Skip to main content

Privacy and Confidentiality

Federal and provincial legislation legally protects a person’s right to privacy and confidentiality of personal and health information.

Practice Standards set out requirements related to specific aspects of nurses' practice. They link with other standards, policies and bylaws of the College of Registered Nurses of British Columbia and all legislation relevant to nursing practice.

Federal and provincial legislation legally protects a person's right to privacy and confidentiality of personal and health information. Health care bodies and professionals are required to exercise care in the collection, use and disclosure of personal and health information. The specific legislation that applies to a nurse's1 practice depends on the work setting and the nature of the nurse's work. Relevant legislation may include: the Freedom of Information and Protection of Privacy Act; the Personal Information Protection Act; the Access to Information Act; the Privacy Act; the Personal Information Protection and Electronic Documents Act; and the e-Health Act. CRNBC's Professional Standards require nurses to function within all relevant legislation. CRNBC registrants also take direction from the College's Bylaws, Part 7 — Registrant Records.

Nurses have an ethical responsibility to safeguard information obtained in the context of the nurse-client relationship. When clients entrust their health care and health information to a nurse, they expect and rely on it being kept confidential.

Employers are responsible for providing necessary systems and supports to meet legislated requirements for the collection, use and disclosure of personal and health information.

Principles

1.

Nurses know what specific legislation applies to their practice and follow legislated requirements.

2.

Nurses collect personal and health information on a need-to-know basis.

3.

Nurses ensure that clients are aware of their rights concerning their personal and health information and have consented to the collection, use and disclosure of this information.

4.

Nurses share relevant personal and health information with the health care team. Nurses explain to clients that this information will be shared and identify to them who is on the health care team (e.g., physicians, social workers).

5.

Nurses respect clients' rights to access their own health records and to request correction of the information.

6.

Nurses safeguard personal and health information learned in the context of the nurse-client relationship and disclose this information (outside of the health care team) only with client consent or when there is a specific ethical or legal obligation to do so.

7.

Nurses have an ethical obligation to disclose in situations that involve a substantial risk of significant harm to the health or safety of the client or others. In these situations, nurses use a process of ethical decision-making before disclosing confidential information. Whenever possible, this process involves consulting with knowledgeable colleagues.

8.

Nurses comply with any legal obligation to disclose confidential information that is imposed by legislation or required under a warrant, court order or subpoena.

9.

In all cases where disclosure of confidential information is necessary, nurses restrict the amount of information disclosed and the number of people informed to the minimum necessary to fulfill the legal and ethical obligations.

10.

Nurses access personal and health information only for purposes that are consistent with their professional responsibilities.

11.

Nurses take action if others inappropriately access or disclose a client's personal or health information.

Applying the principles to practice

Privacy Legislation, Organization Policy and You

Identify which privacy legislation applies to you or your organization. Review the CRNBC Bylaws, Part 7.

Review your organization's privacy policies. Policies address topics such as:

  • confidentiality,
  • collection, use and disclosure of personal information and relevant consent,
  • access to records,
  • storage, retention and disposal of records.

When the privacy policies are inadequate or inappropriate, participate in refining and strengthening them.

Know the policies in your organization regarding collection of personal information. Are there guidelines outlining appropriate collection of information from families or other third parties? Are there guidelines to use when explaining to clients the reason for gathering information? Are there guidelines for the use of photo and audio technology to collect information? Who is the contact person if clients have further questions about collecting personal information?

Inform clients, preferably at the outset of care, about the limits of confidentiality (e.g., explain that other members of the health care team will have access to information required for the provision of care and explain who is on the team).

Know when, how and what client information to share with health care providers outside your organization to enable continuity of care (e.g., prior to discharge). Consider what information will be required for the delivery of safe and ethical care to the client. Know what your organization policies state.

Know which legislation and policies apply to the consent for and use of personal or health information for purposes such as quality improvement or research.

Know who in your organization is responsible for making decisions about the release of information (e.g., privacy officer).

Know what to do if clients ask to look at their records or request a correction to their records. Organization policy should provide clear direction. If you are self-employed, follow the Personal Information Protection Act and Sections 7.18 and 7.07 of the CRNBC Bylaws.

Know your organization's policies for protecting against unauthorized access to records and retaining and disposing of client documentation.

