Privacy Issues for Dentists
Privacy Issues for Dentists
Dentists may become subject to complaints involving privacy and confidentiality issues. Such complaints can be made to our dental regulatory authority and/or the Information and Privacy Commissioner of Ontario (IPC). As health-information
custodians under Ontario’s Personal Health Information Protection Act (PHIPA), dentists are responsible for ensuring that the personal health information of their patients is maintained in a private and secure manner, while also ensuring that this information is available for the effective delivery of health care.
10 privacy principles
PHIPA outlines 10 main principles with which dentists must comply. The following provides a non-exhaustive summary of how dentists may apply these principles in their practices to ensure a confidential environment for their patients:
Accountability: Dentists are required to be open and accountable about their information practices. This may include:
• Developing a policy that outlines how a dentist will take reasonable steps to ensure that records are properly protected;
• Making a written statement available to the public outlining a dentist’s privacy practices;
• Establishing procedures to ensure that patient records are retained, transferred and disposed of in a secure manner;
• Designating a contact person for privacy concerns and questions; and
• Training staff on their privacy obligations (e.g. new hires and refresher training).
Identifying purposes: Dentists must ensure that they identify their privacy practices to their patients through a written notice, which describes the purposes for the collection, use and disclosure of personal health information in the dental office.
Consent: Dentists must obtain their patients’ consent for the collection, use or disclosure of personal health information unless otherwise permitted or required
under PHIPA. Such consent may be expressed or implied unless PHIPA specifically states that express consent must be obtained (e.g. disclosure to a person who is not
a health-information custodian). While written consent is not required, our dental regulatory authority recommends written consent as a more reliable method than
verbal consent (1).
Limiting collection: Dentists must collect only the personal information that is required for the purposes outlined in their privacy notice. These purposes may include facilitating the provision of health care, treating patients and meeting legal obligations.
Limiting use, disclosure, and retention: Dentists are permitted only to use, disclose and retain personal information as outlined in their privacy notice and as required in accordance with PHIPA, the Regulated Health Professions Act (RHPA), and other relevant laws or procedural codes. Dentists must ensure they retain patient information for only as long as required and in accordance with their established retention schedule.
Accuracy: Dentists must use their best efforts to ensure that the information they collect, use, disclose or dispose
of is accurate. This may include verifying the accuracy of patient information when a patient checks in at return appointments.
Safeguards: Dentists are required to take reasonable steps to ensure that personal health information in their custody or control is protected against theft, loss,
unauthorized use, disclosure, copying, modification and disposal. This is generally achieved by adopting the following types of safeguards:
• Administrative: This includes creating privacy policies and procedures, training new staff members, developing a privacy breach protocol and establishing confidentiality agreements with independent contractors.
• Technical: Safeguards will vary based on the type of electronic records used in a dental office. These may include password management, encryption of electronic records and virus protection software.
• Physical: Some examples of physical safeguards include locking filing cabinets, controlling access to the office with access cards and maintaining a clean
Openness: Dentists must be open about their privacy practices and ensure that their privacy notice is available to the public. This may include posting the notice in the dental office and/or on the clinic’s website.
Individual access: Dentists must be prepared to handle requests from patients who wish to access their dental records in accordance with PHIPA. This may include having a procedure in place to process such requests for both access and correction, and understanding when such requests are valid and when they may be refused.
Challenging compliance: Dentists should be aware that individuals may also challenge their compliance with PHIPA, and should be prepared to handle such
complaints if they arise.
Examples of inappropriate privacy practices
Some common examples of inappropriate privacy practices include the following:
• Discussing a patient’s treatment plan with someone outside the patient’s circle of care;
• Posting identifying information about a patient on social media;
• Not obtaining fully informed consent for additional dental procedures;
• Failing to maintain proper safeguards for electronic records;
• Making identifying patient information visible to other patients (e.g. on a computer screen next to the patient’s chair); and
• Leaving a paper patient record in a non-secure and/ or unlocked location.
Privacy and confidentiality issues within a dental practice can result in legal consequences. Accordingly, dentists should maintain current knowledge of their
obligations under PHIPA. It may also be prudent for dentists to seek legal advice, either to proactively audit their practice requirements, or when responding to a complaint before the dental regulatory authority or IPC. OD
1. Royal College of Dental Surgeons of Ontario
[RCDSO]. Compliance with Ontario’s Personal Health
Information Protection Act. Toronto:RCDSO; n.d.
Josh Koziebrocki, LLB, BA (Hons), is the principal lawyer and founder of Koziebrocki Law. He represents numerous dentists and has extensive experience dealing with regulatory issues. He can be reached at 416-925-5445.
firstname.lastname@example.org | www.koziebrockilaw.com
Reprinted with permission of the Ontario Dental Association and Ontario Dentist, 2019