A medical record allows health care providers to document medical history and identify patterns that may help determine appropriate treatment for their patients. With the increasing need for providers to access patient information scattered across multiple sites, electronic health records (EHRs) offer a solution. EHRs have the potential to improve health care efficiency and effectiveness by allowing multiple people to access a record at any one time, which prevents tests from being unnecessarily repeated and allows treating physicians to track important information in a timely manner.

However, the move to electronic records also creates an opportunity for inappropriate access and the potential for patient confidentiality to be breached.

Last year, five staff members at the Centre for Addiction and Mental Health in Toronto, Ontario accessed the medical records of 22 patients without permission [1], resulting in suspension without pay in four cases and a disciplinary letter in the fifth. This is just one example of the serious privacy violations that are unfortunately common in many Ontario hospitals. The University Health Network (UHN), representing four hospitals in downtown Toronto, reported 132 privacy violations in 2014, including the uploading of two photos with patient names and medical record numbers to UHN’s public Facebook page, and a staff member releasing patient appointment information to an employer [1].

If major breaches in patient confidentiality aren’t prevented, confidence in the health care sector's ability to protect private information may be compromised. The result could be patients refusing to disclose all pertinent health information, and limited public acceptance of a move towards EHRs. Health care institutions need to introduce and enforce risk management strategies to decrease the number of privacy breaches. Such strategies should include enforcing policies on the use of and access to personal health information, and limiting access to records on a need-to-know basis. That being said, not all breaches are deliberate or intentional, and many are the result of genuine human error. Conducting audits and providing ongoing education about privacy issues to all staff are measures that can prevent future breaches and create a culture of privacy.

By: Tess Ingram


  1. Carville O. Hundreds of hospital privacy violations go unreported, 2015. Available from: Accessed January 2015
  2. Bedgood A. The Age of Digital Health Care, 2015. Available from: January 2015
  3. Canadian Nurses Protective Society. Privacy and Electronic Medical Records, Revised 2009. Available from: Accessed January 2015
  4. The College of Physicians and Surgeons of Ontario. Medical Records, Revised 2012. Available from: Accessed January 2015
  5. Rosen Sunshine LLP. Prosecutions Not Necessarily Best Means for Preventing Privacy Breaches, 2014. Available from: Accessed January 2015
  6. Kalra D, et al. Electronic Health Records, 2006. Available from: Accessed January 2015
  7. Jha A, et al. The New England Journal of Medicine 2009. 360: 1628-1638