
Chapter 6 – Disclosure: Giving Personal Health Information to Someone Outside Your Agency

This chapter tells you when you can or must give (‘disclose’) a client’s PHI to someone who is not your agent. It describes when you must get a client’s express consent, when you can rely on his/her implied consent, and when you can disclose the PHI without consent.

Key Points

You have the right under PHIPA to disclose personal health information (PHI) about a client based on express (oral or written) consent, implied consent, or in some cases, without consent.

In a few cases, the consent must be express.

You should be familiar with the circumstances where you have the discretion to disclose PHI without consent, for example, when PHIPA or another law permits or requires you to do so; when you participate in a proceeding such as a court or tribunal hearing; and for the purposes of eliminating or reducing a significant risk of serious bodily harm to your client or another person.

If a client, his/her substitute decision-maker or another health information custodian gives you PHI about the client, you can rely on implied consent to disclose it for the purposes of health care or assisting in health care of the individual, unless you are aware that the client has withdrawn or withheld consent. However, clients do have the right to tell you not to disclose their PHI to other health information custodians in limited circumstances related to providing them with health care (sometimes referred to informally as a “lockbox,” a term that is not actually in PHIPA).

You may charge a fee for disclosure of a client’s PHI to someone who is not your agent, but unless and until regulations are made under PHIPA to specify the amount of that fee, you must limit it to reasonable cost recovery.

PHIPA reference:

For more complete information, you should also look at the following sections of PHIPA: 38-50


Background

By now, you should be familiar with a number of concepts that are important to the “disclosure” of PHI:

  • When is someone an “agent” of a custodian (Chapter 1)
  • The difference between “use” and “disclosure” of PHI (Chapters 5 and 6)
  • Consent for collection, use and disclosure of PHI (Chapter 3; also see Chapters 4, 5 and 6)

From time to time, your clients may ask you to release their PHI to third parties (that is, another health information custodian or a non-health information custodian). You may also receive requests directly from third parties asking that you give them your client’s PHI. The general rule is that you can only disclose your clients’ PHI to someone who is not an agent of your organization if the law either allows or requires you to do so

  • with your client’s consent (in some cases, it must be express; in others, the law permits you to rely on implied consent), or
  • without consent.

Disclosure by your agents

The general rule is that your agents may disclose PHI where you would have the authority to do so under PHIPA, as long as you have specified this as part of their duties. However, there is an exception. An agent may disclose PHI without your permission if permitted or required by law to do so, including under the regulations to PHIPA.

When do I need to get my client’s express consent?

You must get a client’s express (written or oral) consent if you are giving the PHI to someone

  • who is not a custodian (for example, an employer) and the law does not allow a disclosure without consent,
  • who is a custodian but who is not going to use the PHI for a health care purpose and the law does not allow a disclosure without consent, or
  • for marketing purposes (or if, for fundraising purposes, you plan to give more than the name and address of your client and his/her substitute decision-maker).

A written consent is always best. If the client gives you an oral consent, make sure to document it (including when and how it was given).

When can I rely on my client’s implied consent for disclosure?

Please refer to Chapter 3 of the Toolkit for the circumstances in which you can rely on an implied consent for disclosure.

Disclosing PHI without consent

There are a number of circumstances where you do not have to get consent in order to give PHI to someone outside your agency:

  • PHIPA or another law gives you the right or requires you to disclose PHI. There are a number of laws that give you the authority or require you to give PHI to someone else. (Examples include mandatory reporting of specific communicable diseases to public health authorities under the Health Protection and Promotion Act and the duty of physicians and optometrists to report the fact that a client is no longer able to drive to the Registrar of Motor Vehicles under the Highway Traffic Act.)
  • For health or other programs (including to determine or verify eligibility for health care and other services that are funded by the government; audits and accreditations of the custodian’s services)
  • In proceedings including those of a court or tribunal
  • For planning and management of the health system, to designated organizations whose information practices have been approved by the Information and Privacy Commissioner
  • For research, under specific conditions: if you are considering giving PHI to an outside researcher, you will need to make sure that you have taken a close look at the rules under section 44 of PHIPA
  • In circumstances related to risk (where it is necessary to eliminate or reduce a significant risk of serious bodily harm to your client or to another person, discussed further below)
  • To assist in a client’s placement in a facility for health care purposes
  • To assist in placing an individual into a custodial setting, such as under the Criminal Code mental disorder provisions

Mandatory disclosure

The following chart was developed by the hospital sector and its partners in order to give an overview of when PHI may be disclosed without consent under PHIPA (see footnote 1). It has been adapted for the mental health and addictions communities. This is a starting point for understanding the many disclosures without consent that PHIPA allows; however, the list is not exhaustive and you should consult the Act for further detail.

