Privacy, Confidentiality, and Security

Jennifer Lapum; Oona St-Amant; Charlene Ronquillo; Michelle Hughes; and Joy Garmaise-Yee

In Canada, federal and provincial/territorial legislation governs privacy rights related to the protection of personal information. Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act relates to how the government protects the privacy of a person’s information and a person’s right to access and correct personal information that the government collects, uses, or discloses (Minister of Justice, 2019). The PIPEDA applies to private-sector organizations that collect, use, and disclose personal information. While these laws provide umbrella rules about privacy and protection of personal information, specific personal health information is provincially/territorially legislated.

In Alberta, as a healthcare provider or a student in a healthcare provider program, you should familiarize yourself with the Health Information Act (HIA), which legislates the collection, use, and disclosure of personal health information by health information custodians. You are bound to comply with the HIA. The following definitions used in the HIA are important:

  • Personal health information is defined as identifying information about an individual, in oral or recorded form, that relates to physical or mental health, the provision of health care (including the identity of a provider of health care), a plan of service, donation of body parts or bodily substances, payment for or eligibility for health care, a health number, substitute decision-makers, and any records held by a health information custodian. See Table 6 for examples of what is and is not considered personal health information.
  • Health information custodians are defined as anyone involved in delivering healthcare services who has control of personal health information, e.g., nurses, doctors, pharmacists, physiotherapists, personal support workers, case managers, laboratory technicians.


Table 6: Personal health information

Examples of Personal Health Information
  • Blood type.
  • A diagnosis.
  • X-ray results.
  • Room number.
  • Name of attending physician.
  • Payment for a procedure.

Not Considered Personal Health Information
  • Aggregated data where individuals are not identified, e.g., information about an outbreak in a region.
  • Health patterns or behaviours in groups, like flu shot uptake among certain populations.
  • Identification of cases of communicable diseases without personal health information.


The HIA (2020) sets out rules to balance the need for health information against a person’s right to privacy. Importantly, the HIA applies both to health information custodians, like healthcare providers, and to persons who receive personal health information from health information custodians. For example, a nurse may complete a form that is submitted to an insurance company: in this scenario, the nurse is the health information custodian and the insurance company is the recipient of personal health information.


The use of personal health information is restricted to members of the healthcare team involved in the client’s care. The HIA (2020) specifies that consent is required for the collection, use, and disclosure of personal health information. There are a few exceptions to requiring consent, for instance when transferring care to another direct provider, or when disclosure is required by law (e.g., reporting suspected child abuse).

Common Violations and Ways to Avoid Them[1]

  1. Gossiping in the hallways or otherwise talking about patients where other people can hear you. It is understandable that you will be excited when you begin working with patients and will want to discuss interesting things that occur. As a student, you will be able to discuss patient care in a confidential manner behind closed doors with your instructor. However, as a health care professional, do not talk about patients in the hallways, elevator, or breakroom, or with others who are not directly involved in that patient’s care, because it is too easy for others to overhear what you are saying.
  2. Mishandling medical records or leaving medical records unsecured. You can breach privacy legislation by leaving your computer unlocked for anyone to access or by leaving written patient charts in unsecured locations. Never share your password with anyone. Lock your computer whenever you step away from it, and keep paper charts closed and stored where unauthorized people cannot easily reach them. NEVER take records from a facility or include a patient’s name on paperwork that leaves the facility.
  3. Accessing patient files illegally or without authorization. If someone you know, such as a neighbour, coworker, or family member, is admitted to the unit where you are working, do not access their medical record unless you are directly caring for them. Facilities can trace everything you access within the electronic medical record and hold you accountable. This also applies to patients you previously cared for as a student: once your shift is over, you should no longer access that patient’s medical record.
  4. Sharing information with unauthorized people. Any time you share medical information with anyone but the patient themselves, you must have written permission to do so. For instance, if a husband comes to you and wants to know his spouse’s lab results, you must have permission from his spouse before you can share that information with him. Even confirming or denying that a patient has been admitted to a unit or agency can be considered a breach of confidentiality.
  5. Sharing information with parents. Information can generally be shared with the parents of children until the child turns 18, although there are exceptions to this rule, for example if the minor seeks birth control or an abortion, or becomes pregnant. After a child turns 18, information can no longer be shared with the parents unless written permission is provided, even if the adult child is living at home and/or the parents are paying for their insurance or health care. As a general rule, any time you are asked for patient information, check first whether the patient has granted permission.
  6. Texting or e-mailing patient information on an unencrypted device. Only use properly encrypted devices and channels that have been approved by your health care facility for e-mailing or faxing protected patient information, and confirm that the information is going to the correct person, address, or phone number before you send it.
  7. Sharing information on social media. Never post anything on social media about your patients, the facility where you work or have clinical placements, or even how your day went at the agency. Nurses and other professionals have been fired for violating privacy rules, such as HIPAA in the United States, on social media.[2],[3],[4]
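Item 3 above notes that facilities can trace every access within the electronic medical record. The following is an added example (not part of the original chapter, and not the code of any real EMR product) of the kind of audit review a privacy or security officer runs to find the two violations the item describes: accessing the record of a patient you are not assigned to, and accessing a former patient's record after your shift has ended. The audit-log format, user names, patient identifiers, and care-team roster are all constructed for illustration.

```python
"""Flag EMR accesses that are not covered by a documented care relationship.

Constructed example: the log layout, users, patient IDs, and roster below are
hypothetical. Real EMR audit exports differ, and assignments would normally be
pulled from the scheduling / ADT system rather than hard-coded.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Assignment:
    """A documented care relationship: `user` cares for `patient` during [start, end]."""
    user: str
    patient: str
    start: datetime
    end: datetime


# Constructed care-team roster for one day (hypothetical identifiers).
ASSIGNMENTS = [
    Assignment("jdoe", "P1001", datetime(2024, 3, 4, 7, 0), datetime(2024, 3, 4, 15, 30)),
    Assignment("asmith", "P2002", datetime(2024, 3, 4, 7, 0), datetime(2024, 3, 4, 19, 30)),
]

# Constructed EMR audit lines in a simple key=value layout (hypothetical format).
AUDIT_LINES = [
    "2024-03-04T10:12:00 user=jdoe patient=P1001 action=VIEW_CHART",    # during shift: fine
    "2024-03-04T17:45:00 user=jdoe patient=P1001 action=VIEW_LABS",     # after shift ended
    "2024-03-04T11:02:00 user=jdoe patient=P2002 action=VIEW_CHART",    # never assigned
    "2024-03-04T12:30:00 user=asmith patient=P2002 action=UPDATE_NOTE", # assigned: fine
]


def parse_audit_line(line: str):
    """Split one audit line into (timestamp, user, patient, action)."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(timestamp), record["user"], record["patient"], record["action"]


def flag_unauthorized(lines, assignments):
    """Return every access not covered by an assignment active at access time.

    The reason distinguishes the two cases in item 3: a user who was assigned to
    the patient but looked at the record outside their shift, and a user who
    never had a care relationship with the patient at all.
    """
    by_user = {}
    for assignment in assignments:
        by_user.setdefault(assignment.user, []).append(assignment)

    flagged = []
    for line in lines:
        ts, user, patient, action = parse_audit_line(line)
        related = [a for a in by_user.get(user, []) if a.patient == patient]
        if any(a.start <= ts <= a.end for a in related):
            continue  # covered by an active care relationship
        reason = "outside assigned shift" if related else "no care relationship"
        flagged.append({"time": ts.isoformat(), "user": user, "patient": patient,
                        "action": action, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_unauthorized(AUDIT_LINES, ASSIGNMENTS):
        print(hit)
```

In practice a review like this also has to allow for legitimate exceptions the page mentions, such as transfer of care or emergency ("break the glass") access, which would appear as additional assignment records or as a separately logged justification rather than as unflagged accesses.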


Points of Consideration

Who Owns the Client Record?

Clients have the right to access their own personal health information. In 1992, the Supreme Court of Canada ruled that although the institution or physician owns the physical client record, the client owns the information in it and has the right to receive a full copy of the record, except in certain situations where disclosure would likely cause harm to the client (as cited by Canadian Medical Protective Association, n.d.a, 2019).



  1. Patterson, A. (2018, July 3). Most common HIPAA violations with examples. Inspired eLearning.
  2. Karimi, H., & Masoudi Alavi, N. (2015). Florence Nightingale: The mother of nursing. Nursing and Midwifery Studies, 4(2), e29475.
  3. American Nurses Association. (n.d.). About ANA.
  4. American Nurses Association. (n.d.). Scope of practice.


Privacy, Confidentiality, and Security Copyright © 2021 by Jennifer Lapum; Oona St-Amant; Charlene Ronquillo; Michelle Hughes; and Joy Garmaise-Yee is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
