Chapter 4: Confidentiality and Privacy

Duty of Confidentiality

Patient privacy is a core principle of health care in the Western medical system. As patients, we trust health care professionals to protect our privacy and keep medical records confidential, and as MLTs we agree that any information about patients that we have access to should remain confidential. Without this key trust between the public and the health care system, patients would not feel comfortable disclosing sensitive but important information about their health, and this could in turn jeopardize their medical care.

The requirement for absolute confidentiality was initially laid down in the values and codes of professional conduct of the various medical professions. Many places, including Nova Scotia, now have it formally covered by legislation. The Nova Scotia Personal Health Information Act (PHIA) came into force in 2013.

The best way to think of your duty to maintain patient privacy is to consider that all information that you encounter about a patient is confidential, including things such as date of birth, address, and even the fact that they have had an encounter with the health care system at all. Confidentiality means that you do not share this information by any means, except with other members of the health care team as necessary, with professional bodies as defined in the PHIA, or with the permission of the patient. Be careful: you are committing a breach of patient privacy if you:

  • Access information about medical testing for a patient or their family member, or even for your own information if you do not have a professional reason to do so
  • Inform a colleague or friend that someone they know has had an encounter of any kind with the health care system, after learning of it through your work as an MLT
  • Ask someone about his or her visit to the emergency room or other health care facility after learning of it through your work as an MLT
  • In a professional capacity, ask a patient for personal information that you do not need
  • Repeat something a patient tells you, even if it does not clearly relate to their health
  • Collect or provide patient contact information if you don’t have a professional reason to do so
  • Include someone’s personal information or confidence in a social media post, or anywhere where it might be accidentally accessed by others
  • Allow others access to contact information in your possession, if they don’t have a professional need for it

Numerous other scenarios constitute breach of privacy. It’s best, and safest, to proceed as though there are no exceptions to the rule of patient confidentiality. If in doubt, consult your employer, if possible, and ask yourself: do I have permission to access/share this, and is it necessary to do so in order to perform my work as an MLT?

Privacy and Access Legislation

Privacy and confidentiality are linked but subtly different. For our purposes, confidentiality refers to our duty not to disclose information we gain about an individual through our work as MLTs; privacy refers to their ability to withhold information about themselves from us and/or others.

SCENARIO:

Marie is working evenings in hematology when she receives specimens collected in emergency. The patient is married to Rick, a co-worker. Marie is concerned; she knows that Rick’s wife has a chronic illness and she hopes this isn’t serious. Though the specimens have been processed and test results reported by the end of her shift, Marie mentions them to Judy, who takes over for the night shift.

In the morning, Rick arrives for work as Judy is leaving and she asks after his wife, mentioning that she’s aware of the emergency visit. Rick is upset by the question, and distressed that people in the lab know that his wife was in emergency the evening before. No one can understand why he’s offended; Judy was only asking because she cared and was worried.

Unfortunately, although no harm was intended, there are confidentiality and privacy concerns in this scenario. In the lab, it’s virtually impossible to avoid seeing specimens and test results on co-workers, family members, friends, and even public figures from time to time. But as professional MLTs, we must keep all such knowledge confidential.

Judy did not need to know about the tests on Rick’s wife for any professional reason so Marie breached confidentiality by mentioning them. Similarly, Rick and his wife had a right to privacy, and others in the lab should have neither discussed the specimens among themselves, nor mentioned or asked questions about the emergency visit unless Rick brought it up himself. Rick could have reported both Marie and Judy for this breach.

We have legislation that deals with both confidentiality and privacy. The PHIA protects confidentiality, and focuses on “the collection, use, disclosure, retention, disposal and destruction of personal health information” (Section 2). The PHIA stipulates that if you collect, use, and share personal health information about clients you must collect and share only as much information as is necessary.

In contrast, the Freedom of Information and Protection of Privacy Act (FOIPOP) focuses on ensuring “that public bodies are fully accountable to the public” (Section 2) while protecting the privacy of individuals. The FOIPOP states that “disclosure of personal information is presumed to be an unreasonable invasion of a third party’s personal privacy if... the personal information relates to a medical, dental, psychiatric, psychological or other health-care history, diagnosis, condition, treatment or evaluation” (Section 20 [3]). The FOIPOP, therefore, does not overrule our duty of confidentiality.

Members of the public can request access to information that is kept by a public body (such as a hospital, university, or other public institution); however, it would be unusual for such a request to be handled by an MLT as the responsibility for handling requests rests with the head of the public body. If asked to disclose information to anyone, for any reason, an MLT employed by a public body must ensure that all requirements of both the legislation and the employer have been met.

Confidentiality and Privacy in a Remote or Mobile Workplace

Today, the vast majority of patient or client information is stored in institutional databases where its security is the responsibility of the institution. Situations do occur, however, where individuals are in possession of sensitive information that’s vulnerable to a breach. Such situations include:

  • Personal health information may be included in email communication and intercepted.
  • Institutional databases and email accounts are often accessed remotely.
  • Licensed MLTs working as blood collectors, or research assistants who visit clients in their homes, carry and collect personal information.
  • Information may be carried in ledgers or electronic devices from one facility to another.
  • Laptops containing patient or client information may go home, either inadvertently or because the person is working from home.

