Practice Standard: Confidentiality and Privacy - CNO


PRACTICE STANDARD
Confidentiality and Privacy — Personal Health Information

Table of Contents
- Introduction (p. 3)
- Understanding the Personal Health Information Protection Act (p. 4)
  - What is personal health information? (p. 4)
  - Application throughout the health care continuum (p. 4)
  - How the Personal Health Information Protection Act affects nurses (p. 5)
  - Personal health information belongs to the client (p. 6)
  - Disclosure (p. 7)
  - Professional misconduct (p. 7)
- Standard Statements (p. 8)
  - Personal health information practices (p. 8)
  - Knowledgeable consent and substitute decision-makers (p. 9)
  - The client’s right to access and amend his/her personal health information (p. 9)
  - Potential for harm (p. 10)
  - Disclosure without consent (p. 10)
- Maintaining a Quality Practice Setting (p. 11)
- Case Scenarios (p. 12)
- References (p. 14)

VISION: Leading in regulatory excellence
MISSION: Regulating nursing in the public interest

Confidentiality and Privacy - Personal Health Information
Pub. No. 41069
ISBN 978-1-77116-052-0
Copyright College of Nurses of Ontario, 2021.

Commercial or for-profit redistribution of this document in part or in whole is prohibited except with the written consent of CNO. This document may be reproduced in part or in whole for personal or educational use without permission, provided that:
- due diligence is exercised in ensuring the accuracy of the materials reproduced;
- CNO is identified as the source; and
- the reproduction is not represented as an official version of the materials reproduced, nor as having been made in affiliation with, or with the endorsement of, CNO.

First published 2004. Reprinted December 2005, May 2008. Updated June 2009. Updated February 2017. Updated April 2019 for references to Child, Youth and Family Services Act, 2017. Updated Nov 2021 for consistency of the term personal health information.

Additional copies of this document may be obtained by contacting CNO’s Customer Service Centre at 416 928-0900 or toll-free in Ontario at 1 800 387-5526.

College of Nurses of Ontario
101 Davenport Rd.
Toronto, ON M5R 3P1
www.cno.org

This document is also available in French under the title: Confidentialité des renseignements personnels sur la santé, No. 51069

Nursing standards are expectations that contribute to public protection. They inform nurses of their accountabilities and the public of what to expect of nurses. Standards apply to all nurses regardless of their role, job description or area of practice.
— College of Nurses of Ontario

Introduction

Nurses[1] have ethical and legal responsibilities to maintain the confidentiality and privacy of client health information obtained while providing care. One way that nurses maintain boundaries and build nurse-client relationships based on trust is by respecting clients’ rights around confidentiality and privacy.

Ontario’s privacy legislation supports and extends the College of Nurses of Ontario’s (CNO’s) standards on nurses’ accountabilities pertaining to clients’ personal health information. This document provides an overview of Ontario’s current legislation, clarifies nursing standards for confidentiality and privacy of personal health information, and replaces the Confidentiality practice guideline (#41045). It also updates the information on security and confidentiality of personal health information in the Documentation, Revised 2008 and Ethics practice standards.

A. Personal Health Information Protection Act

The Personal Health Information Protection Act, 2004 (PHIPA) governs health care information privacy in Ontario. Information privacy is defined as the client’s right to control how his/her personal health information is collected, used and disclosed. PHIPA sets consistent rules for the management of personal health information and outlines the client’s rights regarding his/her personal health information. This legislation balances a client’s right to privacy with the need of individuals and organizations providing health care to access and share health information.

PHIPA permits the sharing of personal health information among health care team members to facilitate efficient and effective care. The health care team includes all those providing care to the client, regardless of whether they are employed by the same organization. PHIPA requires that personal health information be kept confidential and secure. Security refers to the processes and tools that ensure confidentiality of information. When using computers, nurses should refer to the Documentation, Revised 2008 practice standard.

B. Quality of Care Information Protection Act

The Quality of Care Information Protection Act, 2016 (QOCIPA) is another piece of legislation for the health care sector. This Act provides broad protection to quality of care information produced by a health care facility or a health care entity, or for a governing or regulatory body. Its purpose is to promote open discussion of adverse events, peer review activities and quality of care information, while protecting this information from being used in litigation or accessed by clients. This means that nurses’ activities and records associated with the College’s Quality Assurance Program cannot be used in legal proceedings.

