Privacy and Confidentiality of Electronic Health Records

Privacy and Confidentiality of Electronic Health Records: What Do Nurses and Other Health Professionals Need to Know?

Virginia Dallaire Jane Clarke

There is a new transition from paper to electronic health records (EHR) in Canada. Although many stakeholders view EHR as a means of improving the quality of health care for every individual in Canada, the issue of confidentiality and privacy needs to be at the forefront for all decision makers and health care providers (Smit, McAllister, & Slonim, 2005).

What is Confidentiality, Privacy and EHR?

Confidentiality addresses the individual’s health information, the management and protection of this information from intentional or accidental disclosure to unauthorized individuals (Weitz, Drummond, Pringle, Ferris, Globerman, Hebert et al., 2003).

Privacy is “the right of an individual to determine for himself [or herself] when, how and to what extent he [or she] will release personal information about himself [or herself]” (Morris, Ferguson, Dykeman, 1999, p. 92).

Electronic Health Records are a client’s entire health and health care history that is electronically accessed, collected and stored (Weitz, Drummond, Pringle, Ferris, Globerman, Hebert et al., 2003).

“Confidentiality should be protected because it protects patients from harm, supports access to health care and produces better health outcomes” (Mulligan & Braunack-Mayer, 2004, p. 48).

What is Personal and Confidential Electronic Information?

All personal information, such as: name, address, age, the individual’s educational, financial, criminal and employment history, race, religion, associations, personal views or opinions, and any identifying numbers or symbols assigned to the individual

Health Information: Individual’s health history, disabilities, inheritable characteristics, fingerprints, blood type (VIHA, 2002)

What Provincial, Territorial and Federal Legislation Exists to Protect Personal Information?

Federal: Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is federal legislation that protects all personal information, which includes electronic health information

Provincial: Every Registered Nurse in Canada is a member of a College of Registered Nurses that sets out standards and codes which address confidentiality and privacy in practice

Alberta: Freedom of Information and Protection of Privacy Act (FOIPPA) and Health Information Act (HIA)

http://foip.alberta.ca

BC: Freedom of Information and Protection of Privacy Act (FOIPPA)

Http://www.mser.gov.bc.ca/FOI_POP/

Manitoba: Freedom of Information and Protection of Privacy Act (FOIPPA); Personal Health Information Act

http://www.gov.mb.ca/chc/fippa/index.html

http://www.gov.mb.ca/health/phia/index.html

Northwest Territories: Access to Information and Protection of Privacy Act

http://www.justice.gov.nt.ca/ATIPP/atipp.htm

Nova Scotia: Freedom of Information and Protection of Privacy Act (FOIPPA)

http://www.gov.ns.ca/just/foi/foisvcs.htm

Nunavut: Access to Information and Protection of Privacy Act

http://www.info-privacy.nu.ca/en/home

Ontario: Freedom of Information and Protection of Privacy Act; Municipal Freedom of Information and Protection of Privacy Act; Personal Health Information Protection Act, 2004

http://www.mgs.gov.on.ca/english/index.html

Prince Edward Island: Freedom of Information and Protection of Privacy Act

http://.gov.pe.ca/foipp/index.php3

Quebec: Act respecting Access to documents held by Public Bodies and the Protection of Personal Information

http://www.institutiondemocratiques.gouv.qc.a/index_en.htm

Saskatchewan: Freedom of Information and Protection of Privacy Act; Local Freedom of Information and Protection of Privacy Act; Health Information Protection Act

http://www.saskjustice.gov.sk.ca/legismmaries/freedomofinfoact.shtml

Yukon: Access to Information and Protection of Privacy Act

http://www.atipp.gov.yk.ca/

(Office of the Privacy Commissioner of Canada, 2009)

In addition to Federal, Provincial and Territorial Privacy Acts there is the Canadian Standards Association Model Code for the Protection of Personal Information

It comprises ten principles which guide the collection, use and disclosure of personal information

Public or private facilities can use this model to ensure privacy and confidentiality

A Chief Privacy Officer oversees compliance with the principles and responds to concerns and complaints (Canadian Standards Association, 2009)

Ten Principles summarized:

Purpose for collection of information needs to be identified

Consent required

Clear guidelines provided for the disclosure of information

Collection of personal information is limited to only pertinent information for client’s care

Ensures information is accurate, complete and up to date

States personal information needs to be protected by security safeguards

Transparency of organization’s policies

Addresses the client’s rights around being informed of all health information and the right to challenge the accuracy and completeness of the information

(Canadian Standards Association, 2009)

Key Factors in Managing Privacy and Confidentiality in EHR

Development of policies and procedures that incorporate the following principles:

Transparency: Everyone has the right to know who is accessing their health information

Collection and Use of Personal Health Information: Policies must follow the federal and provincial privacy acts. All health information should be accurate and relevant to why it is being collected

Individual control: Individuals can access an audit trail to see who has accessed their personal health information; individuals can also limit who can access their information

Security: All measures should exist to protect personal health information (access, collection and storage)

Audit: Comprehensive audit done frequently to ensure only authorized access

Accountability and Oversight: Policies in place that will address the monitoring of confidentiality, how to disclose a breach and how violations will be dealt with

Technology and Privacy: Privacy protection will have comprehensive standards and policies

(Health Initiative Blueprint, 2009)

What is a Breach of Confidentiality?