The Act specifically permits the disclosure of PHI for a number of purposes as required by other statutes. Consent is not required for these specific purposes. For example, you are required to provide the following information:

| TO WHOM DISCLOSURE MUST BE MADE | WHAT INFORMATION MUST BE DISCLOSED | AUTHORITY |
| --- | --- | --- |
| Aviation Medical Advisor (note this is a mandatory disclosure for a physician, not for a hospital) | Information about flight crew members, air traffic controllers or other aviation licence holders who have a condition that may impact their ability to perform their job in a safe manner | Aeronautics Act |
| Chief Medical Officer of Health or Medical Officer of Health | Information to diagnose, investigate, prevent, treat or contain communicable diseases | Health Protection and Promotion Act; Personal Health Information Protection Act |
| Children’s Aid Society | Information about a child in need of protection (e.g., abuse or neglect) | Child and Family Services Act |
| College of a regulated health care professional | Where there are reasonable grounds to believe a health care professional has sexually abused a patient, details of the allegation, name of the health care professional and name of the allegedly abused patient. The patient’s name can only be provided with consent. You must also include your name as the individual filing the report. | Regulated Health Professions Act |
| Coroner or designated Police Officer | Facts surrounding the death of an individual in prescribed circumstances (e.g., violence, negligence or malpractice). Information about a patient who died while in the hospital after being transferred from a listed facility, institution or home. Information requested for the purpose of an investigation. | Coroners Act |
| Order, warrant, writ, summons or other process issued by an Ontario court | Information outlined on the warrant, summons, etc. | Personal Health Information Protection Act |
| Registrar General | Births and deaths | Vital Statistics Act |
| Registrar of Motor Vehicles (note this is a mandatory disclosure for medical practitioners and optometrists only) | Name, address and condition of a person who has a condition that may make it unsafe for them to drive | Highway Traffic Act |
| Subpoena issued by an Ontario court | Information outlined in the subpoena | Personal Health Information Protection Act |
| Workplace Safety and Insurance Board | Information the Board requires about a patient receiving benefits under the Workplace Safety and Insurance Act | Workplace Safety and Insurance Act |

Disclosure for health-related programs and legislation

The following tables outline examples of where PHI may be disclosed. See also the “Consent” section for additional information on permitted disclosures.

| PERSON REQUESTING HEALTH RECORD OR PATIENT INFORMATION | PURPOSE | CONSENT NEEDED | AUTHORITY TO RELEASE INFORMATION |
| --- | --- | --- | --- |
| Ambulance services operator or delivery agent or the Minister | Administration/enforcement of the Ambulance Act | No | Ambulance Act |
| Cancer Care Ontario, Canadian Institute for Health Information, Institute for Clinical Evaluative Sciences or Pediatric Oncology Group of Ontario | To analyze or compile statistical information | No | Personal Health Information Protection Act regulations |
| Chief Medical Officer of Health, Medical Officer of Health or a physician designated by the Chief Medical Officer of Health | To report communicable diseases | No | Health Protection and Promotion Act |
| College of Pharmacists Investigator | Administration/enforcement of the Drug Interchangeability and Dispensing Fee Act | No | Drug Interchangeability and Dispensing Fee Act |
| College under the Regulated Health Professions Act, or Social Work and Social Services Act, or Board of Regents under the Drugless Practitioners Act | Administration/enforcement of the relevant statutes | No | Personal Health Information Protection Act |
| Individual assessing patient capacity, who is not providing care to the patient | To assess capacity under the Substitute Decisions Act, Health Care Consent Act, or Personal Health Information Protection Act | No | Substitute Decisions Act; Health Care Consent Act; Personal Health Information Protection Act |
| Minister Inspector | Enforcement of the Drug and Pharmacies Regulation Act | No | Drug and Pharmacies Regulation Act |
| Public Guardian and Trustee | To investigate an allegation that a patient is unable to manage their property | No | Personal Health Information Protection Act |
| Public Guardian and Trustee (PGT), Children’s Lawyer, Residential Placement Advisory Committee, Registrar of Adoption of Information, Children’s Aid Societies | To carry out their duties and, for the PGT, to investigate serious adverse harm resulting from alleged incapacity | No | Personal Health Information Protection Act |