[1] In this document, nurse refers to a Registered Practical Nurse (RPN), Registered Nurse (RN) and Nurse Practitioner (NP).

College of Nurses of Ontario Practice Standard: Confidentiality and Privacy — Personal Health Information

Understanding the Personal Health Information Protection Act

What is personal health information?

Personal health information is any identifying information about clients that is in verbal, written or electronic form. This includes information collected by nurses during the course of therapeutic nurse-client relationships. Such information relates to the following:
- physical or mental health, including family health history;
- care provided (including the identification of people providing care);
- a plan of service (under the Long Term Care Homes Act, 2007);
- payments or eligibility for health care;
- donation of body parts or substances (e.g., blood), or information gained from testing these body parts or substances;
- a person’s health number; or
- the name of a client’s substitute decision-maker.

Clients do not have to be named for information to be considered personal health information. Information is “identifying” if a person can be recognized, or when it can be combined with other information to identify a person. Personal health information can also be found in a “mixed record,” which includes personal information other than that noted above.

A personnel record containing a note from a physician or an NP supporting an absence from work is not considered personal health information. However, a description of the employee’s symptoms and treatment noted by an occupational health nurse (OHN) when providing care is considered personal health information. If the OHN’s records contain health and non-health information, then it is a “mixed record.” For example, the record contains a note substantiating the absence and the employee’s symptoms and treatment. The note substantiating the absence can be shared with the employer only if the health information is separated from the note.

Application throughout the health care continuum

PHIPA applies primarily to personal health information in the hands of health information custodians (called HICs in the legislation, but custodians throughout this standard). A custodian is an organization that provides care within the health care continuum. People providing care can also be custodians under this legislation. Nurses who receive information from custodians are responsible for complying with the legislation. They can only use the information for the purposes they identified when requesting it from the custodian.

In general, nurses who are employees or volunteers, or contracted or credentialed by health care organizations (e.g., clinics, laboratories, CCACs, hospitals and long-term care facilities), are considered “agents” of a custodian. The legislation defines agents as people authorized to act for, or on behalf of, a custodian. An agent cannot act on her/his own behalf with regard to personal health information.

Custodians are responsible for practices and policies that ensure the confidentiality and security of personal health information. Custodians are also responsible for complying with the Act, and ensuring that all agents are informed of their duties under PHIPA.

Nurses in independent practice, or those employed in health services in non-health care settings may be considered custodians. Nurses in these settings are responsible for the personal health information in their custody and control, and must take certain steps to safeguard it. Compliance under the Act includes the following:
- designating a contact person to facilitate compliance with the Act and to respond to requests, inquiries and complaints from the public;
- providing a written public statement generally describing information practices, how to reach the contact person, the process for accessing records or requesting corrections, and the complaint process for clients;
- ensuring information practices comply with the Act and its regulations;
- ensuring information is accurate, complete and up-to-date; and
- ensuring information is secure.

A nurse is responsible for ensuring that she/he uses a client’s personal health information only for the purpose(s) for which it was collected. A nurse should ensure that it remains secure within the health care team. Health care providers also have an obligation to ensure that personal health information used by the health care team or disclosed outside the team is as accurate, complete and up-to-date as possible. If a complete record is not transmitted or transferred for any reason, health care providers must communicate this to the person to whom they are sending the record.

PHIPA defines “collection” as the gathering, acquiring, receiving or obtaining of personal health information. Nurses may only collect as much personal health information as is needed to meet the purpose of the collection. Information may be collected indirectly without consent (e.g., from a relative or significant other) when the client cannot provide it (e.g., he/she is unconscious), if there is a question as to the accuracy of the information that the client provides, or when obtaining consent would affect the timeliness of the care. The Act lists provisions that permit collection of personal health information from someone other than the client.

How the Personal Health Information Protection Act affects nurses

The legislation does not change nurses’ responsibilities to protect their clients’ confidentiality and privacy. Nor does it greatly affect their ability to collect and use personal health information to plan and deliver care. In PHIPA, “use” is a defined term. In this context, use means to handle or deal with personal health information in the custody or under the control of a custodian. Sharing information among members of the health care team to provide care is one use of information under PHIPA. Generally, consent to use information to provide care can be assumed by the health care team. A client should be made aware of his/her right to withhold or withdraw consent to the sharing of his/her personal health information with other members of the health care team.

