a hand holding a guitar

Insights

ARTICLE

A Primer on Disclosing Personal Health Information to Police

It’s one of the most common questions our health lawyers hear from clients: “The police are demanding patient information…what do we do?” This article sets out some best practices for health sector clients, especially health information custodians (HIC1) when faced with the question of whether to disclose personal health information (PHI2) about a current or former patient to police.

The first principle to keep in mind is clear: there is no obligation to disclose PHI to police unless there is a legal authority requiring disclosure (mandatory reporting, warrants or court orders). The courts have been clear that public hospitals and health care providers should not be seen to be an arm of the police so that everyone is able to seek necessary health care.

There may, however, be instances where there is a known risk of harm or urgency to a police investigation that will favour a discretionary and permitted disclosure of PHI.

Standard Bases for Disclosure

When considering whether a HIC should disclose PHI to police, one of the basic guiding principles is that there is no positive obligation to report a crime or assist in a police investigation. However, the Criminal Code does create a legal obligation not to obstruct an investigation. (s. 129(a)) This means that a HIC cannot deceive or mislead law enforcement, nor hinder their investigation attempts.

PHIPA provides four grounds for disclosure that apply to police.

1. Patient Consent

The starting point for disclosing PHI to any person, including police, is explicit consent from the patient. Disclosure of PHI to a non-health information custodian requires express consent, not implied. (PHIPA, s. 18(3))

2. Disclosure Specifically Authorized by Law

PHIPA allows for disclosure if specifically authorized by law. Disclosure authorized by law can include the following: search warrants (s. 43(1)(g)); pursuant to a proceeding (e.g., court order or subpoena) (s. 41(1)(a)&(d); as permitted pursuant to other Acts (s. 43(1)(h)).

3. Permissible Disclosure

PHIPA outlines a number of circumstances in which a HIC is allowed, but not required, to disclose PHI. These permissible disclosures provide a HIC with significant discretion to disclose PHI, but do not mandate disclosure. While these permissible disclosures are not specific to disclosing PHI to police, they can provide a basis for such disclosure.

One of the broadest permissible disclosures authorized by PHIPA is where the HIC believes on reasonable grounds that the disclosure is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. (s. 40(1)).

Other permissive or discretionary disclosures include for example:

  • Where an individual is deceased or reasonably suspected to be deceased for the purposes of (a) identifying the individual; (b) informing any person whom it is reasonable to inform in the circumstances of the fact the individual is deceased/reasonably suspected of being deceased; and (c) circumstances of death. (s. 38(4))
  • For the purpose of contacting a relative, friend or potential substitute decision maker, if the individual is injured, incapacitated or ill and unable to give consent personally. (s. 38(1)(c))
  • If the individual is lawfully detained in a penal or custodial institution or in a psychiatric facility pursuant to the Mental Health Act, then a HIC may disclose PHI about that individual to the head of the penal or custodial institution or the officer in charge of a psychiatric facility for the purpose of making a decision related to providing health care to the individual or, the placement of the individual in custody, detention, release, conditional release, discharge or conditional discharge under certain specified statutes, including the Mental Health Act, Part XX.1 of the Criminal Code or the Youth Criminal Justice Act. (s. 40(2) & (3))

4. Mandatory Disclosure

Finally, PHIPA specifically permits disclosure pursuant to the other Acts which mandate disclosure of specific information in specific circumstances. (PHIPA, s. 43(1)(h))

For instance, the Mandatory Gunshot Wounds Reporting Act, 2005, SO 2005, c.9 provides that every facility who treats a person for a gunshot wound must disclose to law enforcement the following information: the fact a person is being treated for a gunshot wound; the person’s name, if known; and the name and location of the facility. (s. 2(1))

A more recent mandatory disclosure is provided for in the new Missing Persons Act, 2018, SO 2018 c.3, Sch 7 (MPA). For a more complete discussion of the MPA, please read our recent Health Law Monitor article on the new legislation.

Special Considerations for Mental Health Patients

If the PHI pertains to a patient, outpatient or former patient of a psychiatric facility, disclosures will need to be considered in light of s. 35 of the Mental Health Act (MHA), which will prevail if there is any conflict with PHIPA. According to Section 35, if a patient’s attending physician has concerns, stated in writing, that disclosure pursuant to a summons or court order is likely to result in harm to the treatment or recovery of the patient, or result in injury to the mental condition of, or bodily harm to, a third person, the HIC shall not disclose the PHI until a hearing has been had on the issue and further order for disclosure made.

While s. 35 of the MHA does not specifically apply to permissive disclosures, when considering whether PHI pertaining to a psychiatric patient should be disclosed, the HIC may want to consider the factors which apply to disclosure pursuant to court order or summons (i.e. disclosure likely to result in harm to patient or third person).

Conclusion

When determining if PHI should be disclosed, a HIC should consider whether there is a permissible basis for disclosure. If not, police need to get patient consent or other appropriate legal authority to access PHI in order to ensure that the confidentiality and privacy of an individual’s PHI is protected.


1 Person or organization who has custody or control of personal health information as a result of in or in connection with performing the person’s or organization’s powers or duties. (PHIPA, s .3)

2 Identifying information about an individual in oral or recorded form if the information relates to physical/mental health or to providing health care. (PHIPA, s .4)

Related Contacts