Disclosure to lawyers, insurance companies, adjusters and investigators

| PERSON REQUESTING HEALTH RECORD OR PATIENT INFORMATION | PURPOSE | CONSENT NEEDED | AUTHORITY TO RELEASE INFORMATION |
| --- | --- | --- | --- |
| Lawyers, Insurance Companies, Adjusters on behalf of a patient | To assist a patient with a claim or proceeding | Yes | Express consent |
| Lawyers, Insurance Companies, Adjusters, Investigators on behalf of a third party, if the third party is an agent or former agent of the custodian | To assist the third party with a proceeding | No | Personal Health Information Protection Act |

Disclosure to legal authorities and law enforcement

| PERSON REQUESTING HEALTH RECORD OR PATIENT INFORMATION | PURPOSE | CONSENT NEEDED | AUTHORITY TO RELEASE INFORMATION |
| --- | --- | --- | --- |
| Head of penal or custodial institution or an officer in charge of a psychiatric facility where the patient is being lawfully detained | To assist with health care or placement decisions | No | Personal Health Information Protection Act |
| Investigator or Inspector | To conduct an investigation or inspection authorized by a warrant or law | No (see footnote 2) | Personal Health Information Protection Act |
| Police without a warrant | Legal authorities and law enforcement | Yes (see footnote 3) | Express consent |
| Police without a warrant | Where there are reasonable grounds to believe that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm | No | Personal Health Information Protection Act |
| Probation and Parole Services | Legal authorities and law enforcement | Yes | Express consent |

What is a “lockbox”?

Background and timing

The term “lockbox” does not appear in PHIPA, but is widely used to refer to the ability of clients to control their PHI. The lockbox is now available to clients of community mental health and addictions programs and services. The lockbox does not apply to public hospitals until November 1, 2005, but does apply to mental health and addictions centres, programs or services.

In spite of the fact that the lockbox will not apply to public hospitals until November 1, 2005, clients in all health settings (including hospitals) have the right to “lock” their PHI by expressly withdrawing their implied consent for its collection, use and disclosure. They may only do this where they are entitled to give consent under PHIPA.

When does it apply?

The lockbox only applies in limited circumstances under PHIPA, and does not affect the numerous circumstances in which a custodian has the right to use or disclose a client’s PHI without consent. The default is that you have the right to give a client’s PHI to another custodian for the purpose of providing health care. You cannot do so, however,

  • unless it is reasonably necessary to do so, and
  • it is not reasonably possible to get your client’s consent in a timely way, or
  • if a client instructs you not to.

For example, a client may tell you not to disclose specific PHI to anyone who is providing him/her with health care, or more likely, that it not be given to a particular health care practitioner, such as a therapist or counsellor.

When does it not apply?

In spite of the lockbox, if another part of PHIPA allows or requires you to share or give this information, the client cannot use the lockbox. A few examples are where another law requires you to disclose specific information, such as to public health authorities under the Health Protection and Promotion Act, to consider whether your agency may be part of a community treatment plan under the community treatment order provisions of the Mental Health Act, or to comply with a duty to report suspected child abuse under the Child and Family Services Act. You also have the right (but are not required under PHIPA) to disclose PHI where the disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm. (See below for more on this issue.) A third example is the disclosure of PHI where you or your agent will be a party or a witness in some type of proceeding, such as a court or tribunal hearing, or a coroner’s inquest. The definition of “proceeding” in the Glossary provides further detail on this issue.

The lockbox has no impact on these and other permitted or required disclosures under PHIPA.

Do I need to inform clients of the ability to “lock” their PHI?

PHIPA does not require that you provide this information to your client, but does require you to respond to his/her request if the Act permits your client to ask that you “lock” specific information. Again, this can only happen in the context of health care, and does not affect the many other uses and disclosures that PHIPA permits without consent.