Circumstances in which nurses may have to obtain explicit consent for disclosure of information are outlined in the section on disclosure in this document. The legislation also outlines permitted disclosures that do not require client consent.

A. Implied consent

PHIPA specifies that several conditions must be met to assume a client’s implied consent. It is a custodian’s obligation to fulfil these conditions by posting a notice or providing a brochure that describes the purposes for the collection, use and disclosure of personal health information. This kind of notice is one way to fulfil the conditions for implied consent.

B. Express consent

PHIPA does not require a specific form of express consent, which may be given verbally or in written form. It may be provided over the telephone or electronically if the nurse is sufficiently able to identify the person; however, express consent that is written helps avoid ambiguity. The content and format of the consent need not be elaborate. Express consent is required in the following situations:
- personal health information is to be disclosed outside of the health care team (e.g., submitting personal health information on a claim form to an insurance company);
- information is to be disclosed (within the health care team) for purposes other than providing, or helping to provide, care;
- personal health information is used for fundraising (e.g., contact information can be provided without express consent); and
- personal information is being collected for marketing research or marketing activities.

C. Substitute decision-makers

If a client cannot provide consent, then a substitute decision-maker may make decisions and provide health information. Rules for who may act as a substitute decision-maker are similar to those in Ontario’s health care consent law. For example, a substitute decision-maker may be a spouse or the parent of a child under 16 who is unable to answer health questions or make decisions about treatment. PHIPA also contains directions for substitute decision-makers when considering decisions of consent; appeal routes for clients found incapable; and means to deal with conflicts between people acting as client representatives.

Personal health information belongs to the client

The legislation recognizes that personal health information belongs to clients and is simply being housed in health care facilities. Clients have the right to give, refuse or withdraw their consent to the collection, use and disclosure of their personal health information.

Clients also have the right to instruct that a part of their personal health information not be shared with other providers. This is referred to as the lockbox provision. If a client instructs a nurse not to release a part of his/her health information to another practitioner, the nurse must advise the practitioner that some relevant information has been withheld at the direction of the client.

Although clients have the broad right of access to their personal health information under PHIPA, they may be refused access. Possible grounds for refusing access include the following:
- the information is Quality Assurance information or that generated for a regulatory college’s Quality Assurance Program;
- it is raw data from standardized psychological tests or assessments;
- it may present a risk of serious harm to the treatment or recovery of the client, or of serious bodily harm to another person; or
- access to the information would reveal the identity of a confidential source of information.

Clients also have the right to correct their personal health information. This means clients can request changes if they believe the record is inaccurate or incomplete. Requests for corrections can be made verbally or in writing; however, only those requests made in writing warrant the correction procedures set out in the Act. Clients can only request corrections to their information if access has been provided. They may not restrict the collection, use or disclosure of their personal health information that is required by law or professional standards.

Client requests to correct personal health information may be refused in the following circumstances:
- the request is frivolous, vexatious or made in bad faith;
- the custodian did not create the record and does not have sufficient knowledge, expertise or authority to make the correction; or
- the information is a professional opinion or observation made in good faith.

To comply with this legislation, procedures and policies must be in place to process client requests for access and corrections. Specific procedures for handling access and correction requests are outlined in the legislation.

Clients can complain to an organization’s contact person or to the Information and Privacy Commissioner about refusals to access requests or other breaches of PHIPA.

Disclosure

Disclosure is defined as making information available or releasing it to another custodian or person. Express consent is needed when personal health information is disclosed outside of the health care team or is not used to provide health care. However, PHIPA includes provisions that permit a custodian to use personal health information without the consent of the client. Some of these include use of personal health information for the following reasons:
- to manage risk;
- to support quality of care programs;
- to allocate resources;
- to obtain payment; and
- to do research, if a research plan has been approved by a research ethics board.

The Act also permits practitioners to disclose personal health information without obtaining consent in the following circumstances:
- if disclosure is needed to provide health care, and consent cannot be obtained quickly;
- to contact a relative or friend of an injured, incapacitated or ill client for consent;
- to confirm that a client is a resident or client in a facility, provide his/her location and comment on his/her general health status (unless there is an express request not to do so); or
- to eliminate or reduce a significant risk of harm to a person.

