
3.3 Duty of Confidentiality

Tracey M. Bailey, BA, LLB

Educational Objectives

  1. To confirm that a physician owes a duty of confidentiality to his/her patient and to understand the ethical and legal bases of this duty.
  2. To understand that, at times, ethics and/or the law will require or allow disclosure of confidential patient information without the consent of the patient.
  3. To identify some scenarios that would require and/or allow such disclosure; and to appreciate that because the law varies across the country, it is essential to be knowledgeable about the laws in the jurisdiction in which a physician practices.


Michael Worth, 28 years old, presents to his family physician with a variety of symptomatic issues. He describes anxiety and trouble sleeping, and requests an anxiolytic. Pressed for possible causes of the anxiety (e.g., situational, psychiatric, endocrine, drug use), he is evasive and becomes increasingly uncomfortable. The physician attempts to gather relevant information, but Mr. Worth is reluctant to provide further details that are essential to making a diagnosis and creating a plan for treatment. The physician reassures Mr. Worth that the private information he shares will be treated as confidential and more information is needed to be able to assist him. A short course of anxiolytics is prescribed and he is asked to follow-up, which he says he will do.

Over time, the physician develops a relationship of trust with Mr. Worth. At an appointment, Mr. Worth discloses a long-standing addiction to cocaine. This is a breakthrough as it provides the information needed to try to help Mr. Worth in his efforts to deal with his health problems. While he is intent on seeking treatment, he is not yet ready to share this information with his wife. He alludes to marital problems and asks if the information he has shared would ever be disclosed to her. He specifically requests that she not be told.

Mrs. Worth sets up an appointment to meet with the physician. She is extremely anxious and upset and is seeking advice regarding the recent behaviour of her husband. She says he is moody and prone to violent outbursts. While he has not physically harmed their child, she is worried that he will. She is also concerned because they continue to have no money to pay for necessities such as groceries and their mortgage. Although she and Mr. Worth both work full-time, their bank account is depleted almost immediately following deposits from their employers. In addition, an account they had established to fund their child's education was recently emptied. Her husband has given her a variety of excuses for this, but she doesn't know whether she should believe him. It is clear from the discussion that she is not aware of Mr. Worth's cocaine habit.


  1. Why is it important to keep patient information confidential?
  2. When can information be disclosed to family members?
  3. When must confidential information be disclosed?
  4. Is this a case where disclosure must be made? When might a physician have discretion to disclose confidential information?


Q1. Why is it important to keep patient information confidential?

Physicians owe a duty of confidentiality to each of their patients. There are important ethical and professional reasons to treat patient information as confidential. Physicians need accurate and complete information to appropriately assess and treat a patient. Many patients will be reluctant to share necessary information unless they have a relationship of trust with their doctor and are confident that their information will be protected. Trust is essential to a sound patient–physician relationship.

Another important ethical foundation for this duty is that of respect for patient autonomy. Given the increased involvement of patients in the decision-making surrounding their care, they should have considerable input as to how and with whom information about them is shared.

The Canadian Medical Association (CMA) Code of Ethics addresses this duty by instructing physicians to "Protect the personal health information of your patients."1 It also cautions that even necessary discussions about the care of patients should be conducted in an appropriate setting to protect the confidentiality of the information: "Avoid public discussions or comments about patients that could reasonably be seen as revealing confidential or identifying information."

The law also imposes a duty of confidentiality on physicians. This duty has been discussed in many cases. One example is the Supreme Court of Canada decision in McInerney v. MacDonald,2 in which the court said this duty is based on the fiduciary relationship that exists between doctor and patient. Justice La Forest noted that:

"Certain duties do arise from the special relationship of trust and confidence between doctor and patient. Among these is the duty of the doctor to act with utmost good faith and loyalty, and to hold information received from or about a patient in confidence."

This duty is also set out in many pieces of legislation, both federal and provincial. Statutes governing such things as hospitals, mental health and public health, to give a few examples, set out this obligation. In addition, federal and provincial legislation now exists governing the collection, use and disclosure of personal information (including health information), and such a duty is often explicitly stated.

The Canadian Charter of Rights and Freedoms also provides some protection for the preservation of confidential health information.3 Privacy rights are not explicitly mentioned. However, interpretation of certain sections of the Charter, including section 7 ("Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice") and section 8 ("Everyone has the right to be secure against unreasonable search and seizure"), has created rights in this regard.

In addition to the law, consideration should be given to standards, guidelines, policies and procedures in a given setting (i.e., those set out by a college of physicians and surgeons, a regional health authority or a hospital). These may also be considered by a court in determining the legal standards that should be met.

Q2. When can information be disclosed to family members?