Respecting Client Confidentiality

Be aware of other people in your work environment and make sure that confidential conversations cannot be overheard. Withholding the client's name is often not sufficient to maintain confidentiality.

Do not discuss clients or care-related events on a social networking website. Descriptions of client care situations that contain information about time, place and client characteristics may breach client confidentiality even if a client's name is not mentioned.

Cell phones with cameras and audio recorders make it easy to capture a client's image and voice. They also make it easy to show to others or post online. However, collecting information without consent or for an inappropriate purpose and then disclosing it are serious breaches of client privacy and confidentiality.

Be aware that it can be more challenging to keep information confidential when you work and live in the same community (e.g., rural and remote communities; small, discrete communities within urban centres).

To address these challenges:

  • Review CRNBC's Nurse-Client Relationships Practice Standard and booklet.
  • Discuss confidentiality with your colleagues to raise awareness about the ethical obligations related to confidentiality and to address specific concerns about confidentiality.
  • Contact CRNBC Practice Support for advice or education.

Store client records in your custody or control safely and securely. Take special care when transporting client records to ensure they are not lost, stolen or accessed by unauthorized persons.

Keep client information confidential when transmitting information electronically (e.g., avoid using client names if possible; check fax number and mark "Confidential" before sending).

If computerized charting is used, follow your organization's policies to ensure the privacy and security of the information (e.g., use passwords as directed; log off when leaving the computer).

Ensure that client information displayed on a computer monitor remains confidential (e.g., use a screen saver; locate the monitor in a secure area).

In the event of a security breach, take appropriate measures to address the issue as soon as possible after the breach is discovered. Know what your organization policies state. Review the CRNBC Bylaws, Part 7. If required, seek additional information from other sources (e.g., COACH Guidelines for the Protection of Health Information).

Intervene if others fail to maintain client confidentiality. Consider if the most appropriate action is for you to discuss your concerns directly with the person. If your concerns are not addressed or if you decide it is not prudent to discuss your observations and concerns directly, use the reporting mechanisms in your workplace so others can take action.

Accessing Information

Do not access personal and health information for any purpose that is inconsistent with your professional responsibilities. This includes your own, a family member's or any other person's information.

Disclosing Information

Do not disclose information without client consent or a legal obligation to do so unless there is a substantial risk of significant harm to the health or safety of the client or others.

Use the following questions to assist you in making decisions about disclosing confidential information without the client's consent:

  • Does a law require me to disclose this information?
  • Is this a situation in which I should encourage and support the client to disclose the information before I do? What reason do I have for not doing so?
  • If I am concerned about the risk of harm to clients or others, what justifiable weight can I attach to both the magnitude and the probability of harm?
  • To whom can I legitimately turn to discuss this issue?
  • If, after analysis, I believe there is a substantial risk of significant harm, to whom do I disclose the information (i.e., who is the most appropriate person to receive this information)? Do I have the authority to disclose this information or do I need to involve the designated individual in my organization?
  • Am I disclosing the least information possible to the fewest number of people possible?
  • Do I have enough information and the appropriate skills to act on my decision or do I need further advice or consultation?

Be sure you know who your client is (e.g., know if there is a substitute decision-maker involved for an adult client and who that person is; know the decision-making status of a child requiring health care).

Ensure that you have consent from the client or substitute decision- maker before sharing information with family or friends of the client.

When disclosure is necessary, restrict the amount of information you disclose and the number of people you inform to the minimum necessary to fulfill the legal and ethical obligations.

Legal Obligation to Disclose

Identify which legislation is most relevant to the disclosure of confidential information in your practice setting. Legislation that may require you to disclose information includes: the Adult Guardianship Act; Child, Family and Community Service Act; Coroners Act; Health Care (Consent) and Care Facility (Admission) Act; Infants Act; Workers Compensation Act; and the Communicable Disease Regulation under the Public Health Act.