Refer to PHIPA or the Office of the Information and Privacy Commissioner for Ontario for information on disclosure.

Professional misconduct

One of the definitions of professional misconduct in the Nursing Act, 1991 is “giving information about a client to a person other than the client or his or her authorized representative, except with the consent of the client or his or her representative, or as required or allowed by law.”

Standard Statements

Personal health information practices

Nurses share relevant information with the health care team, whose members are obliged to maintain confidentiality. Nurses must explain to clients that information will be shared with the health care team and identify the general composition of the health care team.

Indicators

The nurse meets the standard by:
- seeking information about issues of privacy and confidentiality of personal health information;
- maintaining confidentiality of clients’ personal health information with members of the health care team, who are also required to maintain confidentiality, including information that is documented or stored electronically;
- maintaining confidentiality after the professional relationship has ended, an obligation that continues indefinitely when the nurse is no longer caring for a client or after a client’s death;
- ensuring clients or substitute decision-makers are aware of the general composition of the health care team that has access to confidential information;
- collecting only personal health information that is needed to plan and provide care;
- not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways;
- accessing information for her/his clients only and not accessing information for which there is no professional purpose;
- denying people who are not part of the health care team access to personal health information (e.g., OHNs denying a client’s employer access to the client’s personal health information);
- safeguarding the security of computerized, printed or electronically displayed or stored information against theft, loss, unauthorized access or use, disclosure, copying, modification or disposal;
- not sharing computer passwords;
- ensuring that explicit consent has been obtained to keep a client’s personal health information in the home;
- not using standard e-mail to send personal health information;
- ensuring that security-enhanced e-mail is effective before sending personal health information this way;
- using confidentiality warnings on facsimile cover sheets and in e-mail to instruct those who receive the information in error to destroy it immediately before reading it;
- communicating to the recipient of the information that a particular record is incomplete;
- advocating for policies and practices that ensure confidentiality during storage, transmission or transfer, or disposal of personal health information, whether in hard copy or electronic (e.g., e-mail, facsimile) form;
- complying with retention policies or advocating for these when none exist;
- ensuring that personal health information is destroyed in a way that protects the confidentiality of that information; and
- notifying the contact person within the practice setting when she/he becomes aware that there has been a breach of confidentiality (e.g., personal health information has been stolen, lost or accessed by unauthorized people).

Knowledgeable consent and substitute decision-makers

Nurses ensure that clients are aware of their rights concerning their personal health information and have expressly consented to the collection, use and disclosure of information outside the health care team.

Indicators

The nurse meets the standard by:
- obtaining the client’s express consent before disclosing his/her information outside the health team (e.g., to family members or friends of the client);
- ensuring clients are provided with an opportunity to withhold or withdraw consent to disclose their name, location in the facility and general health status;
- ensuring clients are provided with an opportunity to withhold or withdraw consent to disclose their name to a person representing his/her religious organization; and
- seeking consent from the substitute decision-maker when the client is incapable of providing knowledgeable consent.

The client’s right to access and amend his/her personal health information

Nurses respect the client’s right to see/obtain a copy of his/her health information, to see his/her health file and to request correction to the information. The onus is on the client to prove that the record is incomplete or inaccurate, and any changes to the record must be tracked.

Indicators

The nurse meets the standard by:
- ensuring that the custodian has provided written notice to clients about information practices and that clients are aware of their personal health information privacy rights; and
- facilitating client access to information about care and treatment.

Potential for harm

When a nurse learns information that, if not revealed, could result in harm to the client or others, she/he must consult with the health care team and, if appropriate, report the information to the person or group affected.

Indicators

The nurse meets the standard by:
- considering if any harm may come to a client as a result of a disclosure;
- reporting information as required by law;
- informing the client, as appropriate, when there is a duty to report information to another agency or facility;
- providing the client with the opportunity to take action and report information when appropriate;
- informing the appropriate authority if the client does not take action and report information; and
- consulting with the health care team when there are concerns about harm resulting from sharing information with a client.

