Consent to disclose health information – Under the Health Information Act (HIA), as a custodian or affiliate of a custodian, you will require a legislative authority to disclose health information without consent. If there is no specific legislative authority for disclosure without consent, then you will need to obtain consent from the individual before disclosing his/her health information to someone other than the individual who is the subject of the information. The consent must be provided in writing or electronically and must include:
- an authorization for the custodian to disclose the health information specified in the consent,
- the purpose for which the health information may be disclosed,
- the identity of the person to whom the health information may be disclosed
- an acknowledgement that the individual providing the consent has been made aware of the reasons why the health information is needed and the risks and benefits to the individual of consenting or refusing to consent,
- the date the consent is effective and the date, if any, on which the consent expires, and
- a statement that the consent may be revoked at any time by the individual providing it.
The disclosure will need to be carried out in accordance with the terms of the consent.
The revocation must be done in writing or electronically.
A consent or revocation of a consent that is provided in writing must be signed by the person providing it.
A consent or revocation of consent that is provided electronically is valid only if it complies with the requirements set out in the regulations.
An example of an HIA
consent form can be found here
The HIA requirements for consent can be found in the HIA
section 34 with additional information in the HIA Guidelines and Practice Manual
on page 218 and in Appendix 1.
Consent may be exercised by other persons other than the individual who is the subject of the information -
Consent may be obtained from someone other than the individual who is the subject of the health information where another person is legally authorized to act on behalf of that individual. Examples include: a guardian for a minor, the individual’s personal representative where the individual is deceased, a power of attorney granted by the individual, etc. For more information see HIA
Disclosing Health Information without consent in compliance with the Health Information Act
– the HIA
does allow disclosure of Health Information without consent in certain circumstances.
Always consider the privacy of the individual and apply the privacy principles
, which are:
• disclose the least amount of health information required for the purpose,
• only give access to individuals who need to know the health information, and
• disclose health information at the highest level of anonymity (e.g. if the recipient of the information needs to know someone’s age, disclose the individual’s age instead of their full date of birth).
Also be sure to look at the patient file to see if they have expressed wishes
regarding the disclosure of their information, as these must be considered.
Sample of authorized disclosures without consent under the HIA:
- Under section 35(1)(a), a custodian can disclose individually identifying health information to another custodian so he/she can then use that information for a purpose authorized under the HIA. For example, this allows a custodian to disclose individually identifying health information to another custodian for the purpose of providing health services, or to provide health services provider education.
- Section 35(1)(c) allows for disclosure to family members or those in a close personal relationship so that the custodian can discuss the diagnosis or condition of a patient or their location with a patient’s relative or close friend. Information allowed for disclosure is limited (individual’s location, presence, condition, diagnosis, progress and prognosis on that day) and must not be contrary to the patient’s expressed wishes.
- Section 35(1)(d) and (d.1) allows disclosure to family members where the individual is injured, ill or deceased so that the family or to a person with whom the individual is believed to have a close personal relationship can be contacted. Information allowed for disclosure is limited and must not be contrary to the patient’s expressed wishes.
- Under section 35(1)(m), individually identifiable health information can be disclosed without consent to avert or minimize imminent danger or health or safety of any person. You must be able to satisfy the criteria for “imminent danger”.
Contact the Information and Privacy Office
for more information on disclosures with or without consent under the Health Information Act
For a complete list of HIA authorized disclosures without consent see Chapter 8 in the HIA Guidelines and Practices Manual
Consent to Email patients
- The Office of the Information and Privacy Commissioner of Alberta has a Frequently Asked Questions document that answers the question “Instead of limiting the amount of information in an e-mail to patients or encrypting the e-mail, can I mitigate risk by having patients sign a consent form or disclaimer where patients accept the risks associated with email use?”
The OIPC provides the following answer, “Custodians are responsible for ensuring reasonable safeguards are in place to protect against reasonably anticipated risks to privacy. This responsibility cannot be transferred to the patient. It is a good practice to regularly re-confirm that patients want to be contacted via email, to verify their email address and to inform them of possible risk, but this does not transfer responsibility for securing your emails to the patient.”
See the OIPC Frequently Asked Questions
on Email Communications
The Office of the Information and Privacy Commissioner has a practice note on the risks associated with emailing patients. This practice note has great information including the following:
“The Health Information Act
requires Custodians to submit a Privacy Impact Assessment (PIA) to the Information and Privacy Commissioner before implementing a new administrative practice or information system that collects, uses or discloses individually identifying health information. Completing a PIA will help you manage privacy risks when communicating with patients via email.”
See OIPC HIA Practice Note #5
Consent to participate in research
– Research studies may require informed consent to participate in the study and as part of the study the Researcher may need the individual’s health information. Refer to the U of A Research Ethics Office
webpage on informed consent for more information.
Consent to treatment and care
- Contact your physician if you need more information regarding consent to treatment and care. The College of Physicians and Surgeons and AHS may be able to provide more information in this area.
Updated January 2015