Can I access my own personal health information through my employer’s electronic health records system?
Every Canadian province and territory imposes a legal obligation on health-care custodians to protect personal health information (“PHI”). Typically, institutions or health authorities are considered the health information “custodians” or “trustees” of PHI. As custodians, institutions and health authorities are legally required to have policies in place regarding collection, use and disclosure of PHI. An employed nurse is considered the custodian’s “affiliate” meaning that it is legally recognized that a nurse will also be required to collect, use and disclose PHI on behalf of the custodian in accordance with their employment duties.
Although a patient owns the PHI contained within the personal health records, it is the custodian who owns the actual records and is ultimately responsible for implementing measures to safeguard the information. With few exceptions, a patient has a right of access to their own PHI. If a patient wishes to review their own health record, the custodian will normally require the patient to comply with a specific process or policy in order to do so, such as making a written request to the custodian’s privacy officer.
If an employed nurse wished to access their own PHI, it would be considered outside the scope of employment and they would not be acting in the capacity of affiliate. The nurse would be in the same position as any other patient wishing to access their own records. The nurse should become familiar with the custodian’s policies and procedures regarding access. The failure to comply with an employer’s policies regarding confidentiality and access may result in disciplinary action against the employee. Employers periodically conduct audits of their electronic health record systems and are able to investigate whether health records have been inappropriately accessed.
Can I access the personal health information of my family members through my employer’s electronic health records system if they ask me to?
An employed nurse may have access to a patient’s personal health information (“PHI”) in accordance with their employment duties. A nurse wishing to access the records of a family member, even with the required consent, should familiarize themselves with the employer’s policies relating to accessing PHI. The employer, or “custodian” of the health records, will have established a formal process and procedure for requesting access to the PHI that it holds. An employee who does not comply with an employer’s policies regarding access to PHI may be the subject of disciplinary action.
In the case Newfoundland and Labrador Nurses’ Union v. Newfoundland and Labrador (Treasury Board),1 two nurses were separately disciplined by their employer for inappropriately accessing the personal health records of various family members and a co-worker at the request of the family members and the co-worker. The Court upheld the arbitrator’s finding that not only had the nurses breached the hospital’s policy but had also inappropriately accessed electronic information, which constituted a breach of patient confidentiality. The employer’s policy required that an employee, when not fulfilling a duty and responsibility of employment, obtain written informed consent from the patient to permit access to their PHI. The nurses did not comply with the hospital’s policies and procedures that were in place at the time. One nurse received a twelve-day suspension and the other received a five-day suspension.
Nurses should review the relevant privacy legislation, their professional standards, and institution or health authority’s policies concerning confidentiality and PHI. They must also be careful to practise in accordance with their employer’s code of ethics and the Canadian Nurses Association’s Code of Ethics for Registered Nurses.
CNPS beneficiaries can contact CNPS at 1-800-267-3390 to speak with a member of CNPS legal counsel. All calls are confidential.
1. 2009 NLTD 168 (CanLII).
Revised April 2018
THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.