Personal Health Information and Consent

Executive Summary

Personal health information (PHI), also referred to as protected health information in the United States and Health Records in the United Kingdom, refers to demographic information, medical history, test and laboratory results, clinical notes, insurance information and other data that a healthcare professional collects in the process of providing care. PHI is discussed in this article within the context of privacy and consent: 

  • Understanding Consent
  • Obtaining Consent
  • Rules and Regulations for PHI
  • Electronic Health Records

Links to relevant resources including case studies, tools and related articles are also provided. 
Understanding Consent

One of the most important aspects of privacy is the concept of consent. Consent ensures individuals have control over the collection, use, disclosure and retention of their personal information. When collecting PHI and using or disclosing the information to other healthcare providers, the consent of the patient/client should be the guiding principle for decision making.

Subject to certain limited exceptions, patients must expressly consent to any proposed disclosure to third parties.

The consent of the patient is valid only if he or she understands fully how the information is to be used or disclosed.

Consent May Be Implied or Expressed

The consent of patients to the recording or use of their PHI can be implied from the fact that the patient is clearly aware of what the healthcare provider [1] proposes to do with the information and does not indicate any objection. In addition, the fact that the patient/client has presented for the purposes of receiving a healthcare service implies consent.

As a general rule, it is likely that the consent requirements will be satisfied as long as the healthcare provider is open with patients about how their PHI is to be used. It is important to ensure there are shared expectations between the medical practitioner and the patient about this notion.

Consent by patients to the collection, use and disclosure of their PHI can be either verbal or written. There is no legal requirement for consent to be collected in writing. Where particularly sensitive information is involved, healthcare providers may wish to make a notation in the health/medical record confirming that the patient has consented to the disclosure of their information to specific individuals.

Patients Can Withhold Consent

Some patients may refuse to provide certain PHI or may withhold consent for particular uses of that information. Healthcare providers must respect their right to do so. Where there is a concern that the patient may suffer detriment if certain information is not used or disclosed to another provider, the possible consequences of withholding the information should be explained to the patient/client.

Use of Information Must Be Relevant to Consent

Even where the patient has consented to the disclosure of his or her PHI for a particular purpose, only information relevant for that purpose should be disclosed.

Competence to Give Consent

There are some patients who, because of illness or disability, are not competent to give consent for the collection, use or disclosure of their PHI. In some states, guardianship legislation lays down special rules for consent on behalf of incompetent patients. In other cases, the healthcare provider should speak to the patient's relatives, caregivers or substitute decision-maker to obtain their agreement to the proposed use or disclosure of the PHI. The patient should be involved in the decision to the greatest extent possible.

[1] In this article, “healthcare provider” means a healthcare practitioner or a healthcare organization.

Obtaining Consent

At the time of collecting PHI, healthcare providers must take reasonable steps to ensure that the patient understands:

  • What information is being collected
  • Why the information is being collected
  • Who will have access to the information
  • How the information will be used including, where applicable, that it may be used for research purposes
  • Where relevant, the fact that there is a statutory obligation to collect and disclose the information (e.g., disease notification requirements)
  • Any proposed disclosure of the information to third parties
  • That he/she has a right of access to the PHI once it has been collected
  • The potential consequences of not providing the information
  • If relevant, that the information will be collected and stored on computerized systems

The PHI collected must be necessary for the purpose for which it is being collected, and must be collected in a way that is lawful, fair and not unreasonably intrusive.

Wherever it is reasonable and practicable to do so, PHI about a patient must be collected directly from the patient rather than from third parties.

At the time of providing PHI to a healthcare provider, patients must understand how their information may be used or disclosed, and what rights of access will apply. Only then can they make an informed decision about whether to provide the information and/or to disclose the information to others. Openness on the part of the healthcare provider about how the information will be used can also assist in better understanding by the patient of his or her health-related condition and promote shared expectations and a relationship of trust between doctor and patient.

Importance of Written Policy

A healthcare provider must have a written policy that outlines how it manages PHI in its custody or control and make this information readily available to all patients/clients. It will assist patients in understanding how their PHI may be used if the key elements of the policy, including the matters listed above, are outlined in a patient information leaflet, or newsletter, or on an organization’s Web site.

Considerations Before Sharing Health Information

Whenever PHI is to be made available to a person other than the treating healthcare provider, particular care should be taken to ensure that the patient understands that this will occur. For example, patients should understand that practice staff may have access to their records for billing or other administrative purposes.

Some patients have particular concerns about computerized records because of a perception that these are less secure. Where the record system is computerized, this fact should be disclosed to patients. It may be helpful to allay patients' concerns by providing a written information sheet or a sign in the waiting room that explains how computers are used in the record keeping of the practice and what safeguards are in place to ensure the confidentiality and privacy of their PHI.

Health Information from Third Parties

While healthcare providers obtain most PHI directly from the patient (and must do so wherever practicable), they may also receive some PHI from third parties, such as family. In the case of information received from third parties, healthcare practitioners must take reasonable steps to ensure that the patient is made aware of this fact, except where doing so would pose a serious threat to the life or health of either the patient/client or another individual.

Rules and Regulations for PHI

Relevant legislation limits the types of PHI that organizations can collect from an individual, share with other organizations or use for marketing purposes. The organization is obligated to provide PHI when requested by the patient. The organization is also not allowed to sell PHI except in the case of public health activities, research, or treatment. Other rules and regulations are determined by the location in which the organization offers its services. In Ontario, Canada, for example, the relevant privacy legislation is the Personal Health Information Protection Act (PHIPA).

Electronic Health Records

An electronic health record (EHR) is a secure, integrated collection of a person's encounters with the health care system; it provides a comprehensive digital view of a patient's health history. Information is one of the most valuable resources for caring for patients' health. EHRs have the potential to make the exchange and recording of information much more useful and complete. This is one of the most common forms of PHI found in the health system in Canada today. The privacy requirements of the EHR must reflect the applicable legal obligations in all their sophistication in this area. The ultimate obligation is to meet the wishes of the patient/person in those circumstances where he or she can place specific instructions on the allowable uses and disclosures of his or her PHI.

Key Takeaways:

Privacy and security management in relation to PHI is critical in healthcare settings, particularly when dealing with sensitive information. Understanding the legislation that applies to PHI in your jurisdiction is required. Educating all employees about privacy and security practices, and about their roles and responsibilities in relation to the collection and use of PHI, is key to this endeavour. Need more information? Have some resources to share? Please visit the Healthcare Privacy Community of Practice and ask a question in the discussion space and/or upload files to share with your colleagues.

Related Article: Privacy Issues & Technology in Healthcare Organizations