  • When a child who is deemed capable of making health care decisions has consented to health care, do not release health care information to others (including the parents) without the child's consent unless there is a legal obligation or a risk of significant harm to health or safety. These issues are often complex. If you are in doubt, contact CRNBC Practice Support.
  • Report a child in need of protection under the Child, Family and Community Service Act. Use professional judgment in deciding the need to report abuse, neglect or self-neglect of vulnerable adults under the Adult Guardianship Act, Part 3. The decision to report may not be straightforward. When this is the case, consult with knowledgeable colleagues (if at all possible) before proceeding.
  • Know and follow your organization's policies and procedures for assessing and reporting situations in which you suspect abuse or neglect of children or adults.
  • Follow the regulation under the Public Health Act that requires disclosure of health information without consent for reporting and treating individuals with communicable diseases.

If you are subpoenaed to give evidence in court or at an inquest under the Coroners Act, restrict the amount of information disclosed to the minimum necessary to fulfill your legal obligations. The following tips for providing evidence may be helpful:

  • Answer only as to the facts as you know them, not as someone else observed or your impressions of what occurred.
  • Do not exaggerate or embellish testimony. If you need to refer to the chart during testimony, ask for permission from the court.
  • Don't draw conclusions or offer opinions unless you are instructed otherwise. If you are asked for an opinion, make sure you have the competence to provide it.
  • Answer only the specific question asked of you. Don't try to anticipate questions, answer a different question or offer responses to questions that have not been asked.

The Health Professions Act imposes a duty to report the unsafe or incompetent practice or sexual misconduct of another health professional. Formal written reports to the health professional's regulatory body should be as complete as possible, without infringing on the privacy rights of anyone else who may be involved. If concerns about sexual misconduct are based on information from a client, you must obtain the client's consent before making a report.

Special Considerations

If you are self-employed or work on contract, be clear about which legislation applies to your practice. Make sure your practice complies with that legislation and with Part 7 of the CRNBC Bylaws. Self- employed nurses are governed by the Personal Information Protection Act. Nurses working under contract will have to refer to their contract. For example, if a nurse is under contract to a public body, the contract will state that the Freedom of Information and Protection of Privacy Act applies. If the contract is silent, the Personal Information Protection Act applies.

If you are an occupational health nurse, work with your employer to develop policies that clarify what client information is confidential and what may be disclosed under what circumstances. Inform employees of these policies at the outset of the nurse-client (employee) relationship.

If you are engaged in research, understand and follow legislated requirements and use guidelines that address the ethical conduct of research to inform your practice.

Glossary

Privacy is the right of individuals to determine how, when, to whom and for what purposes any personal information will be divulged.

Confidentiality is a type of informational privacy in which one individual or organization agrees to safeguard information about another individual or organization.

For more information​

Standards o​f Practice

CRNBC's Standards of Practice (Professional Standards, Practice Standards, Scope of Practice Standards) assist you in understanding important issues to consider in discussions about nursing practice. They are available from the Nursing Standards section of the CRNBC website www.crnbc.ca

Other CR​NBC resources

For more information on this or any other practice issue, contact CRNBC's Practice  Support Services at 604.736.7331 ext. 332, toll-free 1.800.565.6505 or practice@crnbc.ca.

Other r​esources

  • Canadian Nurses Association. (2008). Code of Ethics for Registered
    Nurses. Ottawa: Author. www.cna-aiic.ca
  • Canadian Nurses Association. (2002). Ethical Research Guidelines for
    Registered Nurses. Ottawa: Author. www.cna-aiic.ca
  • Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, Social Sciences and Humanities Research Council of Canada. Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans. (1998 with 2000, 2002 and 2005 amendments). www.pre.ethics.gc.ca

Federal Legislation

Provincial Legislation

Information to help registered nurses and others interpret and implement privacy legislation

  • Office of the Information & Privacy Commissioner for British Columbia
    http://www.oipc.bc.org
  • Office of the Privacy Commissioner of Canada
    www.priv.gc.ca
  • COACH: Canada's Health Informatics Association. (2009). Guidelines for the Protection of Health Information.
    www.coachorg.com

 

Footnotes

1 "Nurse" refers to the following CRNBC registrants: registered nurses, nurse practitioners, licensed graduate nurses.

back to top

 

 Related

 Need help?

For further information on the Standards of Practice or professional practice matters, contact us:

  • Telephone 604.736.7331 ext. 332
  • Toll-free in Canada 1.800.565.6505
  • Email practice@crnbc.ca
Home > Nursing standards > Practice Standards > Privacy and Confidentiality