Wednesday, February 18, 2009

Privacy and Confidentiality: A Brief Introduction

Maintaining patient privacy and confidentiality is of the utmost importance to nurses, as it is one of our profession's core values and responsibilities. "Nurses recognize the importance of privacy and confidentiality and safeguard personal, family, and community information obtained in the context of a professional relationship" (Canadian Nurses Association (CNA), 2008, p. 15). As advances continue to take place in communication and storage technology, the push towards electronic health records (EHRs) raises concerns about the protection of patient information. Although 9 in 10 Canadians support the development of EHRs (Ekos Research Associates, 2007), securing their personal information remains a concern for all. In this age of ever-advancing technology, there is an increased capability to collect, store, access, and share personal information. This capability is paramount to increasing the efficiency and effectiveness of our country's health care system (CNA, 2001). The central issue surrounding this technological advancement is how health care professionals can use these advancements to their full potential while, at the same time, maintaining privacy and confidentiality for their patients.

This blog is designed primarily to provide information on the topic of patient privacy and confidentiality through blog posts, relevant and useful links, and a comprehensive slide show. It is meant to stimulate discussion, comments, and feedback on the issue of patient privacy and confidentiality in the context of EHRs and other forms of communication and storage technology.


Privacy: an individual's right to determine for him or herself when, how, and to what extent he or she will release personal information about him or herself (CNPS, 2005).

Confidentiality: the duty of someone who has received confidential information in trust to protect that information and disclose it to others only in accordance with permissions, rules, or laws authorizing its disclosure (CNA, 2003).

Informed Consent: the process of giving permission or making a choice about care based on sufficient information to make a decision (CNA, 2008).

Security: safeguards to ensure that information is accessed, used, or disclosed only as authorized and to prevent unauthorized processing of health information (CNA, 2003).

What nurses can do to safeguard patient privacy and confidentiality

Nurses have a legal and ethical responsibility to maintain the confidentiality of their patients' health information. We are obliged to keep these responsibilities in mind and to act as patient advocates. Nurses can find out what these requirements are by seeking information in:

- the CNA Code of Ethics
- their province's or territory's practice standards
- federal and provincial legislation and acts
- their own hospital's or organization's policies

The rising popularity of computer-based technologies over paper-based systems brings with it new security risks, the most important of which is the threat of breaches of patient privacy and confidentiality. This technology is convenient and speeds the transmission of information to others; given this efficiency, however, hospital staff often neglect the privacy implications (Milholland, 1994). Most breaches are committed inadvertently by health care workers. According to Feeg (2001), this can be attributed to the way staff members manipulate and share data without considering the patient. Potential breaches in security are considered one of the major downfalls of electronic documentation (Celia, 2002). Nurses should become educated in the ways they can reduce these threats in order to better uphold their responsibilities to their patients. These safeguards include, but are not limited to:

  1. learn and follow your workplace's policy for the collection, use, and disclosure of patient information
  2. do not share your access password with co-workers
  3. change your password frequently
  4. ensure your password is difficult for others to guess
  5. know what steps to take to report breaches in patient confidentiality
  6. access only the information that is needed to do your job
  7. familiarize yourself with privacy legislation
  8. know when it is okay to share patients' information
  9. know what to do if a patient asks for access to their records
  10. avoid using client names or other identifiers when faxing information
  11. make sure to log off computers when they are not in immediate use

It is important for nurses to safeguard not only our patients but ourselves. Nurses who breach patient confidentiality, even unintentionally, may face negative consequences. These can include having their licence suspended by their licensing body, disciplinary action taken by their employer, or legal action taken by the patient (CNPS, 2005).

Nurses should also be aware of the security measures put in place by their employer to protect electronic patient information. These can include:

  1. frequent audits to monitor user activity
  2. limits on large-volume photocopying, downloading, and printing of patient information or records
  3. use of "lock-out" systems when a staff member fails to log on with a password more than a few times
  4. de-activation of the accounts of staff who are no longer employed by the hospital or institution
  5. automatic log-off after a set period of inactivity
  6. protection of inactive records from loss, defacement, and unauthorized disclosure
  7. installation of anti-virus software
  8. precautions against theft of computers and laptops (e.g. cameras, locked doors)
  9. encryption of patient information transferred over the Internet
  10. prohibition of loading unauthorized software onto computers
  11. ensuring access to patient information is on a need-to-know basis
  12. tracking of all access by all users
  13. use of a second level of authentication (e.g. additional passwords, biometric identification)

(American Health Information Management Association, 2000)
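Several of the employer-side controls above (audits of user activity, lock-out after repeated failed logins, de-activation of departed staff, need-to-know access, and tracking of all access) only work if someone actually reviews the access log they produce. The script below is an added example written for this post; it is not code from the original post or from AHIMA. It assumes a simple pipe-delimited audit-log format, a constructed staff roster and patient census, and a lock-out policy of five failed logins within fifteen minutes; all of those are assumptions for illustration, not a real EHR's format or policy.

```python
"""Review an EHR access audit log for the safeguards listed above.

Added example, not from the original post. Assumed log format (one event per line):
    timestamp|event|user|patient_id|outcome
where event is LOGIN (patient_id is "-") or VIEW, and outcome is OK or FAIL.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumption: lock the account after 5 failed logins ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... that occur within a 15-minute window

# Constructed staff roster: unit assignment and whether the account should still be active.
STAFF = {
    "rn_alice": {"unit": "ICU", "active": True},
    "rn_bob":   {"unit": "MED2", "active": True},
    "rn_carol": {"unit": "ICU", "active": False},  # no longer employed; account should be disabled
}
# Constructed patient census: which unit each patient is admitted to.
PATIENT_UNIT = {"P1001": "ICU", "P1002": "MED2", "P1003": "ICU"}

# Constructed sample audit log for this example.
SAMPLE_LOG = """\
2009-02-18T08:01:00|LOGIN|rn_alice|-|OK
2009-02-18T08:02:10|VIEW|rn_alice|P1001|OK
2009-02-18T08:05:00|VIEW|rn_alice|P1002|OK
2009-02-18T08:10:00|LOGIN|rn_bob|-|FAIL
2009-02-18T08:11:00|LOGIN|rn_bob|-|FAIL
2009-02-18T08:12:00|LOGIN|rn_bob|-|FAIL
2009-02-18T08:13:30|LOGIN|rn_bob|-|FAIL
2009-02-18T08:14:00|LOGIN|rn_bob|-|FAIL
2009-02-18T08:30:00|LOGIN|rn_alice|-|FAIL
2009-02-18T09:00:00|LOGIN|rn_carol|-|OK
2009-02-18T09:01:00|VIEW|rn_carol|P1003|OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    patient: str
    outcome: str


def parse_log(text):
    """Parse the assumed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, user, patient, outcome = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user, patient, outcome))
    return events


def need_to_know_violations(events):
    """Successful record views where the user's unit differs from the patient's unit."""
    hits = []
    for e in events:
        if e.kind != "VIEW" or e.outcome != "OK":
            continue
        staff_unit = STAFF.get(e.user, {}).get("unit")
        if staff_unit != PATIENT_UNIT.get(e.patient):
            hits.append((e.ts.isoformat(), e.user, e.patient))
    return hits


def deactivated_account_activity(events):
    """Any event by an account that should already be disabled (departed or unknown user)."""
    return [(e.ts.isoformat(), e.user, e.kind)
            for e in events if not STAFF.get(e.user, {}).get("active", False)]


def lockout_triggers(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """First time each user reaches `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)
    triggered = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "LOGIN" or e.outcome != "FAIL" or e.user in triggered:
            continue
        q = recent[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            triggered[e.user] = e.ts.isoformat()
    return triggered


def review(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "need_to_know": need_to_know_violations(events),
        "deactivated": deactivated_account_activity(events),
        "lockouts": lockout_triggers(events),
    }


if __name__ == "__main__":
    for category, findings in review().items():
        print(f"{category}: {findings}")
```

On the sample log this flags one cross-unit record view (an ICU nurse opening a MED2 patient's chart), two events by an account that should have been de-activated when the nurse left, and one user who hit the lock-out threshold. A single failed login does not trigger anything, which is the point of the sliding window: a mistyped password is routine, a burst of failures is not. In a real deployment the roster and census would come from the HR and admitting systems rather than literals, and a cross-unit view may be legitimate (a float nurse, a consult), so the output is a list of items for the privacy officer to review, not proof of a breach.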

What do patients need to know about their privacy and confidentiality rights?

In general, healthcare consumers want their personal health information to be kept private and confidential. When patients enter the healthcare system, most assume their health records and information are safe and are being accessed responsibly by members of the health care team. According to Ekos Research Associates (2007), 79% of Canadians consider their health information to be moderately secure and rate their trust in nurses and doctors as very high with respect to maintaining privacy. It is reassuring as a healthcare professional to know that patients esteem and trust us highly. However, despite this high level of trust, it is healthcare employees who are responsible for 80% of security breaches in the U.S. (Leestma, 2003). With this in mind, what do patients really know about their legal rights and privacy laws? Overall, Canadians have a minimal understanding of what protection is in place and of what legislation exists at the federal and provincial levels (Ekos Research Associates, 2007). Patients should become familiar with the federal legislation that is in place, the Privacy Act and PIPEDA, as well as with the legislation passed in their own province or territory. Most people are unaware that they have legal rights regarding their health information, including the right to have incorrect information corrected (Privacy Commissioner of Canada, 2004). As well, patients can take legal action against a nurse or an institution that releases their health information without consent (Canadian Nurses Protective Society, 2008).

Although patients trust nurses and doctors to maintain their confidentiality and privacy, there is still fear of security breaches with respect to electronic health records. Nurses can play a role in educating patients about the benefits of electronic health records, such as:
  1. increased portability
  2. access to the information at the right time by the right person
  3. helping healthcare professionals provide more efficient, quality care
  4. faster diagnosis
  5. fewer medical errors
  6. giving patients control over their records, as access would be subject to their consent


E-Liabilities: New Risks in Health Technology

With technological advancement and the computerization of health records comes a new type of medical liability, referred to as "e-liability". When breaches of confidentiality result from non-human error, such as security failures, there must be legal protection in place to cover claims falling under these types of liabilities. Given the low but growing rates of EHR adoption, interested parties such as government agencies and hospital corporations must seek input from liability experts to ensure their protection (Vigoda, 2008). Like the federal and provincial privacy legislation and acts that protect patients' privacy rights, "cyberliability" coverage protects patients, health institutions, and health professionals. This type of liability protection ensures that when security fails and confidentiality is breached, there is a way to ensure accountability and recourse (CMA, 2004). Accountability is the main issue surrounding liability. Patients and health professionals may be more accepting of EHRs knowing that these types of liabilities can be dealt with legally. Two types of liability that fall under the umbrella of cyberliability are:

1. E-practice liabilities: these include risks surrounding the confidentiality, accuracy, and user authenticity of the record, back-up systems, e-prescribing, and telehealth. For example, when care is documented electronically after the fact, the time recorded on the entry may not reflect the time the care was actually given.

2. System security liabilities: these risks involve security system failures, encryption errors, and hacking.

For more information regarding liabilities and the EHR, go to:

Is it ever justifiable to breach confidentiality?

Is it ever justifiable to breach patient confidentiality? Yes. Although these instances are few, there are some situations in which disclosure may be required:

1. To prevent serious harm or death to the person or a third party (CNA, 2002).
2. Public health and safety (e.g. communicable diseases).
3. Child protection legislation.
4. Court order or legal obligation to disclose (CNA, 2002).
5. Emergencies.

Think of your own practice setting and of a situation that would fall under one of the above categories.



American Health Information Management Association (2000). Practice brief: Information security: a checklist for healthcare professionals. Retrieved February 14, 2009, from

Canadian Medical Association (2004). Electronic Health Record. Retrieved March 13, 2009, from

Canadian Nurses Association (2008). Code of ethics for registered nurses. Ottawa: Author.

Canadian Nurses Association (2003). Privacy and health information: challenges for nurses and for the nursing profession. Ottawa: Author.

Canadian Nurses Protective Society (2008). Confidentiality of health information. Info Law: A Legal Information Sheet for Nurses, 1(2).

Canadian Nurses Protective Society (2005). Privacy. Info Law: A Legal Information Sheet for Nurses, 14(2).

Celia, L.M. (2002). Keep electronic records safe. Registered Nurse, 65(6), 69-71.

Ekos Research Associates (2007). Electronic health information and privacy survey: what Canadians think. Retrieved February 15, 2009, from

Feeg, V.D. (2001). Threats to privacy and confidentiality in today's IT culture. Pediatric Nursing, 27(2), 122-124.

Leestma, R. (2003). Implementing technological safeguards to ensure patient privacy. Caring, 22(2), 16-18.

Milholland, K. (1994). Privacy and confidentiality of patient information. Journal of Nursing Administration, 24(2), 19-24.

Siman, A.J. (1999). The Canadian health infostructure (CHI): A promising prescription for the health care system. Health care Information Management and Communications Canada, 13(2), 28-30.

Smit, M., McAllister, M., & Slonim, J. (2005). Building public trust for electronic health records. Retrieved February 15, 2009, from

Vigoda, M. (2008). E-record, e-liability: addressing medico-legal issues in electronic records. Journal of American Health Information Management Associates, 79(10), 48-52.