Privacy and Security - Patient Records - EBUS.05

The terms privacy and security are linked together in this material. These terms, while related, are distinct in relation to the protection of the information accessed through ministry health information exchange (HIE) services.

  • Privacy of health information is addressed through rigorous policy and procedures defining who is authorized for access, the circumstances it may be accessed, and how it is used and disclosed to authorized persons.
  • Security measures including various administrative, technical and physical controls protect access to health information, and guard it from unauthorized disclosure or tampering.

Privacy and Security Training

Training staff is a critical component of privacy and security. Everyone needs to understand the importance of protecting health information and his or her role in its safekeeping. Most importantly, staff need to know the policies and procedures they are expected to follow. Therefore, all staff, including contractors, must receive privacy and security training annually. Training must include specific instruction on the following topics.

Policies and Procedures

Policies and procedures established at your point of service must address the following:

  1. Confidentiality of personal health information.
  2. Maintaining patient records:
    • Printing
    • Secure storage
    • Retention
    • Transport
    • Disposal
  3. Faxing documents containing personal information.
  4. Using couriers to send documents containing personal information.
  5. Reviewing audit logs at scheduled intervals.
  6. Maintaining user accounts, including deactivating accounts no longer required.

Your policies and procedures are to be reviewed and updated regularly to ensure they are current.


Confidentiality is a key component of privacy and security. It is assurance that health information is revealed to only those who need to know. You are obligated to protect the data you receive from HIE systems as you would with any other information contained in the patient's record.

To adhere to the Freedom of Information and Protection of Privacy Act (FOIPPA) and ministry agreements, ministry HIE systems must not be accessed from outside of Canada. If users are permitted to connect to their POS application from outside of Canada, they are to disable their connection to HIE systems prior to doing so.

Confidentiality Agreements

Anyone accessing clinical or patient information must sign a confidentiality agreement. This agreement will specifically detail the obligation and expectations for accessing health information and define the repercussions for inappropriate collection, use or disclosure of personal information.

Each year, all employees, contractors and third party confidentiality agreements must be reviewed and renewed.

Third Party Contracts

If you have contracts with third parties that involve personal information, those contracts must contain specific clauses defining privacy protection obligations.

Privacy and Security Breach

Your organization must have procedures established for managing suspected and actual privacy and security incidents and breaches. At minimum, these procedures must meet the requirements recommended by the Office of Information Privacy Commissioner for British Columbia:

Examples of common privacy breaches include:

  • unauthorized access by authorized users ("browsing");
  • failure of an authorized user to comply with a patient's disclosure directive;
  • the theft or loss of any personal information regardless of the format on which it is stored (including devices such as laptops, PCs, removable memory sticks); and
  • unauthorized interception through technological means (e.g., interception of wireless transmissions).

When a privacy or security incident involves access to or data received from HIE systems, you must promptly notify the province according to your systems access agreement.

Access Audit

User access audits are fundamental to information security. Audits create and maintain a culture of compliance, protect your organization, and protect your patients. Audits are conducted to:

  • detect inappropriate access to health information;
  • hold individuals accountable for their activity;
  • reduce risk for the organization;
  • investigate complaints; and
  • meet legal and regulatory requirements.

An authorized person in your organization will be given access to the audit tools and audit logs. This person will be responsible for routine and periodic (spot audit) monitoring of user access audit trails for unusual patterns or anomalies in use. All potential security weaknesses or breaches will be reported to the management of the point of service.

Patients and Privacy

Maintaining high standards for privacy and confidentiality is a key component of providing quality health care and of fostering the confidence of patients in the health care system. It is also part of delivering health care in a professional manner.

Patient Requests

Your organization's procedures to handle patient requests for information, corrections, and complaints must be established and communicated openly (e.g., via poster or pamphlet).

Patient Privacy Notification

Notices or other communication materials related to privacy practices must be readily available to patients.

Equipment Disposal

Before disposing of computer equipment, all personal health information must be removed in a way that it cannot be reconstructed.