Sage Journals: Discover world-class research

Abstract

Personal health information (PHI) sharing through Health Information Exchange (HIE) enhances patient safety in Canada, yet not all provinces and territories voluntarily disclose PHI on safety incidents to federal and pan-Canadian surveillance systems. A frequently cited barrier by healthcare organizations for HIE between different interoperable health databases is patients’ and families’ concerns for their privacy. This explorative qualitative study examined patients’ and families’ attitudes toward PHI sharing, including its secondary use in patient safety events. Rather than expressing reluctance, participants described support for HIE when privacy safeguards, such as defined sharing purposes and anonymous formats, were in place. These findings present a significant opportunity for health leaders and data custodians to use the research findings to create a patient-centric framework for the HIE of PHI.

Introduction

Patient safety is essential to quality healthcare, yet occurrences of harm continue to shape patient experiences and outcomes. In Canada, an alarming 1 in 17 hospital stays results in harm.¹ Reducing patient safety incidents is fundamental to healthcare excellence, but meaningful progress depends on the effective reporting, investigation, and analysis of these events. Surveillance systems play a crucial role by aggregating anonymous patient safety data to track and forecast health risks, equipping health leaders with insights to improve patient care.²

Canada’s Food and Drug Act³ mandates the reporting of adverse drug reactions and medical device incidents to the Canada Vigilance Database, commonly known as Vanessa’s Law.⁴ Despite the importance of surveillance, the legislation does not require broader HIE of patient safety incident data. For instance, only six provinces and territories participate in hospital surveillance of medication incidents through the Canadian Institute for Health Information’s (CIHI) National System for Incident Reporting (NSIR).⁵ Without external reporting requirements, data custodians face challenges in navigating privacy legislation governing PHI. This lack of mandated reporting significantly limits the potential for comprehensive patient safety surveillance and performance monitoring. In provinces and territories with underdeveloped performance infrastructure, this gap reduces health leaders ability to identify jurisdictions that are making significant gains in patient safety and those that need more focused support. A systems thinking approach, requiring coordinated action across all levels, emphasizes the need for robust safety surveillance practices to improve care outcomes.⁶

What remains unaddressed in policy and legislation are the perspectives of patients and families. This novel research identifies the absence of a person-centred perspective in patient safety surveillance. It explores how patients and families view the disclosure of Personal Health information (PHI), a key consideration in shaping policy and addressing concerns about its secondary use. By actively including these perspectives and moving beyond assumptions about privacy concerns, health leaders can better navigate Health Information Exchange (HIE) challenges and support informed, patient-centred approaches to data disclosure. This, in turn, strengthens reporting mandates and enhances patient safety outcomes.

Methods

A qualitative descriptive study,⁷ approved by the University of New Brunswick’s Research Ethics Board, explored patient and family perspectives in New Brunswick, Canada, on how information is shared about patient safety incidents, defined as events causing unnecessary harm during healthcare delivery. Specifically, how PHI on these incidents may be used to improve safety outcomes. English or bilingual patients or family members with firsthand and second-hand experiences of such incidents were purposefully selected for this study. Participants were recruited through social media, advertisements, snowball sampling, and community message boards. Semi-structured one-on-one interviews were conducted via phone or video conferencing, recorded in Microsoft Teams, and transcribed verbatim. Transcriptions were reviewed for accuracy, with filler words removed and pseudonyms assigned to participants before organizing the data using MS Word. The texts were collated and organized by codes in an open-source qualitative analysis software, Qual Coder™, to show code frequencies. Data were analyzed using thematic analysis guided by Braun and Clarke’s 15-point criteria checklist,⁸ leading to the identification of relationships across transcripts and the development of a thematic map illustrating key connections.

Results

Eight participants were purposefully selected from New Brunswick’s three different health regions to capture patient and family experiences of harm in two health authorities. Participants for this study predominantly identified as female, White, aged 45-50 years, and English-speaking (see Table 1). All the participants had a minimum of a high school education, and most reported having a post-secondary degree (75%). While many of the patients, and their family members, who participated in this study had experienced a patient safety incident within the past 5 years (63.5%), a significant number experienced an incident more than 5 years ago (37.5%). Three participants reported experiences of harm in both zones 1A and 1B.

