Privacy and Confidentiality

of Electronic Health
Records: What Do Nurses
and Other Health
Professionals Need to
Know?

Virginia Dallaire
Jane Clarke
There is a new transition from paper
to electronic health records(EHR) in
Canada. Although many stakeholders
view EHR as a means to improving
the quality of health care for every
individual in Canada, the issue of
confidentiality and privacy needs to
be in the forefront for all decision
makers and health care providers(
Smit, McAllister, Slonim, 2005)
 What is Confidentiality,
Privacy and EHR?
Confidentiality addresses the
individual’s health information , the
management and protection of this
information from intentional or
accidental disclosure to unauthorized
individuals( Weitz, Drummond,
Pringle, Ferris, Globerman, Hebert et
al. , 2003).
Privacy is “ the right of an individual
to determine for himself [ or herself]
when, how and to what extent he[or
she] will release personal information
about himself[ or herself]” ( Morris,
Ferguson, Dykeman,1999, p.92)
Electronic Health Records are a
client’s entire health and health care
history that is electronically
accessed, collected and stored
( Weitz, Drummond, Pringle, Ferris,
Globerman, Hebert et al. 2003)
“Confidentiality should be protected
because it protects patients from
harm, supports access to health care
and produces better health
outcomes”( Mulligan& Braunack-
Mayer, 2004, p.48).
 What is Personal and
Confidential Electronic
Information?
 All personal information such as:
name, address, age , individual’s
educational, financial, criminal and
employment history, race, religion,
associations, personal views or
opinions, any identifying numbers or
symbols assigned to individual
 Health Information: Individual’s
health history, disabilities, inheritable
characteristics, fingerprints, blood
type( VIHA, 2002)
What Provincial, Territorial
and Federal Legislation
Exists to Protect Personal
Information?
 Federal: Personal Information
Protection and Electronic Document
Act( PIPEDA)
 PIPEDA is Federal Legislation that
protects all personal information
which includes electronic health
information
Provincial: Every Registered Nurse in
Canada is a member of a College of
Registered Nurses that sets out
standards and codes which address
confidentiality and privacy in practice
Alberta: Freedom of Information and
Protection of Privacy Act ( FOIPPA)
and Health Information Act(HIA)
http://foip.alberta.ca
BC. : Freedom of Information and
Protection of Privacy Act( FOIPPA)
Http://www.mser.gov.bc.ca/FOI_POP/
Manitoba: Freedom of Information and
Protection of Privacy Act( FOIPPA)
Personal Health Information Act
http://www.gov.mb.ca/chc/fippa/index.htm
http://www.gov.mb.ca/health/phia/index.ht
Northwest Territories: Access to
Information and Protection of Privacy
Act
http://www.justice.gov.nt.ca/ATIPP/atipp.ht
Nova Scotia: Freedom Of Information
and Protection of Privacy Act(
FOIPPA)
http://www.gov.ns.ca/just/foi/foisvcs.htm
Nunavut: Access to Information and
Protection of Privacy Act
Ontario: Freedom of Information and
Protection of Privacy Act
Municipal Freedom of Information
and Protection of Privacy Act
Personal health Information
Protection Act,2004
http://www.mgs.gov.on.ca/english/index.ht
Prince Edward Island: Freedom of
Information and Protection of Privacy
Act
http://.gov.pe.ca/foipp/index.php3
Quebec: Act respecting Access to
documents held by Public Bodies and
the Protection of Personal
Information
http://www.institutiondemocratiques.gouv
a/index_en.htm
Saskatchewan: Freedom of Information
and Protection of Privacy Act
Local Freedom of Information and
Protection of Privacy Act
Health Information Protection Act
http://www.saskjustice.gov.sk.ca/legismma
freedomofinfoact.shtml
Yukon: access to Information and
Protection of Privacy Act
http://www.atipp.gov.yk.ca/

( Office of the Privacy Commissioner Of

Canada, 2009)
 In addition to Federal,
Provincial and Territorial
Privacy Acts there is the
Canadian Standards
Association Model Code
for the Protection of
Personal Information
 It is comprised of ten principles
which guide the collection, use
and disclosure of personal
information
 Public or private facilities can use
this model to ensure privacy and
confidentially
 Chief Privacy Officer oversees the
compliance of the principles and
responds to concerns and complaints
( Canadian Standards Association,
2009)
 Ten Principles summarized:
 Purpose for collection of information
needs to be identified
 Consent required
 Clear guidelines provided for the
disclosure of information
 Collection of personal information is
limited to only pertinent information
for client’s care


 Ensures accuracy, completeness and

up-to-date
 States personal information needs to
be protected by security safeguards
 Transparency of organization’s
policies
 Addresses the clients rights around
being informed of all health
information and the right to
challenge the accuracy and
completeness of the information