Duty to inform another custodian

If you are giving PHI to another custodian and believe that the PHI that the client has “locked” is reasonably necessary for the client’s health care, you must notify the other custodian of that fact. You must do so without telling the other custodian what information is missing.

Keeping the lines of communication open

It is always wise to talk to your clients about why they are reluctant to share potentially important information with others in your agency for health care purposes, or with their health care providers outside the agency. Of course, this should be done in a way that does not coerce the client into withdrawing the request for the lockbox.

You should explain to the client the potential impact of not allowing those who provide him/her with health care to have the information that allows them to provide better care. This could include: limits on the type of services the client will be able to receive, duplication of services, and a greater number of health care providers collecting the same information from the client. It is important, however, that these discussions not be, or be seen as, an attempt to coerce clients into accepting health care or services that they do not wish to have.

How specific can my clients’ requests be to “lock” their PHI?

At the time this Toolkit went to press, work was ongoing through the Office of the Information and Privacy Commissioner and its stakeholders to make decisions on this and other questions related to the “lockbox” issue. This Toolkit will be updated in due course, but in the meantime, you should also visit the Commissioner’s website at www.ipc.on.ca for any updates. For the time being, you should be proactive and consider how you would handle a very detailed request from a client to shield some but not all of his/her PHI; shield certain encounters and not others; or shield from some health care providers and not others.


Questions and Answers

Q: Does PHIPA create a duty to warn?

A: No. PHIPA gives custodians the right to disclose PHI if the disclosure is necessary to reduce or eliminate a significant risk of serious bodily harm to the individual or to another person.

It is not mandatory. However, health care practitioners should also be familiar with the requirements of the health regulatory bodies that govern their practice, some of which have adopted a duty to warn in specific circumstances as a standard of practice.

Custodians should consider in advance when they might anticipate having to rely on their discretion to warn under PHIPA. These are decisions that you should make in consultation with a clinician, if time permits.

Q: What steps should I take when I get a request from a third party to disclose my client’s PHI?

A: You should satisfy yourself that the person who is asking for the information has the legal authority to obtain it.

PHIPA does give you the right to assume that consent given to you is valid. For example, if the person says he/she is the client’s highest-ranking substitute decision-maker under the Health Care Consent Act, you have the right to rely on the consent. Nonetheless, many custodians take further steps, such as asking for written documentation such as a power of attorney for personal care if one has been given by your client. In all cases, documenting from whom you obtained consent, and what authority that person provided, is important.

If this is a situation that requires the express consent of your client, you should confirm that the client or his/her substitute decision-maker has consented to release the information.

If the third party provides you with the client’s signed consent, you may rely on it. Again, many custodians do take the extra steps to ensure that it is in fact the client’s consent by checking the signature against one on file and/or by contacting the client or substitute decision-maker if appropriate.

In cases where PHIPA gives you the right to rely on implied consent, some custodians use a callback system to test whether callers requesting information are who they say they are. While this is not a foolproof system, it is one step of several to gather the information you need before you can release information.

Even if you are required to produce a record of your client’s PHI for a proceeding (such as a court or tribunal hearing), you should never send it by mail. Instead, you should take it to the proceeding and wait for direction from the court or tribunal.


Other important things to know

Fees

You can only charge a fee for disclosing PHI to third parties that amounts to cost recovery (what it cost you to process the request), unless the government writes a new rule about these fees. (To date, no regulations under PHIPA are in place.) Also, you cannot charge a fee where the disclosure is required.


1 Ontario Hospital Association (OHA), Publication #314, September 2004. Reproduced with the permission of OHA and its partners, the Ontario Ministry of Health and Long-Term Care; the Ontario Hospital eHealth Council; the Ontario Medical Association; and the Office of the Information and Privacy Commissioner.

2 There has been considerable debate about the ability of health information custodians to disclose PHI to police. The Information and Privacy Commissioner has noted that a warrant is not necessary if the information is being given in the course of a police investigation. However, some custodians are taking the position that express consent or a warrant is the best approach, with very limited exceptions (for example, where there would be true obstruction of police, such as when they are about to make an arrest). This Toolkit will be updated electronically as consensus develops on how best to deal with requests from police. If you remain uncertain about your ability to provide client information to police, you should consider obtaining legal advice.

3 See footnote 2.