Table 1.

Sociodemographic Characteristics (n = 8)

Characteristic	Attribute	N (8)	Full sample
Participant type	Patient	4	50%
Participant type	Family member	4	50%
Gender	Identified male	2	25%
Gender	Identified female	6	75%
Age	30-35 years	1	12.5%
	40-45 years	1	12.5%
	45-50 years	3	37.5%
	55-60 years	1	12.5%
	60-70 years	2	25%
Race	White	8	100%
Timeframe incident occurred	<1 year ago	1	12.5%
	1-5 years ago	4	50%
	>5-10 years ago	1	12.5%
	>10+ years ago	2	25%
Highest education completed	High school degree	2	25%
	Undergraduate degree	4	50%
	Graduate degree	2	25%
First language	English	5	62.5%
First language	Bilingual	3	37.5%
Health zone	1A	3	37.5%
	1B	5	62.5%
	3	3	37.5%

Four main themes were identified to describe participants’ thoughts regarding PHI’s collection, use, disclosure, and retention of patient safety incidents and the HIE of that data for safety surveillance. These four themes include (1) criteria for privacy, (2) conditions for access, (3) types of data for HIE, and (4) the purpose of HIE to help others.

Criteria for Privacy

Participants emphasized two key criteria for privacy: (a) maintaining the security of personal health information (PHI) and (b) ensuring access is limited to those who need it to help a patient. While patients recognized protections such as password authentication, concerns remained about potential breaches and the role of institutions in safeguarding data. At the same time, there was strong support for authorized access among care teams to enhance patient outcomes. As one participant stressed, “More information makes it more powerful…more knowledge to help the patient” (P03).

Conditions for Access

Participants identified three conditions under which access to patient safety incident information is appropriate: (a) to help the patient, (b) to help others, and (c) with access limitations to prevent harm or misuse. Participants supported sharing identifiable health information within a care team to ensure continuity and quality of care, and they emphasized the societal value of data sharing to improve healthcare for others. These futuristic gains included “public safety, public health good” (P01), to “help people that are in a situation like I am” (P02), and to “make things better for someone else” (P04). While participants endorsed altruistic sharing when it served patients or the public, they opposed access that could cause financial harm to patients or benefit others financially. However, the use of such information to secure government funding for safety improvements was deemed acceptable.

Types of Data for HIE

Participants differentiated between two primary types of data for health information exchange: (a) identifiable data, which should be safeguarded and shared only with authorized care providers to directly help patients and (b) anonymous information or aggregated data, viewed as more appropriate for broader use to help others. While all participants agreed on the need to protect identifiable information, views varied on appropriate conditions for its access. Aggregated data were generally seen as less risky and more acceptable for wider sharing as they represent multiple individuals whose data are combined and are by default rendered nearly anonymous. As one participant remarked, “If they’re aggregating it, it is properly anonymized…they could honestly do anything they wanted with the data as far as I’m concerned” (P01).

Purpose of HIE to Help Others

Participants identified three key purposes of health information exchange (HIE) that serve to help others: (a) accountability, (b) system improvement, and (c) research. They viewed HIE as a means to ensure healthcare organizations are held accountable through oversight enabled by the sharing of anonymous or aggregated patient safety data. As one patient participant explained, “Everybody needs to have someone to look over what they’re doing… to make sure that what they’re doing is appropriate and/or legal...as long as they themselves have the knowledge, they have a right to look over what they are doing and [to do] something about it” (P03). Patients also felt that HIE could support meaningful changes in the health system by helping leaders (e.g., the Department of Health) identify recurring issues and take steps to prevent similar incidents. Additionally, they expressed strong support for the use of anonymized data in research that could lead to new treatments or a deeper understanding of healthcare challenges to help others benefit from their experiences.

