I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.


COVID-19: Privacy Tips for the Ontario Health Sector


I am a calm and logical person. We are facing unprecedented impact in our world and that causes uncertainty and instability for everyone.  I have felt a bit unsettled for a few days now. When I feel like that, I need practical, concrete information to help me make informed choices.  If I am feeling like this, I know others are feeling like this too.

As leaders of the healthcare system, you have the responsibility to earn and build trust in this uncertain environment. I know that is what you do every day under usual circumstances. Now even more so.

Here are my initial thoughts about how to address the privacy issues at hand. If you need legal advice, please contact me directly.

  1. Mandatory reporting of communicable diseases to the Medical Officer of Health

The Health Protection and Promotion Act trumps privacy considerations. It is mandatory to report individuals tested for COVID-19, possible carriers and those diagnosed with it to your local public health unit. You can find your local public health unit by postal code or municipality here: https://www.phdapps.health.gov.on.ca/phulocator/

If someone asks you not to report them to public health, you will need to explain that the report is mandatory.  It is possible someone could complain to the Information and Privacy Commissioner about your mandatory report. The IPC already deals with complaints about other kinds of mandatory reports (like to a Children’s Aid Society for a child in need of protection or reports of individuals who are unfit to drive) and will support healthcare organizations that follow the public health mandatory reporting guidelines.

  2. Sending COVID-19 informational emails to all patients

I have been asked if it is permitted for healthcare organizations to use email addresses to send COVID-19 information to all patients. I think this is a great idea with a few considerations:

  • There is a declared pandemic and concrete information from health experts is useful for people to receive.
  • You are allowed to communicate with anyone you provide service to in ways in which they have given you their contact information (unless you bought those email addresses).
  • Ensure the communication is not specific to any patient. If the email contains general information and no identifying information, it will be a low-risk communication.
  • When sending batch or mass emails, be very careful not to attach anything clinical to the email. For example, do not accidentally attach a PDF of a specific patient’s health information. Take extra time before sending a mass email. Do a “preview” of the email before sending it so you can see what recipients will receive.
  • If you have not used email very often (or ever), such an email mail-out will help you weed out old email addresses, because you will get a bounce back for people who no longer work at that email address or for addresses that have expired. Given that the communication will not include names, any misdirected emails will contain no information (other than that the person was on your mailing list).
  • If you have the express consent of patients to communicate important information to them by email they will be anticipating this communication.
  • Be prepared that individuals may want to start emailing you back. Be clear how recipients can receive information from you and whether you will respond to emails.

Please note: Communicating with patients by email is not totally without risk. It is possible that you will send a message to an email address that is no longer in use or is read by the wrong recipient, and that someone receiving it will make a privacy complaint that they learned an individual is affiliated with your team as a patient. I think that is a low risk.

Exercise more caution over using email if you provide very specific health services where even your name being affiliated with an individual could reveal highly sensitive health information.

  3. Telehealth and remote clinical meetings

Telehealth and telephone consultations can be vital strategies to assist with social distancing and reduce the negative impacts of COVID-19 on our strained healthcare organizations.  If your team has the capacity to do scheduled appointments through Ontario Telehealth Network or over the phone, those options may be lifesaving. I understand the Ontario government is clarifying billing codes and options for delivering service remotely.

It is not illegal to use other digital services or platforms for communicating with patients remotely.  However, there are precautions you should take before using digital communication tools:

  • Not all clinical appointments are appropriate for remote consultation – exercise caution and judgment from a patient safety lens.
  • If you work for an organization, you should clarify with your supervisor or Privacy Officer if you are authorized to use digital tools to communicate with patients and if so, their preferred tools.
  • If your organization has never used digital tools before but is doing so because of the pandemic, be transparent about that with your participating clinicians and patients.
      1. Explain that the situation is in response to urgent need.
      2. Do not commit to using them indefinitely.
      3. Explain that the tool may not be secure (unless you know it is secure).
      4. Explain who on your team can use them, and who cannot.
      5. Provide alternatives for how to engage with your team in person, by phone or other means during the pandemic.
      6. Seek consent (oral consent is fine – you write down that you received the patient’s consent).
  • If you have used the tools before, you may wish to remind your patient community that the tools are available to them as an alternative to attending in person.
  • Make sure to record all clinically relevant information in your traditional health records.
  • Be clear about boundaries of using the technology (such as: not for an emergency, hours of service, types of consultations, response times etc.).
  • Implement as many privacy protections as you can using the technology. Read the privacy policies of the digital tools and activate all their privacy recommendations.

  4. Snooping

Snooping by staff becomes a real risk during any kind of emergency, including a pandemic. Tell your team not to read patient files unless they need to do so as part of their job and if patients are assigned to them to provide care.

Health information custodians are permitted to use identifiable patient information without patient consent in order to: plan programs, address errors or quality issues, teach staff, and for research (with research ethics board approval) among other purposes. However, individual staff members should not create self-initiated learning projects about COVID-19. Explain how staff can learn about COVID-19. You want to avoid their temptation to read files out of curiosity.

You may choose to flag the records of any patients tested for or diagnosed with COVID-19 for additional auditing by your Privacy Office to ensure you detect and deter unauthorized access to those records.

Please let me know if I can be of assistance to you.

