Privacy, Confidentiality, and Security

In Canada, federal and provincial/territorial legislation governs privacy rights related to the protection of personal information. Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act governs how the federal government protects the privacy of a person’s information and a person’s right to access and correct personal information that the government collects, uses, or discloses (Minister of Justice, 2019). PIPEDA applies to private-sector organizations that collect, use, and disclose personal information in the course of commercial activity. While these laws provide umbrella rules about privacy and the protection of personal information, personal health information specifically is legislated provincially/territorially.

In Ontario, as a healthcare provider or a student in a healthcare provider program, you should familiarize yourself with the Personal Health Information Protection Act, 2004 (PHIPA), which legislates the collection, use, and disclosure of personal health information by health information custodians. You are bound to comply with PHIPA. Where there is a conflict between PHIPA and a College of Nurses of Ontario (CNO) standard, you must legally comply with the Act.

The following definitions used in the PHIPA are important:

  • Personal health information is defined as identifying information about an individual, in oral or recorded form, that relates to physical or mental health, the provision of health care (including the identity of a provider of health care), a plan of service, the donation of body parts or bodily substances, payment for or eligibility for health care, a health number, a substitute decision-maker, and any such information contained in a record held by a health information custodian. See Table 6 for examples of what is and is not considered personal health information (PHIPA, 2004, S.O. 2004, c. 3, Sched. A).
  • Health information custodians are defined as anyone involved in delivering healthcare services and in control of personal health information, e.g., nurses, doctors, pharmacists, physiotherapists, personal support workers, case managers, laboratory technicians (PHIPA, 2004, S.O. 2004, c. 3, Sched. A).


Table 6: Personal health information

Examples of Personal Health Information

  • Blood type.
  • A diagnosis.
  • X-ray results.
  • Room number.
  • Name of attending physician.
  • Payment for a procedure.

Not Considered Personal Health Information

  • Aggregated data where individuals are not identified, e.g., information about an outbreak in a region.
  • Health patterns or behaviours in groups, like flu shot uptake among certain populations.
  • Identification of cases of communicable diseases without personal health information.

Based on this legislation, you have a responsibility to protect clients’ personal health information and maintain confidentiality. In addition to not sharing data with individuals not involved in the client’s care, you must also protect the client’s chart from inappropriate access. For example, paper charts are typically kept at the nurse’s station in a hospital or facility. You must take reasonable steps not to leave them unattended on a table. Electronic charts provide the additional security feature of signing in with a username and password, which limits access to authorized users and ties each access to an identified person. This can make electronic charts less risky than paper charts in terms of incidental viewing, but only if each user signs in with their own credentials, never shares them, signs out when stepping away from the workstation, and opens only the charts of clients in their care; a login does not by itself stop an authorized user from looking at a chart they have no reason to see.
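The point that a login identifies who accessed a chart is only useful if someone checks those records against who was actually involved in the client’s care. The following is an added illustration, not code from the textbook or from any real electronic health record system: it reads a constructed chart-access log in an assumed “timestamp|user|client|action” format, compares each access against a constructed care-team roster, and flags accesses by staff who are not assigned to that client so they can be reviewed. Every user, client identifier, and log line below is made up for the example.

```python
"""Added example: flag electronic-chart accesses by users who are not on the
client's care team. All data here is constructed for illustration."""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "timestamp user client_id action")

# Constructed care-team roster (assumed data): client id -> staff user ids
# assigned to that client's care.
CARE_TEAM = {
    "C1001": {"rn.lee", "md.chen", "pt.khan"},
    "C1002": {"rn.lee", "md.osei"},
}

# Constructed access-log lines in an assumed "timestamp|user|client|action"
# format. Two of these accesses come from staff not assigned to the client.
SAMPLE_LOG = """\
2020-03-01T08:02:11|rn.lee|C1001|view
2020-03-01T08:05:40|md.chen|C1001|update
2020-03-01T09:17:03|rn.park|C1001|view
2020-03-01T09:20:55|rn.lee|C1002|view
2020-03-01T11:44:09|clerk.ng|C1002|print
"""


def parse_log(text):
    """Parse the assumed pipe-delimited log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, client_id, action = line.split("|")
        events.append(AccessEvent(timestamp, user, client_id, action))
    return events


def find_out_of_team_access(events, care_team):
    """Return every event where the user is not on the client's care team.

    A client with no roster entry has an empty team, so any access to that
    client is flagged rather than silently accepted.
    """
    return [e for e in events if e.user not in care_team.get(e.client_id, set())]


if __name__ == "__main__":
    for event in find_out_of_team_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f"REVIEW: {event.user} performed '{event.action}' on "
              f"{event.client_id} at {event.timestamp}")
```

Running the script lists the two accesses by rn.park and clerk.ng for follow-up. A flagged access is not automatically a breach (Table 7 below lists situations, such as filing a claim for reimbursement, where disclosure is permitted), but it is the kind of access a custodian is expected to be able to identify and explain.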

PHIPA (2004) sets out rules to balance the need for health information with a person’s right to privacy. Importantly, PHIPA applies both to health information custodians, like healthcare providers, and to persons who receive personal health information from health information custodians. For example, a nurse may complete a form that is submitted to an insurance company: in this scenario, the nurse is the health information custodian and the insurance company is the recipient of personal health information.

Healthcare organizations such as hospitals must implement information practices that comply with the Act. PHIPA (2004) requires that health information custodians take reasonable steps to ensure that personal health information is accurate, current, and complete, and that it is protected from loss, theft, and unauthorized use or disclosure. For more information, please visit:

The use of personal health information is restricted to members of the healthcare team involved in the client’s care. PHIPA (2004) specifies that consent is required for the collection, use, and disclosure of personal health information. The fact that an individual provides information to a healthcare provider typically implies consent. Implied consent can be assumed if the client has been provided information about the “collection, use and disclosure of personal health information” (CNO, 2019b, p. 5). Express consent (verbal or written) is required when the client’s personal health information is shared with any individual outside of the healthcare team, with a few exceptions (CNO, 2019b). A brief overview of the exceptions to consent for disclosure of personal health information is given in Table 7.


Table 7: Disclosure exceptions (adapted from PHIPA, 2004, S.O. 2004, c. 3, Sched. A).

Disclosure to other individuals working in the healthcare system.

  • When it is not possible to obtain consent from the client in a timely manner and there is a reasonable need for care.

  • In order for a custodian to receive funding (e.g., a clerk files a claim for OHIP reimbursement).

  • If misconduct is reported or suspected, an investigation can be carried out without the consent of the client.

Disclosure to public health authorities.

  • A custodian may disclose information to public health authorities (e.g., the chief medical officer of health or a medical officer of health) if the disclosure is made for the purpose of the Health Protection and Promotion Act.

  • In cases of suspected child abuse, disclosure to Children’s Aid Society.

Disclosure to family.

  • For contacting a relative, friend, or substitute decision-maker of an individual who is incapacitated, injured, or ill and unable to consent.

  • Necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group.

Disclosure for proceedings.

  • A client’s information can be shared for the purpose of a legal proceeding if it has been subpoenaed.

Disclosure for research.

  • A custodian may disclose information for research if it has been approved by the organization’s research ethics board (REB).

Disclosure for planning and management of a health system.

  • Personal health information may be disclosed for the purpose of analysis or compiling statistical information related to the management, evaluation, or monitoring of allocation of resources to or planning for all or part of the health system, including the delivery of services.

Disclosure to a health data institute.

  • Personal health information may be disclosed to an approved health data institute for analysis of the management, evaluation, or monitoring of the allocation of resources to or planning for all or part of the health system.

Points of Consideration

Who Owns the Client Record?

Clients have the right to access their own personal health information. In 1992, the Supreme Court of Canada ruled that although the institution or physician owns the physical client record, the client owns the information in it and has the right to receive a full copy of the record, except in certain situations where access would likely cause harm to the client (as cited in Canadian Medical Protective Association, n.d.a, 2019).



Documentation in Nursing: 1st Canadian edition Copyright © 2020 by Jennifer Lapum; Oona St-Amant; Charlene Ronquillo; Michelle Hughes; and Joy Garmaise-Yee is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.