In general, information can be disclosed with the consent of your patient (assuming it is information received from your patient and that they have the capacity/right to make this decision) in all Canadian jurisdictions. This supports the ethical principle of autonomy, as well as taking care to do good and avoid harm vis-à-vis the physician–patient relationship (beneficence and non-maleficence).

If you do not have a patient's consent to disclose information to others, including family members, disclosure should not usually occur. However, ethics and the law will require or allow disclosure without consent in some circumstances. The CMA Code has this to say regarding disclosure to third parties generally1:

"Disclose your patients' personal health information to third parties only with their consent, or as provided for by law, such as when the maintenance of confidentiality would result in a significant risk of substantial harm to others or, in the case of incompetent patients, to the patients themselves…."

With respect to disclosure of information to family members specifically, the common law does not provide for this. Although information is often shared with family, there is no common-law legal basis to do this without the patient's consent. As a result, consent should normally be sought.

In some provinces, legislation allows for certain types of disclosure to family members in certain situations. For example, under the Health Information Act in Alberta, there is legislative discretion to disclose certain information to family members without the patient's consent.4 However, it is important to note that in these instances, a patient's express request to the contrary will prevail. For example, the Act says that information may be disclosed:

"To family members of the individual or to another person with whom the individual is believed to have a close personal relationship, if the information is given in general terms and concerns the presence, location, condition, diagnosis, progress and prognosis of the individual on the day on which the information is disclosed and the disclosure is not contrary to the express request of the individual."

Another section provides that disclosure may be made:

"Where an individual is injured, ill or deceased, so that family members of the individual or another person with whom the individual is believed to have a close personal relationship or a friend of the individual can be contacted, if the disclosure is not contrary to the express request of the individual."

In this case, as Mr. Worth has expressly asked that the information not be shared with his wife, sections such as these would not allow for such disclosure without his consent.

Q3. When must confidential information be disclosed?

The CMA Code of Ethics states: "Consider first the well-being of the patient."1 This is at the heart of the duty to protect patient confidentiality. Mr. Worth is the patient; his wife and child are not patients of the physician, and therefore it is to Mr. Worth that a duty of loyalty is owed. At times, however, a physician may encounter circumstances where he/she questions whether the ethical duty to protect confidential information may be overridden by concerns for the health and safety of others. It may seem reasonable that serious threats of harm to others that may be avoided by disclosure of confidential information may ethically justify such a disclosure. In this case, the potential of physical harm to the child may be appropriate justification to provide some information to the wife on an ethical basis, as may disclosure regarding serious financial harm to the family caused by the cocaine habit of Mr. Worth.

As previously mentioned, however, the Code states that if a physician is to disclose confidential information without the consent of the patient, it must be "as provided for by law, such as when the maintenance of confidentiality would result in a significant risk of substantial harm to others…"

The law has some guidance to offer in deciding whether circumstances exist to justify such disclosure. In common law, one recognized exception that permits disclosure without consent is for public safety purposes. One US case that is often discussed in this context is that of Tarasoff v. Regents of the University of California.5 In that case, a psychologist was advised by a patient that he intended to kill his ex-girlfriend when she returned from her summer vacation. The psychologist believed that he needed to breach his duty of confidentiality in this case and contacted the local authorities, who spoke to the man but did nothing further as he appeared to be clear-thinking. The man went on to kill the woman and her family sued as a result. In the decision of the Supreme Court of California, Justice Tobriner stated that:

"When a therapist determines, or pursuant to the standards of his profession should determine, that his patient presents a serious danger of violence to another, he incurs an obligation to use reasonable care to protect the intended victim against such danger. The discharge of this duty may require the therapist to take one or more of various steps, depending upon the nature of the case. Thus it may call for him to warn the intended victim or others likely to apprise the victim of the danger, to notify the police, or to take whatever other steps are reasonably necessary under the circumstances."

Thus, the court here found that the health care professional in question had not only a discretion to disclose in these circumstances, but a positive duty to do so. They found that while he had taken the step of alerting the local authorities, that was insufficient and further steps should have been taken.

The Tarasoff decision is not binding on Canadian courts, but was discussed favourably by the Supreme Court of Canada in the decision of Smith v. Jones, a case considering whether a psychiatrist who had been retained by the defence counsel in a criminal matter could breach solicitor–client privilege (the most protected form of privilege in law) if he was concerned that the accused posed a serious threat of harm to others.6 In this case, the accused had related a detailed plan to rape, kidnap and murder prostitutes from a particular area in Vancouver. The majority of the Supreme Court found that danger to public safety could form the necessary basis for a breach of the privilege. They set out three factors that must be considered in deciding whether such a justification to disclose exists:

  1. Clarity: is there a clear risk to an identifiable person or group of persons?
  2. Seriousness: is there a risk of serious bodily harm or death?
  3. Imminence: is the danger imminent?

