Technological advancement in the healthcare field, as well as the increase in virtual care or telepractice, has helped patients access safer, faster and more specialized care than ever before. However, these developments have also given rise to a multitude of new privacy issues concerning the loss of, and unauthorized access to, use, and disclosure of, a patient’s personal health information (PHI). To address these concerns, Canada has introduced privacy legislation at the federal, provincial, and territorial levels. Nurses should comply with existing legislative requirements and aim to stay informed of new developments. Nurses should also remember that they have ethical and legal responsibilities to protect clients’ privacy and the confidentiality of clients’ personal and health information.1
What is privacy?
Privacy may be defined in Canada as the right of the individual to determine when, how and to what extent the individual will release personal information about themselves.2 Personal information is data about an “identifiable individual”.3 In other words, it is information that, on its own or combined with other pieces of data, can identify an individual.
The privacy legislation that a nurse must adhere to will depend on the jurisdiction in which they practice. Most Canadian jurisdictions have enacted a health-sector specific privacy law.
What is your professional obligation?
Nurses have an ethical and legal obligation to protect the privacy of patients’ personal information. The legal obligations are found in legislation, case law, professional codes of ethics and standards, and institutional policies. The ethical obligation, codified in the Code of Ethics for Registered Nurses, requires nurses to safeguard information learned in the context of a professional relationship and to ensure it is shared outside the healthcare team only with the person’s informed consent, as may be legally required, or where the failure to disclose would cause significant harm.4
What are the risk areas?
The following examples demonstrate some of the most common risk areas:
- Collection: An office worker complained to the Office of the Privacy Commissioner that their employer required them, after taking sick leave, to provide a medical certificate that had to include a medical diagnosis. The Privacy Commissioner found that requiring a medical certificate for sick leave was reasonable, but that the employer was not entitled to details about the nature of the medical condition.5
- Access: Audits at a teaching hospital revealed that a number of staff and medical residents who were not involved, directly or indirectly, in the care of two well-known Canadian figures had accessed these patients’ computerized health records. After investigating the matter, three staff and three medical residents were disciplined. The discipline ranged from a reprimand to a fourteen-day suspension without pay with mandatory privacy education sessions. The provincial privacy commissioner was also called in to do a privacy assessment. In another case, an RN was terminated by a hospital for accessing hundreds of electronic records of patients to whom the nurse was not providing health care. It was found that the nurse violated the privacy rights of the patients by accessing the information without a professional need, even though that information was not used or shared with third parties. Further, the arbitrator in this case rejected the nurse’s argument that they should be able to access medical records for education purposes, since the hospital had not explicitly allowed the nurse to do so.6
- Disclosure: Disclosure without the patient’s consent may be justified only in the specific, limited circumstances set out in the applicable legislation. A complainant alleged that a doctor released her personal health information to her family without her consent. The disclosure concerned the complainant’s condition on a specific day. It was made in general terms, and there had been no express instruction by the complainant not to disclose. The Privacy Commissioner found that the disclosure was authorized under s. 35(1)(a) of Alberta’s Health Information Act.7 In a different case, a custodian refused to disclose the PHI of a deceased family member to an individual who stated they required the information to make decisions about their own healthcare. The provincial Information and Privacy Commissioner determined that the custodian had acted appropriately, and that this was not a sufficient reason to permit disclosure of the personal health information.8
- Consent: The knowledge and consent of the patient are required for the collection, use, or disclosure of personal health information, subject to the specific, limited exemptions set out in privacy legislation. An employee submitted a medical certificate to his employer with a request for sick leave. The employer’s health and safety advisor called the hospital where the health examination had been done, without the employee’s authorization, and asked for information about the examination. The Privacy Commissioner found that contacting the hospital for this information contravened the applicable privacy law.
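The Access cases above were uncovered by auditing who opened a computerized record against who was actually involved in that patient’s care. The following is an added illustration of that kind of audit check and is not part of the CNPS article or any hospital’s system: the log format, the field names, the care-team table, the user and patient identifiers, and the review threshold are all constructed for the example. It flags chart accesses by users with no documented care relationship to the patient, and separately lists users whose unassigned accesses span many distinct charts (the pattern in the second case, where hundreds of records were opened). The output is a list for a privacy officer to review, not an automated finding of wrongdoing.

```python
"""Reconcile EHR access audit records against documented care relationships.

Added example, not the article's or any vendor's code. The log layout,
identifiers and threshold below are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: staff with a documented care relationship per chart.
CARE_TEAM = {
    "P-1001": {"rn_adams", "dr_singh"},
    "P-1002": {"rn_adams"},
    "P-1003": {"dr_singh", "res_lee"},
}

# Constructed sample audit log as the EHR might export it (CSV).
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2021-11-02T08:01:00,rn_adams,P-1001,view
2021-11-02T08:05:00,res_lee,P-1001,view
2021-11-02T08:06:00,res_lee,P-1002,view
2021-11-02T08:07:00,res_lee,P-1003,view
2021-11-02T09:30:00,dr_singh,P-1003,update
2021-11-02T10:15:00,rn_adams,P-1002,view
"""


def parse_log(text):
    """Parse the CSV audit export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def find_unassigned_access(records, care_team):
    """Return (timestamp, user, patient_id, action) for every access where the
    user is not on the patient's documented care team. A chart with no
    care-team entry at all is treated as having an empty team, so every
    access to it is flagged for review rather than silently accepted."""
    flagged = []
    for rec in records:
        team = care_team.get(rec["patient_id"], set())
        if rec["user"] not in team:
            flagged.append(
                (rec["timestamp"], rec["user"], rec["patient_id"], rec["action"])
            )
    return flagged


def find_bulk_access(records, care_team, threshold):
    """Return {user: distinct_unassigned_charts} for users whose unassigned
    accesses touch at least `threshold` distinct charts. The threshold is a
    constructed policy value; a real program would set it with the privacy
    officer."""
    charts_per_user = defaultdict(set)
    for _ts, user, patient_id, _action in find_unassigned_access(records, care_team):
        charts_per_user[user].add(patient_id)
    return {u: len(c) for u, c in charts_per_user.items() if len(c) >= threshold}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for hit in find_unassigned_access(rows, CARE_TEAM):
        print("review:", *hit)
    print("bulk:", find_bulk_access(rows, CARE_TEAM, threshold=2))
```

On the constructed log, the two `res_lee` accesses to P-1001 and P-1002 are flagged (the access to P-1003 is not, since that user is on the team), and `res_lee` is the only user meeting a two-chart review threshold. In practice the care-team table would be derived from admission, assignment and consult records, and any legitimate exception would need a documented reason recorded at the time of access.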
What are the possible outcomes?
If a nurse breaches a patient’s privacy rights, the nurse may face a number of legal consequences. The nurse may be disciplined by her employer, investigated by the Privacy Commissioner or Ombudsman, disciplined by her professional nursing regulatory body, or named as a defendant in a civil lawsuit.
Key Takeaways: What risk management steps can you take?
To ensure all appropriate steps are taken to protect a patient’s privacy, a nurse should:
- Review relevant privacy legislation and their organization’s privacy and confidentiality policies;
- Know and follow their organization’s policies for collection, use and disclosure of personal information;9
- Be aware of when and how they are allowed to share patient information, including if a patient asks for a copy of their own records;
- Only access PHI, including electronic health records, for purposes that are consistent with their professional responsibilities;10
- Recognize who in their organization is responsible for making decisions about the release of personal information (e.g., Chief Privacy Officer);11
- Know and follow their organization’s policies for protection against unauthorized access, retention, and disposal of client documentation. For example, you may be required to notify your nursing regulator in certain privacy breach scenarios;12
- Follow their organization’s policies to ensure privacy and security when using computerized documentation systems (e.g., use of passwords), or when transmitting client information electronically;
- When speaking to a patient, take reasonable measures to prevent confidential information from being overheard;13
- Understand and follow legislated requirements and professional standards/guidelines if engaged in research;
- Report any inappropriate access to or disclosure of the PHI of individuals receiving care, in accordance with applicable legislation, practice standards, and employer policies;14
- Safeguard the privacy and confidentiality of persons and other colleagues while using social media or other emerging technologies.15
If you have questions or concerns relating to privacy issues, the following resources are available to assist you: your employer’s Chief Privacy Officer, provincial/territorial privacy offices or Ombudsman’s offices, the federal privacy commissioner’s office, your professional nursing association or college, and the Canadian Nurses Protective Society. If you have any concerns regarding privacy, CNPS beneficiaries can contact CNPS at 1-800-267-3390 to speak with a member of CNPS legal counsel. All calls are confidential.
- BCCNM, Privacy and Confidentiality, online: https://www.bccnm.ca/LPN/learning/confidentiality/Pages/Default.aspx
- R. v. Duarte, 1 S.C.R. 30 at para. 25.
- Office of the Privacy Commissioner of Canada, Summary of privacy laws in Canada, January 2018, online: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/
- Canadian Nurses Association, Code of Ethics for Registered Nurses, 2017, online.
- Office of the Privacy Commissioner of Canada, Case Summary No. 233, 2003, online: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2003/pipeda-2003-233/
- Ontario Nurses’ Assn v Norfolk General Hospital (Oliveira Grievance), OLAA No 353, 2015 CarswellOnt 14487, 124 CLAS 218, 262 LAC (4th) 273.
- Alberta Information and Privacy Commissioner, Investigation No. H0057, 2003, online: https://www.oipc.ab.ca/media/127635/H2002-003IR.pdf
- Information and Privacy Commissioner of Ontario, PHIPA Decision 21, January 2016, online: https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/134894/index.do
- BCCNM, Privacy and Confidentiality, online: https://www.bccnm.ca/LPN/learning/confidentiality/Pages/Default.aspx
- CARNA, Privacy and Management of Health Information Standards, March 2020, online: https://www.nurses.ab.ca/media/4rip5x2o/privacy-and-management-of-health-information-standards-mar-2020.pdf
- For example, here is a resource for what to do when a health privacy breach occurs: Information and Privacy Commissioner of Ontario, Responding to a Health Privacy Breach: Guidelines for the Health Sector, October 2018, online: https://www.ipc.on.ca/wp-content/uploads/2018/10/health-privacy-breach-guidelines.pdf
- Canadian Nurses Association, Code of Ethics for Registered Nurses, 2017, online.
Reviewed December 2021.
THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.