The Practice holds a great deal of information which is confidential, namely:

  • Patients' records
  • Staff records
  • Information about the Practice (e.g. finance, partnership details)

It is essential that employees, and other staff who work at the Practice and have access to confidential information, understand their responsibilities regarding confidential information. Contracts of employment and/or a separate policy should state the responsibilities of staff re confidentiality, and the penalties for breaches.

Any breach of confidentiality will be treated as a disciplinary matter, and may lead to dismissal, depending on the seriousness of the breach. Breaches of confidentiality of patient information are usually classed as gross misconduct which result in instant dismissal - in such cases an investigation must be carried out and a formal dismissal procedure followed - more on instant dismissal.

Confidentiality clause for contracts of employment

Confidentiality Policy and Agreement for staff

Confidentiality Policy for third parties

Confidentiality Policy for Dispensers

Transfer of patient information

In cases where patient information has to be transferred to another health professional on a need-to-know basis, or where the patient has given consent, care must be taken to ensure that the data is transferred safely and securely. In cases of electronic transfer of data, strict procedures should be followed, refer to the draft Electronic Transfer of Patient Data Procedure.

In all cases where patient data is transferred, Personal Health Information Protection Act  (PHIPA) regulations should be followed.

If disclosure is essential

If a patient or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional can take advice from colleagues within the Practice, of from a professional/regulatory/defence body, in order to decide whether disclosure without consent is justified to protect the patient or another person. If a decision is taken to disclose, the patient should always be informed before disclosure is made, unless to do so could be dangerous.

Confidentiality continues after employment has ended

Employees, and anyone else who works at the Practice and has access to confidential information, must keep information confidential both during and after employment. This should be spelt out in the Practice's Confidentiality Policy. After employment has ended, the Practice's Disciplinary Procedure cannot be applied for breaches of confidentiality, so the Policy should stipulate that any breach, or suspected breach, of confidentiality after employment has ended will be passed to the Practice’s lawyers for action.

Related policies and protocols

Transfer patient records to/from another Practice protocol

Confidential waste (shredding) protocol

Office of the Privacy Commissioner of Canada