Q4. Is this a case where disclosure must be made? When might a physician have discretion to disclose confidential information?

In the present case, the physician would have to ask whether all three of these factors are present.

Is there clarity? It is clear that the wife believes there is an identifiable person (the child) that she is concerned about. However, is there anything further to suggest that the child is at risk? A prior history of such violence, or a specific threat, for example, would be relevant factors to consider.

Is the risk serious? The court discussed justification if the danger was of serious bodily harm or death. It is important to note that they stated that "serious psychological harm may constitute serious bodily harm."

Is the risk imminent? To be imminent, the Supreme Court of Canada said that the risk must create a sense of urgency.

There may or may not be sufficient circumstances in the present case to justify disclosure on this basis. The physician should ask for further details to help in the assessment. As the wife already perceives a threat of harm, there may be no further information that can be provided that would assist in averting a danger.

However, it is important to keep in mind other legislation that may provide a duty or discretion to disclose confidential information in circumstances such as these. For example, provincial child welfare legislation (which varies from province to province) provides for a mandatory reporting obligation in circumstances that may not involve an "imminent danger" but require action nonetheless. The threshold for reporting is often a reasonable belief that a child (defined by statute) is in need of protection or intervention. This is also set out by definition and will include much more than suspected abuse. However, under legislation such as this, the duty is to report to the designated authorities who will then investigate. It does not provide for disclosure of information to the wife.

What about the concern regarding financial harm to the family? Does such a threat justify disclosure under the exception regarding public safety? While the harm is real, it does not come within the harm discussed by the Supreme Court (i.e., serious bodily harm, which can include serious psychological harm, or death). As a result, there appears to be no legal justification for disclosure of confidential patient information on this basis. If this is of concern on an ethical analysis, it is relevant to note that the wife is already aware of the financial harm and can take steps to protect her own finances, at least to some extent, whether or not she knows the cause of the depleted funds. For example, she could have her own salary deposited into a new account in her own name.

In the event that the physician concludes that disclosure to a third party, whether that be a spouse or the authorities, is justified both ethically and legally, one more section of the CMA Code of Ethics must be considered. The Code sets out a duty to the patient where a physician decides to disclose confidential information without his/her consent. The Code states that in such cases a physician must "take all reasonable steps to inform the patients that the usual requirements for confidentiality will be breached."

The circumstances of the case should be considered in formulating a plan that will best serve to disclose the relevant information while either helping the patient or avoiding harm as far as possible. In this case, harm to the physician–patient relationship will be a relevant consideration.

A final note about disclosure of confidential information on the basis of public safety. The Supreme Court of Canada has noted that even in cases where disclosure is justified in an attempt to avert an imminent danger to a person or an identifiable group, the disclosure must be limited to information that is necessary—in other words, the physician should disclose the least amount of information necessary to attempt to avert the danger. Information about the patient that will not aid the attempt to avert harm should remain confidential.

There are instances other than disclosure to protect public safety when the reporting of confidential patient information is obligatory (e.g., reporting certain diseases under public health legislation, reporting unfit drivers in some provinces, disclosure pursuant to a court order). Again, it is important to be up-to-date on disclosure obligations within the jurisdiction in which you practice.

It is also crucial to be up-to-date on local requirements regarding discretion to disclose (where a physician may disclose but is not required by law to do so). In reaching a decision about whether discretion exists, a careful weighing of a physician's ethical and legal duties to the patient should be undertaken. Where appropriate and reasonable, legal advice in this and other cases should be sought.


  1. Canadian Medical Association (CMA). CMA Code of Ethics. Ottawa: CMA; 2004. Available from: Accessed January 24, 2009.
  2. McInerney v. MacDonald (1992), 93 DLR (4th) 415 (SCC).
  3. Department of Justice Canada. Canadian Charter of Rights and Freedoms. Ottawa: Department of Justice Canada; 1982.
  4. Government of Alberta. Health Information Act. Edmonton: Queen’s Printer; 2001.
  5. Tarasoff v. Regents of the University of California, 551 P. 2d 334 (Cal. 1976).
  6. Smith v. Jones, [1999] 1 SCR 455.

Further Reading

  • Kleinman I, Baylis F, Rodgers S, Singer P. Bioethics for clinicians: 8. Confidentiality. Canadian Medical Association Journal 1997; 156: 521–4.
  • Picard EI, Robertson GB. Legal Liability of Doctors and Hospitals in Canada, 4th edn. Toronto: Thomson Carswell; 2007.
  • Re Inquiry into the Confidentiality of Health Records in Ontario (1979), 98 DLR (3d) 704 at 714 (Ont. C.A.) (this was quoted with approval by the SCC at (1981), 38 NR 588 at 608 based on the fiduciary obligation of physicians to their patients).