What is privacy?
Privacy is “the right of the individual to determine for himself when, how and to what extent he will release personal information about himself.”1
What is your professional obligation?
Nurses have an ethical and legal obligation to protect the privacy of patients’ personal information. The legal obligation is found in legislation, case law, professional codes of ethics and standards, institutional policies, and publications produced by organizations such as the Canadian Health Record Association and the Canadian Council on Health Services Accreditation. The ethical obligation, codified in the Code of Ethics for Registered Nurses, requires nurses to “safeguard information learned in the context of a professional relationship and ensure it is shared outside the health care team only with the person’s informed consent, or as may be legally required, or where the failure to disclose would cause significant harm.”2
What are the risk areas?
The following examples demonstrate some of the more common risk areas:
An office worker was required to provide a medical certificate for sick leave he had taken. The doctor’s certificate was addressed to the employer’s occupational health and safety adviser and was supposed to include a diagnosis. The Privacy Commissioner found the requirement of the certificate was reasonable, but, the employer was not entitled to details about the nature of the illness.3
Audits at a teaching hospital revealed that a number of staff and medical residents, who were not involved directly or indirectly in the patient care of two well known Canadian figures, accessed these patients’ computerized health records. After investigating the matter, three staff and three medical residents were disciplined. The discipline ranged from a reprimand to a fourteen day suspension without pay and mandatory privacy education sessions. The provincial privacy commissioner was also called in to do a privacy assessment.4
A complainant alleged that a doctor released personal health information to her family without her consent. The disclosure concerned the complainant’s condition on a specific day, it was made in general terms and there was no express instruction by the complainant not to disclose. The Privacy Commissioner found that the disclosure was authorized under s. 35(1)(a) of Alberta’s Health Information Act.5
An employee submitted a medical certificate to his employer with his sick leave request. The employer’s health and safety adviser called the hospital where the health examination was done, without the employee’s authorization, and asked for information about the examination. The Privacy Commissioner found that contacting the hospital for this information was in contravention of the Personal Information and Protection of Electronic Documents Act.6
What are the possible outcomes?
If a nurse breaches a patient’s privacy rights there are a number of legal consequences which may impact on the nurse. The nurse may be disciplined by her employer, investigated by the Privacy Commissioner or Ombudsman, disciplined by her professional nursing licensing body, or sued civilly. All of these consequences could result from the same breach of the patient’s privacy rights.
What risk management steps can you take?
To protect yourself you should:7
- review relevant privacy legislation and your organization’s privacy policies
- know and follow your organization’s policies for collection, use and disclosure of personal information
- know when and how to share client information
- know who in your organization is responsible for making decisions about release of information (e.g., Chief Privacy Officer)
- know what to do if a client asks for access to his records
- know and follow your organization’s policies for protection against unauthorized access, retention, and disposal of client documentation
- follow your organization’s policies to ensure privacy and security when using computerized documentation systems (e.g., use of passwords)
- follow your organization’s policies when transmitting client information electronically
- understand and follow legislated requirements and professional standards/guidelines, if you are engaged in research?
If you have questions or concerns relating to privacy issues, the following resources are available to assist you: your employer’s Chief Privacy Officer, provincial/territorial privacy offices or ombudsman’s offices, the federal privacy commissioner’s office, your professional nursing association or college, and the Canadian Nurses Protective Society.
- R. v. Duarte,  1 S.C.R. 30 at para. 25.
- Canadian Nurses Association, Code of Ethics for Registered Nurses (Ottawa: Author, 2002), p. 14.
- Office of the Privacy Commissioner of Canada, Case Summary No. 233 (2003), online: www.privcom.gc.ca.
- Ontario Information and Privacy Commissioner, Privacy Assessment: The University Health Information Network’s Response to Recent Breaches of Patient Privacy (2002), online: http://www.ipc.on.ca/images/Resources/073002.pdf.
- Alberta Information and Privacy Commissioner, Investigation No. H0057 (2003), online: www.oipc.ab.ca. (PDF document)
- Office of the Privacy Commissioner of Canada, Case Summary No. 235 (2003), online: www.privcom.gc.ca.
- College of Registered Nurses of British Columbia, Privacy Legislation (Practice Standard – pub. 335), (Vancouver: Author, 2005), p. 2.
N.B. In this document, the feminine pronoun includes the masculine and vice versa.
THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS®. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.
Vol. 14, No. 2, September 2005