Canadian dental clinics must obtain patient consent before collecting, using, or disclosing personal health information under the Personal Information Protection and Electronic Documents Act (PIPEDA). Because dental records are classified as sensitive health information, express consent is the default requirement for collecting treatment histories, sharing records with insurers, and sending automated recall messages. This guide covers exactly what your dental patient consent form must include, how express and implied consent differ in a dental context, how provincial health privacy laws interact with PIPEDA, and a practical compliance checklist your front desk can use today.
Does PIPEDA Apply to Your Dental Practice?
Yes. Dental practices operating as private businesses are subject to PIPEDA, which governs the collection, use, and disclosure of personal information in the course of commercial activities across Canada. The Office of the Privacy Commissioner of Canada (OPC) has confirmed this in formal investigations, including PIPEDA Case #2006-325, which applied PIPEDA's consent and safeguards principles directly to a dental office's handling of patient files. The OPC ruled that dental practices must comply with Principle 3 (Consent) and Principle 7 (Safeguards) when managing patient records, even in the context of a practice sale.
Under PIPEDA, the 10 fair information principles form the baseline compliance framework. Principle 3 is the one most directly relevant to patient intake forms and recall systems. The other nine principles carry equally binding obligations: Accountability (designate a privacy officer), Identifying Purposes (state why you collect data before or at the time of collection), Limiting Collection (collect only what you need), Limiting Use and Retention (use data only for stated purposes and delete it when the relationship ends), Accuracy (keep contact details current), Safeguards (encrypt and protect patient information), Openness (maintain a publicly available privacy policy), Individual Access (respond to access requests within 30 days), and Challenging Compliance (provide a formal complaint mechanism).
Failing to comply with PIPEDA is not merely a theoretical risk. The OPC can investigate complaints from patients, issue findings, and refer matters to the Federal Court, which can order organisations to correct their practices and award damages.
What Must a Dental Patient Consent Form Include Under PIPEDA?
PIPEDA does not mandate a specific form or template. The OPC confirmed this explicitly: "There is no prescribed form in which these elements must be highlighted." However, the OPC's 2018 Meaningful Consent Guidelines (enforceable from 1 January 2019) establish four mandatory content elements that must be prominently included in any consent notice. These cannot be buried in a lengthy privacy policy or small-print terms.
In addition to these four content requirements, the consent notice must be in plain language that a patient without a legal or medical background can understand. A consent form that meets the legal letter of the OPC's guidelines but is written in dense regulatory prose fails the spirit of PIPEDA. The standard is patient comprehension, not legal defensibility.
A wet signature is not required. Oral consent (recorded by telephone or at reception), clearly ticked checkboxes, and tablet-based digital signatures are all valid, provided the four mandatory elements were communicated before or at the time of consent.
Express vs. Implied Consent: Which Does Your Dental Clinic Need?
Dental records, including examination findings, treatment histories, X-rays, and periodontal charting, are classified as sensitive health information under PIPEDA. The OPC's Interpretation Bulletin on Sensitive Information states: "Medical information is almost always considered to be sensitive, calling for a rather more explicit form of consent." Express consent is therefore the default requirement for collecting, using, or disclosing dental health information.
- Sharing records within the immediate circle of care, for example between an associate dentist and a hygienist treating the same patient in your practice
- Routine administrative details such as recording a patient's billing address for appointment correspondence
- Collecting dental health records, examination findings, and treatment histories
- Sharing records with insurance providers, specialist offices, or dental laboratories
- Sending automated recall SMS or email messages via a third-party platform
- Any marketing, promotional, or non-treatment communications
The OPC recognises a limited opt-out (negative option) consent mechanism for non-sensitive data, but only where the information is demonstrably non-sensitive, the purposes are limited and clearly disclosed at the time of collection, and a convenient opt-out with immediate effect is available. For dental health information, this threshold is rarely met. Opt-out consent should not be used as a default mechanism for patient recall systems.
Children under 13 in most circumstances require parental or guardian consent. For patients aged 13 to 17, the question of capacity to consent is assessed case by case; the treating dentist's clinical judgement of the patient's maturity is relevant. For adult patients who lack the capacity to consent, consent must be obtained from a substitute decision-maker.
The OPC's Seven Requirements for Meaningful Consent
Beyond the four mandatory disclosure elements, the OPC's 2018 guidelines establish seven guiding principles for how consent must be obtained and maintained. These apply equally to paper intake forms and any digital consent process your practice uses.
Provincial Health Privacy Laws and How They Interact With PIPEDA
In most provinces, provincial health privacy legislation applies to dental health information alongside or instead of PIPEDA. The OPC has recognised several provincial laws as "substantially similar," which means PIPEDA is partially displaced for health records in those jurisdictions. Dental clinics in Ontario, for example, are primarily governed by the Personal Health Information Protection Act (PHIPA) for dental records, with the College of Dental Surgeons providing regulatory oversight. However, PIPEDA's commercial activity provisions still apply to marketing emails, recall SMS campaigns, and other non-clinical data uses, even in provinces with substantially similar legislation.
| Province | Governing Law | Coverage |
|---|---|---|
| Ontario | PHIPA | Personal health information held by health information custodians, including dentists |
| Alberta | HIA + PIPA | Health records (HIA) plus other commercial personal information (PIPA) |
| British Columbia | PIPA | All personal information collected in the course of commercial activity |
| Quebec | Law 25 / ARPPIPS | All personal information; requires a Privacy Impact Assessment before new technology adoption |
| Manitoba | PHIA | Personal health information |
| Other provinces | PIPEDA | Federal baseline applies where no substantially similar provincial law exists |
Compliance with PHIPA in Ontario does not automatically mean PIPEDA compliance, and vice versa. Confirm with a privacy lawyer which laws apply to your specific activities if you are unsure. Quebec's Law 25 imposes additional obligations including a mandatory Privacy Impact Assessment (PIA) before adopting new technology that collects personal information. If your clinic is in Quebec and you are considering new recall software or a patient communication platform, a PIA must be completed before deployment.
Dental Practice Consent Form Audit Checklist
Use this checklist to assess whether your current patient consent form and privacy process meet PIPEDA's requirements. Each item reflects a verified obligation from the OPC's published guidance and the 2018 Meaningful Consent Guidelines.
Key Takeaways
- Dental practices in Canada are subject to PIPEDA. The OPC has directly investigated dental offices and applied PIPEDA's consent and safeguard principles to patient records.
- Dental health records are classified as sensitive information under PIPEDA. Express consent is the default requirement for collecting, using, and disclosing them.
- A PIPEDA-compliant dental patient consent form must prominently disclose four things: what is collected, who receives it, why, and any meaningful risks from cross-border data processing. These disclosures cannot be buried in a lengthy policy.
- Implied consent is acceptable only within a strictly defined circle of care (the treating clinical team directly involved in a patient's care) and for routine administrative details.
- There is no prescribed consent form template under PIPEDA. The OPC's 2018 Meaningful Consent Guidelines set seven enforceable process requirements that your form and consent mechanism must satisfy.
- Most provinces have health-specific privacy laws (PHIPA in Ontario, PIPA in Alberta and BC, Law 25 in Quebec) that apply alongside or instead of PIPEDA for dental health records. Identify which law governs your practice and verify your consent form meets that standard.
- Consent is not a one-time event. Obtain fresh consent when you change vendors, add new communication channels, or change how you use patient data.