Sep 1, 2022

The NDECC™ Candidate’s Guide to Privacy and Confidentiality

Patients asking informations filling in privacy document

Welcome to our latest blog series, Getting Ready for Situational Judgement, designed to help you prepare for our upcoming NDECCSituational Judgement course. I thought I’d begin by giving you a little taste of some of the new subject areas that will be evaluated in this final exam in the equivalency process.

Today’s topics are privacy and confidentiality, which are essential for all practising dentists to understand. Once you’re in practice, you’ll be responsible for protecting patients’ personal health information, and we can teach you how! But first, you will need to understand the basic concepts. So when you take the course with us, you’ll learn how to apply these. 

Without further ado, let’s get into some questions you may have about these matters, shall we? 

What is the relationship between privacy and confidentiality? 

Well, you can’t have one without the other. Patients provide private and confidential information to health professionals to receive healthcare, and when health professionals provide services to their patients, they keep records that contain additional personal health information. Health professionals may need to share their patients’ confidential personal health information to diagnose the patients’ conditions and provide the proper healthcare they need. Every person who is involved in a patient’s healthcare must protect the patient’s privacy. 


As a dentist, who am I allowed to share my patients’ personal health information with? 

In order to provide dental services to patients efficiently, dentists work with other oral health professionals and administrative staff. You are permitted to share patients’ confidential personal health information with the people you work with in the dental office. Dentists submit claims for dental treatment electronically and may be asked to provide additional information about the patients’ conditions or the services they have provided. You should ensure you have your patients’ consent before providing confidential information to dental insurance companies. When you are referring patients to another health professional, you should let your patient know that you will need to share their personal health information for the purposes of their healthcare; this will enable you to obtain your patients’ consent. 


How can I protect my patients’ privacy? 

You can protect your patients’ privacy by implementing a privacy policy in your dental office; making sure everyone who works in your dental practice understands their responsibilities for ensuring patients’ privacy; and safeguarding your patients’ data against breaches, inadvertent disclosure, and loss. When contractors or service providers require access to your premises and dental records or your patients’ data in electronic records management systems, you should ask them to enter into a confidentiality agreement. You should post information about your privacy policy in your dental office and make sure that patients understand it, and the reasons for which you will be collecting, using, and disclosing their personal health information.


What about children and other patients who don’t seem capable? Who am I allowed to share their personal information with? 

In Ontario, children are presumed capable of consenting to collect, use, and distribute their personal health information at 16 under the Personal Health Information Protection Act; children younger than 16 may also be capable of providing consent. Adults are presumed capable; if there are reasonable grounds for a health professional to believe that a patient is incapable, the health professional should note the facts on which they base this conclusion in the patient’s dental record and let the patient know, as patients are entitled to contest a determination of incapacity. In Ontario, the Personal Health Information Protection Act sets out who can serve as a substitute decision-maker (SDM) and prescribes the SDM’s responsibilities.The SDM is entitled to access the dental record just as a capable patient would be entitled to access the dental record, and the SDM makes decisions regarding the collection, use, and disclosure of personal health information for the incapable patient. While the principles are the same, the details of privacy laws in other jurisdictions may be different, so dentists who practise outside Ontario should check the answer to this question with their dental regulatory authority.


Are there any circumstances where the patient’s consent (or the consent of the SDM) is not required to share their personal health information? 

Dentists are required to obtain a patient’s consent (or their SDM) to collect, use, and disclose their personal health information except if they are required to disclose it by law. Both federal and provincial statutes and regulations may compel a dentist to release personal health information. For example, if a dental regulatory authority were investigating a dentist, they would request specific patients’ dental records, and the dentist would be required to provide the dental records to the investigator. As another example, sometimes, the police will require information for a criminal investigation and will provide the dentist with a warrant. If there is a risk of serious bodily harm to a person or group of people, a health professional can also share personal health information without the patient’s (or SDM’s) consent.

Who owns the dental record, and can a patient take it with them when they leave my dental practice? 

The personal health information in a dental record “belongs” to a patient, in the sense that only the patient (or their SDM) can consent to its collection, use, and disclosure. The dental records (whether paper or digital, and in all other formats in which they are made) are owned by the dentist who owns the dental practice where the patient has been seen by the principal dentist, their associates, and other oral health professionals. The owner of the dental records is required by law to retain these for a specified period of time. The patient (or their SDM) is entitled to copies of any dental records they need and may be asked to submit a written request before these are released.


What are some of the special considerations for electronic dental records? 

If you are thinking about going “paperless” or using some combination of paper and electronic recordkeeping in your dental practice, you will need to make sure that your electronic records management systems comply with regulatory requirements where you practise. You can check with the provincial dental regulatory authority to find out what rules apply. You can also conduct cybersecurity audits and consult with your software vendors to better protect your patients’ data from being accessed or held for ransom by hackers and, in case of a systems crash, to ensure that you can restore it from your backup if required.

The bottom line is that as a dentist you are required to protect your patients’ privacy by not sharing their information with anyone who doesn’t need to have it because they aren’t involved in providing dental care (unless and as required by law). In the new NDECC™ Situational Judgement course, you will learn more about the rules you have to follow when collecting, using, and disclosing confidential personal health information and how to protect your patients’ privacy in a brand new delivery format. At Prep Doctors, we specialize in hands-on education that prepares you for the challenges you will face in dental practice.



Lesia Waschuk is the Compliance & Education Specialist at Prep Doctors with more than 20 years of experience working with the Royal College of Dental Surgeons of Ontario (RCDSO) and NDEB. You may book an appointment with her for all your compliance questions and needs here