Disclosure without consent

Nurses adhere to legislation that requires them to reveal confidential information to others. For example, the Child, Youth and Family Services Act, 2017, requires all health care professionals to report suspected child abuse to the Children’s Aid Society; the Health Protection and Promotion Act permits reporting of certain conditions to the Medical Officer of Health. Additionally, required reporting information may be disclosed to the Workplace Safety and Insurance Board. The information CNO gathers during an investigation and shares with the members under investigation is confidential.

Indicators

The nurse meets the standard by:
- ensuring clients or substitute decision-makers know that information may be used for purposes other than client care, such as for research or improvements to the quality of care;
- ensuring that those seeking access to information have the requisite authority before providing information (e.g., police officers who request information have a court order); and
- seeking the advice of the contact person for privacy of health information before providing information.

Maintaining a Quality Practice Setting

Employers and nurses share the responsibility for creating environments that support quality practice. CNO encourages employers and nurses to use the following strategies to develop and maintain a quality practice setting.

Care delivery processes

These processes support the delivery of nursing care and services related to confidentiality and privacy of personal health information.

Possible strategies include:
- conducting reviews of health information practices with staff to ensure that privacy and confidentiality standards are being met; and
- developing and implementing supportive policies and processes that address privacy, confidentiality and security in the collection, use and disclosure of personal health information.

Policies/processes include:
- giving the client access to his/her health information;
- managing client and/or family requests for changes to the health record; and
- defining the nurse’s role in dealing with a client’s right to access his/her health record.

Communication systems

These systems support information sharing and decision-making about client care and services. Systems should promote sharing of health information among interprofessional team members while protecting the privacy, confidentiality and access rights of clients.

Possible strategies include:
- ensuring that the electronic systems that support the transmission of client information (e.g., facsimiles, e-mail, intranet) are secure and protect client confidentiality;
- ensuring that written public notice with details on how to access and correct personal health information is available, and gives the name of the contact person who can respond to inquiries and receive complaints;
- establishing a process to help staff deal with issues/conflicts arising from inconsistent practices relating to privacy and confidentiality of personal health information; and
- consulting with front-line nurses, to tap into their expertise and experience, when determining the functional requirements to maintain confidentiality in computerized documentation systems.

Leadership

Leadership is the process of supporting others to improve client care and services by promoting professional practice. Possible strategies include:
- developing and implementing leadership opportunities, such as involving nursing staff in the development and revision of privacy and confidentiality policies/procedures related to the health record;
- establishing systems that ensure health information is collected, used, disclosed and accessed according to PHIPA and QOCIPA; and
- designating someone in the organization to act as the main contact for nurses with questions about confidentiality and security of personal health information.

Professional development systems

Professional development promotes a learning environment. Activities include orientation, education, performance management and professional practice activities related to privacy and confidentiality.

Possible strategies include:
- ensuring orientation to the facility includes addressing matters of privacy, confidentiality, security of personal health information and relevant policies and procedures; and
- providing educational opportunities to support effective compliance with PHIPA and QOCIPA legislation.

Case Scenarios

The case scenarios illustrate how the standards of privacy and confidentiality of personal health information may be applied. They are not all inclusive. If needed, advice should be sought from the contact person for privacy and confidentiality in your practice setting.

Scenario 1

Your client with an acquired brain injury has been stabilized and is being transferred to another hospital for continuing care. The client is unconscious. Her husband is aware of the transfer, but does not know it is happening today. You tried to reach him by telephone, without success. Before the client is transferred, you want to share information about the care she received and the current plan of care with the nurse who will receive her. The client’s cost for this transfer is being covered by private insurance, so you also need to share personal health information with the insurance company. How much information can you share, and with whom, under these circumstances?

There are two issues of consent in this scenario. The first is sharing personal health information with the receiving hospital nursing staff. These nurses are members of the health care team; therefore, there is implied consent for the sharing of information with them to provide health care. You can, therefore, share her personal health information. You may call the nurse and talk about the plan of care, and transmit a copy of the pertinent information from the health record to the receiving facility in a way that ensures the security of the files.

The second is the sharing of the client’s personal health information with the insurance company. Express consent is required because this disclosure is not to a custodian and is not required to treat the client. Because the client is incapable of providing this consent, her husband (the substitute decision-maker) must provide express consent either in wr