SCENARIO:

Audrey works in research and her job includes visiting research subjects in their homes to conduct interviews and collect samples. All the information she needs for the interviews, and all the data she collects each day is stored on a laptop and downloaded to another computer when she returns to the lab at the end of the day. The information on the laptop is erased daily, and while on her laptop it is only accessible via a password. Audrey’s password is her dog’s name: Ricochet.

One day, Audrey stops at a corner store on her way back to the lab and leaves her car unlocked while she goes in. When she comes back, her laptop is gone. It contains the results of four interviews and associated POC tests. Is this a potentially serious breach of privacy?

It’s likely that the person who stole the computer was an opportunistic thief who had no interest in the information on the hard drive. Some thieves are sophisticated, however, and understand that information on laptops can be valuable. It’s good that Audrey had the information hidden behind a password; however, a dog’s name is a relatively obvious password, and anyone who knows her, or can find out about her, will try it eventually. As well, erased files can often be recovered, so we can’t be sure that only four individuals are at risk.

In this situation, though the risk appears low, it would be best to inform anyone whose information is, or has been, on the computer that the information has been stolen and might be used for scams or identity theft. Audrey should inform her employer, who will determine how the incident should be handled. In future, Audrey needs to take more precautions to avoid this sort of mishap.

The key thing to remember is that you are responsible for safeguarding personal information that you carry or access, anywhere, anytime. To prevent anyone gaining unauthorized access to information in your possession, the following habits are helpful:

  • Encrypt data on electronic devices; safeguard encryption keys
  • Enable password protection on electronic devices and use it; safeguard passwords
  • Never use unsecured WiFi networks
  • Never use public computers to access sensitive data
  • Make sure computers, notebooks, etc. that contain sensitive information aren’t labeled in such a way as to attract curious eyes or an information thief
  • Use locks and keys whenever possible (briefcase, car, etc.)
  • Avoid working in public places or anywhere where you can be overlooked

Avoid having sensitive information in your possession whenever possible: if you don’t have it with you, you can’t lose it.

Privacy Breach

Privacy breaches do occur. If you become aware that personal information has been lost or stolen, deal with the situation immediately. Depending on your employment circumstances (always follow workplace protocol), you would either inform your employer or, if you are the custodian (the person ultimately responsible for keeping the information safe), determine whether there is any risk of harm or embarrassment to the person(s) whose information is involved. If there is risk to an individual, that individual must be informed.

The only situation where the individual(s) involved might not be informed of a privacy breach is when it’s unlikely that any harm will come of it. Even in that case, the breach must still be reported to the province’s privacy review officer.

Client’s Rights to Access and Correct Their Information

Individuals have the right to access their own personal health information and to request corrections if they believe the record to be incorrect. Technologists who work for others would not deal with such requests unless they are the person designated to do so. If you are that person, you’ll be following employer protocol in your response. If you work for yourself, you must respond to a request for access or correction, and in most cases you will comply with the request.

An individual’s right to access and/or correct their own personal health information is dealt with in the PHIA (Sections 71–90). The PHIA requires that the person in possession of such records respond to a request within 30 days and provide the requested access (a fee may be charged), except in particular circumstances. Such circumstances include:

  • Legal restrictions
  • Significant risk of harm to the individual or others
  • Risk of breaching privacy in some way

In situations where part of the record presents difficulties, that part can often be separated out and the individual allowed access to the rest.

SCENARIO:

You work in microbiology in a hospital lab and you receive a phone call from an individual requesting to see the results of all lab tests from a recent hospital admission. The caller tells you that he is considering a malpractice suit against the hospital and needs all his test results to determine whether there has been a medical error. You know that individuals have the right to access their personal health files. What do you do?

This individual does have the right to see his lab test results; however, it’s not your obligation to comply with this request. You are not in a position to verify the caller’s identity, or judge whether there is valid reason to refuse the request, and you likely don’t know what your employer’s protocol is without checking. In your hands, this request risks a breach of privacy.

The caller is going about this the wrong way. The information he’s requesting will be recorded in his medical file, and the hospital has a legal obligation to respond to requests such as this. The caller needs to determine what the hospital’s procedure for access requests is, and follow it.

A request for the correction of information might also be complex in terms of its validity; therefore, the original information is not destroyed—it might be crossed out or filed separately, but it should always be available in case it becomes important later. Again, there are situations where a request for correction should be refused, such as:

  • The record was made by a third party and you don’t have access, knowledge or authority to make a change.
  • The record contains comments/observations made in good faith.

Obviously, whether an individual is requesting access or correction, it’s important to verify their identity to avoid breaches of confidentiality and inappropriate changes to a document.

Conclusion

Personal information belongs to the individual, and the individual has the right to withhold it, entrust it, access it, and correct it. When clients entrust their personal health information to us, they rely on our commitment to confidentiality, and our respect for that trust must be paramount at all times.

In the case of a breach of privacy, follow workplace protocol. All breaches of privacy must be reported, and the individuals whose information was involved warned if there is risk of harm as a result of the breach. Requests for access and correction should be honored if at all possible, but the proper procedures must be followed.