The CNO’s process for handling privacy breaches by nurses

By Published On: February 9, 2021Categories: College of Nurses of Ontario (CNO)

Protecting patient privacy is both a legal and an ethical obligation for all nurses – regardless of whether you are a Registered Nurse (RN), a Registered Practical Nurse (RPN), or are practicing in the extended class as a Nurse Practitioner (NP). Disciplining nurses involved in privacy breaches is becoming a growing focus of the College of Nurses of Ontario (CNO).

The Personal Health Information Protection Act, 2004 (PHIPA) governs the collection, use, and disclosure of personal health information (PHI) in Ontario.

PHIPA applies to all health professionals who handle personal health information, including nurses.

The CNO’s practice standard on Confidentiality and Privacy: Personal Health Information largely incorporates the requirements of PHIPA. This standard requires that PHI be kept confidential and secure. Nurses comply with this standard by accessing information for her or his patients only and not accessing information for which there is no professional purpose.

Nurses are required to be knowledgeable about the CNO practice standard on Confidentiality and Privacy in respect of personal health information (“PHI”) and comply with it. Contravening a professional standard constitutes professional misconduct. See subsection 1(1) of ,Ontario Regulation 799/93 made under the Nursing Act, 1991.

How the CNO becomes involved

There are two main ways the CNO may become aware of a nurse’s involvement in a privacy breach or alleged privacy breach:

  1. By a complaint filed by a patient, a patient’s substitute decision-maker (SDM), or another person who becomes aware of the nurse’s conduct, or
  2. By a mandatory report filed by the nurse’s employer to the CNO.

Complaints

If a patient, a patient’s SDM, relative or friend, or a co-worker of a nurse suspects that the nurse was involved in a privacy breach, they may make a complaint to the CNO (but are not required to do so). If the CNO receives a complaint, it is required to look into the matter. The Regulated Health Professions Act (RHPA) and its Health Professions Procedural Code, which forms part of the CNO’s governing legislation, set out the process for how complaints are to be handled. A nurse may first become aware of a complaint when she or he receives a notice from the CNO.

Employer Reports

If a nurse is disciplined by an employer for a privacy-related workplace offense or resigns as a result of an investigation into a suspected privacy breach, the nurse’s employer is required to file a mandatory report with the CNO about the nurse per section 17.1 of PHIPA. As with complaints, the RHPA and Health Professions Procedural Code set out the process for how employer reports are to be dealt with by the College. For example, the CNO is required to notify the nurse of the report. Many nurses who find themselves in this situation may already anticipate receiving a notice from the CNO before it arrives.

CNO Early Resolution Process

In cases that are deemed by the CNO to be of a less serious nature, the matter might be resolved through the CNO’s early resolution process. In this process, the nurse is required to provide a written reflection about the incident, and subsequently meet with a representative from the CNO to discuss the incident. The focus in the early resolution process is less on finding fault, but rather on demonstrating that the nurse has learned from the incident, has insight into her or his nursing practice and relevant CNO practice standards, and has identified and reflected on ways how to improve their nursing practice to avoid similar issues or mistakes from happening in the future.

CNO Investigations

In more serious cases, the CNO’s Executive Director (Registrar) will appoint an investigator to look into the matter. Where a complaint or report is being investigated, further information will be gathered about the incident, which may include but is not limited to relevant records from an employer’s investigation, privacy audit logs, and witness statements.

It is important to be aware that nurses have a professional obligation to cooperate with a CNO investigation. Failure to do so can itself become a ground for professional discipline. It is also important for a nurse to continue to respect privacy obligations during the course of the investigation, including by requesting relevant documents to be provided to the CNO through appropriate methods.

Nurses have a right to comment on the CNO’s investigation and provide a written response. A response should set out the nurse’s position on the allegations and explain the events. It is an opportunity to advocate for an early resolution of the matter. The response may be the nurses’ best (and perhaps only) opportunity to make a case to the CNO that a referral to the Discipline Committee will not be necessary. Where a nurse’s response takes the wrong tone, for example by focusing on blaming others or making misrepresentations, the nurse might expose her- or himself to a harsher penalty down the road. When preparing a response, it is advisable to seek legal assistance.

Review by the ICRC

Once the investigation is deemed complete, the matter will be reviewed by a panel of the CNO’s Inquiries, Complaints, and Reports Committee (ICRC). The ICRC’s review of a case takes place in writing and without the presence of the nurse. The ICRC acts as a screening body and does not make any findings of fact (i.e., it does not decide whether to believe one version of events over another).

In conducting the review, the panel of the ICRC ought to have regard to relevant records gathered during the investigation, including the nurses’ response and the nurse’s prior history with the College, before deciding whether to one of the following:

  • Refer a specific allegation of the nurse’s professional misconduct or incompetence to the Discipline Committee
  • Refer the nurse to incapacity proceedings (Fitness-to-Practice),
  • Require the nurse to appear before a panel of the ICRC to be cautioned and/or to complete a specified continuing education requirement (SCERP), or
  • Take no further action.

Once a decision is made, the nurse should receive a copy of the ICRC’s decision and written reasons for it. The nurse should also be informed of her or his right to have the decision reviewed by the Health Professions Appeal and Review Board (HPARB), if applicable.

Referrals to Discipline

Contravening a professional standard, including the CNO practice standard on Confidentiality and Privacy, constitutes professional misconduct and may be subject to discipline. If a nurse is referred to the CNO’s Discipline Committee, the case will proceed to a discipline hearing.

Matters before the Discipline Committee may be resolved on a consent basis by negotiating an agreement in advance with the CNO’s prosecution counsel. Alternatively, the matter may proceed on a contested basis. A contested discipline hearing is very similar to a trial before the Courts, where the nurse will testify and be subject to cross-examination by prosecution counsel for the College. Presiding panels Discipline Committee are made up of five decision-makers that include three nurses and two public members.

Privacy breaches by nurses including those involving accessing patient records outside of the circle of care without a valid professional reason, losing records containing patients’ personal health information, snooping, or improperly disclosing confidential patient information, increasingly attract significant penalties.

The CNO’s Discipline Committee may impose a variety of penalties on nurses who fail to meet their professional and legal privacy obligations, including (but not limited to) a reprimand, a suspension of the nurse’s license to practice nursing for a specified period of time; and that specific terms, conditions, and limitations (TCLs) be imposed on a nurses’ certificate of registration.

Regardless of the outcome, a nurse subject to the discipline process will also be liable to pay the CNO’s expenses associated with the discipline process.

The Take-Away

Privacy breaches are not to be taken lightly. If you have received a notice from the CNO about a complaint, an employer report, or have been referred to the CNO’s Discipline Committee, consulting with a lawyer early in the process is a very good idea. Receiving sound legal advice and representation throughout the CNO process can increase your chance of resolving your case early and minimizing the penalties and expenses you may be exposed to.


Carina Lentsch is an Ontario health lawyer and an advocate for nurses.

She helps nurses navigate CNO investigations, fitness-to-practice, registration, and discipline matters. Carina writes about legal issues affecting nurses and other health professionals.

To learn more about Carina’s law practice, ,click here. You can subscribe to Carina’s newsletter and follow her on ,Facebook for updates @aclhealthlaw.