“The right of an individual to access his or her records is essential to the exercise of other statutory and common law rights, including the right of an individual to determine for himself or herself what shall or shall not be done with his or her own body, the right of an individual to “informational self-determination” and the right of an individual to require the correction or amendment of personal health information about themselves. It is also vital in ensuring continuity of care, for example, where an individual has decided to seek health care from another health care provider.”

Order HO-009, (then) Assistant Commissioner Brian Beamish

One of the key privacy messages every healthcare organization needs to know is a patient has a right to access their own information. In Ontario, the Personal Health Information Protection Act, 2004 gives individuals the right to access their records. The law reflects the rights established in a court case back in 1992. So this is not new! McInerney v. McDonald – Supreme Court of Canada The right of access has a long and rich history.  The most important case on the topic is the case of McInerney v. McDonald which was decided in 1992 by the Supreme Court of Canada. A patient made a request to her doctor for copies of the contents of her complete medical file. The doctor delivered copies of all notes, memoranda and reports she had prepared herself but refused to produce copies of consultants’ reports and records she had received from other physicians who had previously treated the patient, stating that they were the property of those physicians and that it would be unethical for her to release them. The doctor suggested to her patient that she contact the other physicians for release of their records. But the court said …

• In the absence of legislation, a patient is entitled, upon request, to examine and copy all information in her medical records which the physician considered in administering advice or treatment, including records prepared by other doctors that the physician may have received.
• Access does not extend to information arising outside the doctor?patient relationship. The patient is not entitled to the records themselves.  The physical medical records of the patient belong to the physician.
• Information about oneself revealed to a doctor acting in a professional capacity remains, in a fundamental sense, one’s own.
• While the doctor is the owner of the actual record, the information is held in a fashion somewhat akin to a trust and is to be used by the physician for the benefit of the patient.
• The physician?patient relationship is fiduciary in nature and certain duties arise from that special relationship of trust and confidence.
• These include the duties of the doctor to act with utmost good faith and loyalty, to hold information received from or about a patient in confidence, and to make proper disclosure of information to the patient.
• The doctor has an obligation to grant access to the information used in administering treatment.
• This fiduciary duty is ultimately grounded in the nature of the patient’s interest in the medical records.
• The confiding of the information to the physician for medical purposes gives rise to an expectation that the patient’s interest in and control of the information will continue.
• The trust?like “beneficial interest” of the patient in the information indicates that, as a general rule, she should have a right of access to the information and that the physician should have a corresponding obligation to provide it.
• The patient’s interest being in the information, it follows that the interest continues when that information is conveyed to another doctor who then becomes subject to the duty to afford the patient access to that information.
• Further, since the doctor has a duty to act with utmost good faith and loyalty, it is also important that the patient have access to the records to ensure the proper functioning of the doctor?patient relationship and to protect the well?being of the patient.
• Disclosure to the patient serves to reinforce the patient’s faith in her treatment and to enhance the trust inherent in the doctor-patient relationship.  As well, the duty of confidentiality that arises from the doctor?patient relationship is meant to encourage disclosure of information and communication between doctor and patient.  The trust reposed in the physician by the patient mandates that the flow of information operate both ways.
• The patient’s general right of access to medical records is not absolute.  If the physician reasonably believes it is not in the patient’s best interests to inspect the medical records, the physician may consider it necessary to deny access to the information.
• Considering the equitable base of the patient’s entitlement, when a physician refuses a request for access, the patient may apply to the court for protection against an improper exercise of the physician’s discretion.
• The court will then exercise its superintending jurisdiction and may order access to the records in whole or in part.
• The onus lies on the physician to justify a denial of access. Patients should have access to their medical records in all but a small number of circumstances.
• In the ordinary case, these records should be disclosed upon the patient’s request unless there is a significant likelihood of a substantial adverse effect on her physical, mental or emotional health or harm to a third party.

The right of access to information is a founding principle of privacy. Want to read about PHIPA privacy decisions of the IPC? Click here to get my free up-to-date Summary of all the IPC’s PHIPA Decisions.

There are 4 ways to work with me when you are ready:

1. Attend one of my free Ask Me Anything about Health Privacy webinars – the first Wednesday of every month at 10am EDT/EST
2. Join me for my next Health Privacy Officer training and become even more confident in your role.
3. Join me for my next Advanced Privacy Officer training – for practicing your skills.
4. Invite me to do your team privacy training or assist you with privacy policies or privacy breach management