHI is an important component of a nurse’s professional, legal and ethical obligations.  
• A nurse should thus strive to maintain the patient’s privacy at all times, unless they are faced with an exception, such as those listed above.  
• Some exceptions to maintaining confidentiality include: child protection legislation, public health and communicable disease legislation, other mandatory-reporting legislation, and privacy legislation authorizing disclosure to protect public health and safety.  
• In a case where the duty of disclosure is unclear, it would be prudent to contact the employer, privacy officer, nursing regulator or legal advisor for more information. 
• Police officers who question a nurse about a patient’s medical condition or health record should be referred to the appropriate administrator within the institution, such as the privacy officer or health information custodian or trustee, who will then decide the best course of action. 

For more information, please consult our infoLAW on Communicating with the Police and Privacy. CNPS beneficiaries can contact CNPS at 1-800-267-3390 to speak with a member of CNPS legal counsel. All calls are confidential. 

1. Office of the Privacy Commissioner of Canada, Summary of privacy laws in Canada, January 2018, online : https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/.
2. Canadian Nurses Association, Code of Ethics for Registered Nurses, 2017, online: https://hl-prod-ca-oc-download.s3-ca-central-1.amazonaws.com/CNA/2f975e7e-4a40-45ca-863c-5ebf0a138d5e/UploadedImages/documents/Code_of_Ethics_2017_Edition_Secure_Interactive.pdf
3. For more information, see “Are you a custodian or trustee of health records?” article: https://cnps.ca/index.php?page=429
4. For example, see Alberta’s Health Information Act, R.S.A. 2000, c. H-5, s. 37.3.
5. Examples include mandatory reporting of gunshot or stab wounds to police, and reporting adverse events to a central government body. Ontario health care facilities, for example, are required by the Mandatory Gunshot Wounds Reporting Act, 2005, S.O. 2005, c. 9, s. 2(1) to “disclose to the local municipal or regional police force or the local Ontario Provincial Police detachment the fact that a person is being treated for a gunshot wound, the person’s name, if known, and the name and location of the facility.” Several other Canadian jurisdictions have enacted similar legislation. Some also require the reporting of stab wounds.
6. A subpoena is a written command or summons requiring the attendance of someone as a witness at a legal proceeding. For more information, please consult our infoLAW on Communicating with the Police.
7. For example, see Nova Scotia’s Personal Health Information Act, S.N.S. 2010, c.41, s.38(1)(d) or Ontario’s Personal Health Information Act, S.O. 2004, c.3, Sch. A, s.40 (1).
8. North Bay Health Centre v Ontario Nurses’ Association, 2012 CanLII 97626 (ON LA)
9. For example, the Ontario Occupational Health and Safety Act (OHSA), in section 63(2), indicates that “no employer shall seek to gain access, except by an order of the court or other tribunal or in order to comply with another statute, to a health record concerning a worker without the worker’s written consent.” Occupational Health and Safety Act, RSO 1990, c O.1, s. 63 (2).
10. For more information on the subject, please consult our article on Communicating with the Police.

Reviewed in July 2021  

THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.