Unauthorized viewing of any client’s health information

Accessing information about yourself, family or friends

Asking co-workers about confidential information that is not pertinent to your care role

Discussion of confidential information in a public area

Unauthorized sharing and disclosure of confidential health information other than as authorized by Federal and Provincial Privacy Acts

Lending your keys to someone else to access filing cabinets or file storage rooms where confidential information is stored

Telling your co-worker your password

Using a co-worker’s password to log in to a computer

Failing to log off your computer

Failure to report any breach of confidentiality

(VIHA, 2002)

Breaches of Confidentiality: Where do they most commonly occur?

81% occur in the health care setting

Usually occurred during informal conversation among health care employees

While on the telephone

Between health care providers and a client

Conversations with family friends and people outside the health care agency

(Nursing, 2004)

How Can Nurses Safeguard the Privacy and Confidentiality of their Clients’ EHR?

Ensure passwords are kept confidential

Use passwords that cannot be deciphered and change them regularly

Do not share passwords and sign off immediately before leaving the computer

Never delete information

Routinely ask “Do I need to know this information?”

Report any suspicious or actual breaches of confidentiality

(College of Nurses of Ontario, 2006; VIHA, 2002).

What is the role of the Office of the Privacy Commissioner of Canada?

The Commissioner is an advocate for the privacy rights of Canadians. She [he] works independently from the government and her [his] role includes:

Investigating complaints with regard to the federal public sector and the private sector

Complaints may come from the public sector if personal information is being held by Government of Canada institutions

Promotes public awareness and understanding of privacy rights

Reports on public and private sector’s handling practices around protection of client’s privacy (Office of the Privacy Commissioner of Canada, 2009)

What is your role as a nurse or health care professional in ensuring confidentiality and privacy for every client in the health care system?

How are you going to meet the challenges of confidentiality and privacy with EHR?

“All that may come to my knowledge in the exercise of my profession or outside my profession or in daily commerce with men, which ought not be spread abroad, I will keep secret and will never reveal” (Hippocratic Oath, circa 4th century BC, as cited in Weitz, Drummond, Pringle et al., 2003, p. 292).

References

Canadian Standards Association. (2009). About the privacy code. Retrieved February 7, 2009 from http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=english

College of Nurses of Ontario. (2006). Documentation Practice Standards: Electronic health records. Retrieved February 7, 2009 from http://www.cno.org/prac/learn/modules/documentation/index.htm

Health Initiative Blueprint. (2009). Key elements: Managing privacy, security & confidentiality. Retrieved January 10, 2009 from http://www.ehealthinitiative.org/blueprint/keyPrivacy.mspx

Mulligan, E., & Braunack-Mayer, A. (2004). Why protect confidentiality in health records? A review of research evidence. Australian Health Review, 28(1), 48-55.

Morris, J., Ferguson, M., & Dykeman, M.J. (1999). Canadian nurses and the law (2nd ed.). Canada: Butterworths.

Nursing. (2004). Privacy breaches: All too common. 34(9), 35. Retrieved February 17, 2009 from Proquest Nursing Journals database.

Office of the Privacy Commissioner of Canada. (2009). Provincial/Territorial Privacy Laws. Retrieved February 10, 2009 from http://www.privcom.gc.ca/prov/index_e.asp

Office of Privacy Commissioner of Canada. (2009). Mandate and Mission of the OPC. Retrieved February 17, 2009 from http://privcom.gc.ca/aboutUs/index_e.asp

Privacy Commissioner of Canada. (2004). PIPEDA awareness raising tools (PARTs) initiative for health sector. Retrieved February 5, 2009 from http://e-com.ic,gc.ca/epic/internet/inecic-ceac.nsf.en/gv00235e.html

Smit, M., McAllister, M., & Slonim, J. (2005). Building public trust for electronic health records. Retrieved January 25, 2009 from http://www.lib.unb.ca/Texts/PST/2005/pdf/smit.pdf

Vancouver Island Health Authority. (2002). General Administration: Confidential information - privacy rights of personal information policy. Section number 1.0, subsection number 1.5, policy number 1.5.1.

Weitz, M., Drummond, N., Pringle, D., Ferris, L.E., Globerman, J., Hebert, P., et al. (2003). In whose interest? Current issues in communicating personal health information: A Canadian perspective. Journal of Law, Medicine & Ethics, 31, 292-301.