( Canadian Standards
Association,2009)
Key Factors in Managing
Privacy and
Confidentiality in EHR
Development of policies and
procedures that incorporate the
following principles:
 Transparency: Everyone has the
right to know who is accessing their
health information
 Collection and Use of Personal Health
Information: Policies must follow the
federal and provincial privacy acts.
All health information should be
accurate and relevant to why it is
being collected
 Individual control: Individual can
access an audit trail to see who
access their personal health
information; individual can also limit
who can access their information
 Security: all measures should exist to
protect personal health information(
access, collection and storage)
 Audit: comprehensive audit done
frequently to ensure only authorized
 Accountability and Oversight: Policies
in place that will address the
monitoring of confidentiality, how to
disclose a breach and violations will
be dealt with
 Technology and Privacy: Privacy
protection will be have
comprehensive standards and
policies
( Health Initiative Blueprint, 2009)
 What is a Breach of
Confidentiality?
 Unauthorized viewing of any client’s
health information
 Accessing information about
yourself, family or friends
 Asking co-workers about confidential
information that is not pertinent to
your care role
 Discussion of confidential information
in a public area
 Unauthorized sharing and disclosure
of confidential health information
other than authorized by Federal
and Provincial Privacy Act s
 Lending your keys to someone else
to access filing cabinets, file storage
rooms where confidential information
is stored
 Telling your co-worker your password
 Using a co-workers password to log
in to a computer
Failing to log off your computer
Failure to report any breach of
confidentiality
(VIHA, 2002)
Breaches of Confidentiality:
Where do the most
commonly occur?
 81% occur in the health care setting
 Usually occurred during informal
conversation among health care
employees
 While on the telephone
 Between health care providers and a
client
 Conversations with family friends
and people outside the health care
agency
( Nursing, 2004)
 How Can Nurses
Safeguard the Privacy
and Confidentiality of
their
 Ensure Clients
passwords EHR?
are kept
confidential
 Use passwords that can not be
deciphered and change regularly
 Do not share passwords and sign off
immediately before leaving the
computer
 Never delete information
 Routinely ask “ Do I need to know
this information?”
 Report any suspicious or actual
breaches of confidentiality

( College of Nurses of Ontario, 2006,

VIHA, 2002).
 What is the role of the
Officer of the Privacy
Commissioner of
Canada?
The Commissioner is an advocate for
the privacy rights of Canadians.
She[he] works independently from
the government and her[his] role
includes:
 Investigating complaints in regards
to the federal public sector and the
private sector
 Complaints may come from the
public sector if personal information
is being held by Government of
Canada institutions
 Promotes public awareness and
understanding of privacy rights
 Reports on public and private
sector’s handling practices around
protection of client’s privacy ( Office
of The Privacy Commissioner of
What is your role as a nurse or health
care professional in ensuring
confidentiality and privacy for every
client in the health care system?
How are you going to meet the
challenges of confidentiality and
privacy with EHR?
“All that may come to my knowledge
in the exercise of my profession or
outside my profession or in daily
commerce with men, which ought
not be spread abroad, I will keep
secret and will never reveal”(
Hippocratic Oath, circa 4th century
BC. as cited in Weitz, Drummond,
Pringle et al. , 2003, p.292).
 References
Canadian Standards Association.
( 2009) About the privacy code.
Retrieved February 7, 2009 from
http://www.csa.ca/standards/privacy/cod
College of Nurses of Ontario(2006).
Documentation Practice Standards:
Electronic health records. Retrieved
February 7, 2009 from
http://www.cno.org/prac/learn/modules/d
 References con’t
Health Initiative Blueprint( 2009). Key
elements:
Managing privacy, security&
confidentiality.
Retrieved January 10, 2009 from
http://www.ehealthinitiative.org/blueprint/k
 References con’t
Mulligan, E. & Braunack- Mayer, A.
( 2004). Why protect confidentiality
in heath records? A review of
research evidence. Australian Health
Review, 28(1), 48-55.

Morris, J., Ferguson, M., & Dykeman,

M.J. ( 2nd ed.). ( 1999). Canadian
nurses and the law. Canada:
Butterworths
 References con’t
Nursing( 2004). Privacy breaches: All
too common . 34(9), 35. Retrieved
February 17, 2009 from Proquest
Nursing Journals database
Office of the Privacy Commissioner of
Canada
( 2009). Provincial/Territorial Privacy
Laws.
Retrieved February 10, 2009 from
 References con’t.
Office of Privacy Commissioner of
Canada
(2009). Mandate and Mission of the
OPC. Retrieved February 17, 2009
from
http://privcom.gc.ca/aboutUs/index_e.asp
Privacy Commissioner Of Canada(
2004) PIPEDA
awareness raising tools(PARTs)
initiative for health sector retrieved
 References con’t
Smit, M., McAllister, M., & Slonim, J.(
2005) Building public trust for
electronic health records. Retrieved
January 25 , 2009 from
http://www.lib.unb.ca/Texts/PST/2005/pd
Vancouver Island health
Authority(2002). General
Administration: Confidential
information- privacy rights of
personal information policy. Section
number 1.0, subsection number 1.5,
 References con’t
Weitz, M., Drummond, N., Pringle, D.,
Ferris, L.E., Globerman, J., Hebert, P.,
et al. ( 2003).
In whose interest? Current issues in
communicating personal health
information: A Canadian perspective.
Journal of Law, Medicine & Ethics, 31,
292-301.