Health information holds a particular place under Law 25. It falls among the most sensitive categories of personal information, which places heightened obligations on clinics, hospitals, physicians, psychologists, physiotherapists, and any other professional who handles it day to day.
Why Health Information Is Treated Differently
Law 25 (Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1) recognizes that certain categories of information deserve special attention. Health information is one of them: inappropriate disclosure can cause serious harm, including employment discrimination, social exclusion, or a profound violation of personal dignity.
In practice, the general rules apply in full, but the expected standard of care is higher. Consent must be explicit for secondary uses of the information. The justification for each collection must be clear. Retention periods must be defined and respected.
Patient Rights
Under Law 25, your patients have specific rights:
- Right of access: a patient can request to review the personal information you hold about them, including their clinical file, and the request must be answered within 30 days.
- Right of rectification: if information is inaccurate or incomplete, the patient can request a correction.
- Right to portability: since September 2023, a person can request to receive their information in a commonly used technological format, or to have it transferred to a designated third party.
- Right to withdraw consent: a patient can withdraw consent for certain uses, within the limits permitted by law.
These rights are in addition to the protections already provided by professional codes of ethics and, for the public sector, the Act respecting health services and social services.
Common Scenarios in Healthcare Settings
Sharing Records Between Professionals
Transmitting a patient's file to another healthcare professional (family physician, specialist, laboratory) is generally permitted within the context of treatment, without requiring additional explicit consent. However, this sharing must remain limited to the information that is necessary. Sending a complete file when a summary would suffice is not justified.
Electronic Health Records
Adopting clinical records management software raises specific questions: who has access to which information in your system? Are accesses logged? Does your software vendor act as a subcontractor, and have you signed a contract that reflects your personal information protection obligations?
Telemedicine and Remote Consultations
Telemedicine multiplies the touchpoints for sensitive information. Is the platform you use hosted in Canada or abroad? Does information pass through servers located outside Quebec? If so, a privacy impact assessment (PIA) may be required before deploying that type of tool.
Interaction with Professional Codes of Ethics
Law 25 does not replace the ethical obligations of healthcare professionals; it adds to them. Professional secrecy as defined in the codes of ethics for physicians, psychologists, nurses, and other professionals remains in force. Law 25 adds specific obligations regarding the collection, retention, communication, and security of personal information.
In practice, complying with your code of ethics does not automatically guarantee compliance with Law 25, and vice versa. Both frameworks must be considered.
Incidents Specific to Healthcare Settings
Two scenarios come up frequently:
A misdirected fax: sending a clinical file to the wrong fax number constitutes a confidentiality incident. If this presents a serious risk of harm, you are required to notify the Commission d'accès à l'information (CAI) and the affected person within 72 hours of becoming aware of the incident.
Unauthorized access to patient files: an employee viewing a patient's file without a valid professional reason constitutes a security incident. Your internal policy must specify how such situations are detected, documented, and addressed.
Practical Steps for Clinics
- Designate a person responsible for personal information protection: this role can be held by an existing manager, but it must be formalized and the person's name must be published on your website.
- Build an inventory of health information collected: what information, for what purpose, for how long.
- Review your consent forms: they must clearly explain why you collect the information and how you use it.
- Train your team: both administrative and clinical staff must understand the basic confidentiality rules and how to report an incident.
- Establish an incident response plan: before an incident occurs, not after.
Observantia is designed to support healthcare organizations through this process, with tools adapted for managing access requests, documenting incidents, and tracking compliance obligations.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.