Case of the Month

Unexpected Emails

The Case 

The College received a mandatory report from a clinic owner.  

A physiotherapist, who was no longer employed at the clinic, had accessed the email addresses of dozens of patients using the clinic’s electronic medical records (EMR). The physiotherapist had been given access to the electronic medical records to complete unfinished charting.  

Using the email addresses, the physiotherapist contacted patients to tell them that they had a new job and provide the location and contact details. At the time the physiotherapist sent the emails, they hadn’t worked at the clinic in eight months.  

In addition to the College, the privacy breach was reported to the Information and Privacy Commissioner of Ontario.

In response, the physiotherapist said they believed they were simply informing patients in case they wanted to continue their care. The physiotherapist added that they didn’t realize that storing and using patients’ email addresses without their consent was a breach of privacy.  

The Rules 

Personal health information is protected by law in Ontario.  

Using personal health information without appropriate patient consent is illegal. 

The physiotherapist in this case was given temporary access to patient records for the sole purpose of completing charting. They didn’t have permission or patient consent to use the information any other way.   

The Personal Health Information Protection Act dictates that personal health information should be under the care of a Health Information Custodian, who is responsible for ensuring it is securely stored and used appropriately. In this case, the Health Information Custodian was the clinic.

When protected information is used or stored by someone other than the Health Information Custodian, there is a high risk the information could be compromised, for example through a leak or accidental disclosure.  

If you’re leaving a clinic, talk to your employer before giving any new employment information to your patients. 

Never collect or store patients’ contact information without their permission.  

The Outcome 

The physiotherapist was required to work with a practice enhancement coach and review several resources on privacy.  

Details of this case have been changed to maintain anonymity.
