About This Page
This is a clinician-written, evidence-based guide aligned to the MCC Examination Objectives. It is structured by clinical presentation — the way the MCCQE tests and the way patients actually present. Management reflects current Canadian guidelines (CMA, CFPC, CPS). Always cross-reference with institutional protocols and clinical judgment.
The Bottom Line
- Confidentiality is the default: access, use, and disclosure of personal health information require consent or clear legal authority
- Exceptions include mandatory reporting, public health, child protection, fitness to drive, serious imminent threat, court orders, and statutory duties
- Duty to warn is limited and fact-specific: serious imminent risk to an identifiable person/group can justify disclosure
- Tell patients about mandatory disclosures when safe and appropriate; disclose the minimum necessary information
- Privacy breaches require containment, notification according to local law/policy, documentation, and prevention steps
Approach to the Presentation
Confidentiality scenarios test balancing patient trust with legal and public-safety duties. Ask what information is requested, who is requesting it, whether the patient consented, whether a legal duty/permission exists, and what the minimum necessary disclosure is. Privacy legislation varies across Canada; Ontario's PHIPA is a common example, but exam answers should recognise provincial/territorial variation.
Differential Diagnosis
| Diagnosis | Likelihood | Key features | Distinguishing test |
|---|---|---|---|
| Duty to warn / serious imminent threat | must-not-miss | Specific threat of serious harm toward identifiable person/group | Assess risk; disclose limited information to appropriate authority/potential victim |
| Mandatory child protection report | must-not-miss | Reasonable grounds to suspect child abuse/neglect/risk | Report promptly to child protection authority |
| Public health reporting | must-not-miss | Reportable communicable disease/outbreak/exposure risk | Report to public health as required |
| Fitness-to-drive reporting | must-not-miss | Medical condition may make driving dangerous | Advise patient; report to licensing authority as required |
| Privacy breach | must-not-miss | Lost device, misdirected fax/email, wrong portal message, inappropriate chart access | Contain, notify privacy officer, follow notification law/policy |
| Permitted disclosure with consent | common | Patient authorises sharing with family, clinician, insurer, employer, school, or third party | Confirm scope, purpose, recipient, and minimum necessary disclosure |
| Unauthorised family request | common | Family asks for diagnosis/results/prognosis without consent; patient capable | Do not disclose; ask patient whom they want involved |
| Police/employer request | common | Third party requests information without consent or legal authority | Do not disclose; request written authority; seek advice |
| Circle-of-care sharing | common | Information shared among providers for patient care | Share only necessary care information |
| Mature minor confidentiality | less common | Adolescent seeks contraception/STI/pregnancy/mental health/substance care | Assess capacity; respect confidentiality unless safety exception |
Red Flags & Key History
Symptoms
- Specific threat to identifiable person/group
- Child abuse or neglect suspicion
- Unsafe driver with syncope, seizure, cognitive impairment, hypoglycaemia, substance use, or visual deficit
- Reportable communicable disease or outbreak
- Lost device or inappropriate chart access
- Family asks for information without patient consent
- Patient requests record transfer
Signs
- Patient capable but not asked if family may receive information
- Staff discuss patient details publicly or use non-secure messaging
- EMR access without clinical need
- Written consent specifying recipient and purpose
- Minimum necessary disclosure used
Approach to Assessment
First-line
- Identify authority for disclosure: Consent, circle-of-care, statutory duty, court order, emergency safety exception — if none, do not disclose
- Assess capacity and consent: A capable patient controls disclosure
- Determine mandatory reporting: Child protection, public health, fitness to drive, misconduct/impairment, wounds, or other duties vary
- Minimum necessary principle: Even required disclosure should be limited
Second-line
- Risk assessment for duty to warn: Specificity, imminence, severity, identifiable target, means, mental state, protective factors
- Privacy breach assessment: Contain, retrieve, assess sensitivity/risk, notify privacy officer
- Review local legislation: Provincial/territorial privacy statutes differ
Specialist
- CMPA/privacy officer/legal advice: For police requests, subpoenas, media, serious threats, breaches, uncertain reporting
- Psychiatry/security/police: For credible imminent violence risk
Management Principles
CMPA privacy and confidentiality guidance + provincial privacy legislation
1. Default
- Protect confidentiality
- Obtain express consent unless legal authority/implied consent applies
- Use secure channels and verify identifiers
- Disclose minimum necessary
2. Mandatory/permitted disclosure
- Report child abuse and notifiable diseases
- Report unsafe driving where required/permitted
- Warn appropriate parties for serious imminent identifiable threat
- Inform patient when safe
3. Privacy breach
- Contain breach
- Assess notification duties
- Tell affected patients as required
- Document prevention steps
4. Third-party requests
- Police/employer/school/insurer/lawyer/family usually require consent or authority
- Seek advice if unclear
Complications & Pitfalls
- Family has a right to know: not without capable patient consent.
- Over-disclosure: reporting does not mean sending the whole chart.
- Duty to inform: tell patients about mandatory reports when safe.
- Duty to warn: needs serious imminent identifiable risk.
- Electronic convenience: misdirected messages are common breaches.
MCCQE1 Exam Tips
1. Confidentiality is default; disclose only with consent or legal authority
2. Child abuse suspicion is reported — do not prove it first
3. Duty to warn is limited to serious imminent identifiable risk
4. Capable adolescents may have confidentiality rights with safety exceptions
5. Tell patient about mandatory reports when safe
6. Police/employer/family requests are not automatically valid
7. CanMEDS Professional: privacy and trust are core