Discussion

This study provides valuable insights into how patients and families perceive the use of personal health information (PHI) for patient safety surveillance. It highlights three interconnected concepts vital to public trust: strong information security, clear access conditions through a “social license,” and the influence of personal values and beliefs on privacy attitudes.

Participants emphasized the importance of robust data protection, especially those who had experienced harm in healthcare. For them, security was a baseline expectation. Their views align with studies by Majorana et al. and Paprica et al., which highlighted the link between trust in health systems and confidence in privacy safeguards.^9,10 Transparent communication about PHI protection could improve trust in HIE initiatives used for safety surveillance.¹¹

The study also highlights the importance of social license, defined as the public’s expectations for data sharing.¹² Consistent with national findings, participants supported PHI use when its purpose was clearly articulated and aligned with public interest.¹³ Support, however, depended upon who accessed the data and under what conditions. These insights suggest the need for policy frameworks that involve the public in clarifying and communicating access parameters to maintain trust.¹⁴

Finally, the study revealed how deeply held values and lived experiences influence privacy attitudes. Drawing upon the Theory of Reasoned Action, this research illustrates how individual beliefs and prior experiences among those harmed by safety incidents shape judgments about what is appropriate or acceptable in terms of PHI use.¹⁵ This study shows that individuals affected by safety incidents were more likely to support data sharing if it promised meaningful change and accountability. Their views suggest a policy foundation rooted in real-world experience.

This study serves as a starting point for understanding patient-centred perspectives on the HIE of PHI for patient safety. A limitation of this study is that the sample remained relatively homogeneous, primarily of white, older adults who spoke English or French. Given Canada’s diverse health systems, findings may be most applicable to this demographic. Participant experiences are context-specific, and differing results in future studies should not undermine the trustworthiness of this research, but rather reflect the varied environments, cultures, and personal perspectives. The absence of Indigenous and racialized participants limits sociocultural representation, particularly regarding information sharing and patient safety. Upholding Indigenous data sovereignty requires future research to be led by or conducted with Indigenous communities, ensuring meaningful inclusion of their perspectives, governance structures, and knowledge systems, critical for equity in patient safety research.^16,17

As a novel area of inquiry, this study lays the groundwork for broader, more inclusive research across Canada’s diverse populations. Ultimately, this study emphasizes the importance of grounding health data policy in the lived experiences of patients and families. Security, transparency, inclusivity, and alignment with public values are essential to building trust and enabling ethical, effective safety surveillance.

Conclusion

When provinces and territories do not mandate HIE for patient safety surveillance, third-party data sharing remains voluntary. As a result, custodians may withhold critical information due to privacy assumptions, limiting health leaders’ ability to monitor and improve system-wide safety and quality. This study explored the perspectives of patients and family members affected by harm regarding the privacy of PHI and its exchange with provincial, federal, and pan-Canadian organizations. Thematic analysis suggests a potential social license for the secondary use of PHI in HIE related to patient safety incidents. While broader research is needed to incorporate diverse Canadian ethnocultural perspectives and refine boundaries of social license, establishing a policy or standard aligned with legislation, privacy principles, and public trust could support a patient-centred framework for PHI exchange. Provincial and territorial frameworks would be further strengthened by a national approach to security, access, and HIE, improving data timeliness and enabling health leaders to derive meaningful insights to improve patient outcomes.

Footnotes

Authors’ Note

To ensure the credibility of this study, findings were grounded in rich, contextualized descriptions drawn directly from the participants’ own words. The analysis was conducted with a commitment to preserving the authenticity of their perspectives. Importantly, the research process and outcomes were conducted independently, without the influence or direction of any government body.

ORCID iDs

Joanna L. Seeley

Donna G. Curtis Maillet

Sarah Balcom

Pamela Durepos

Ethical Considerations

This study was reviewed and approved by the University of New Brunswick’s Research Ethics Board (REB), ensuring compliance with ethical standards for research involving human participants. Approval was granted under REB 2023-095 on July 24, 2023, with modifications on October 25, 2023, and January 15, 2024. All participants provided informed consent, and measures were taken to protect their privacy, confidentiality, and autonomy following REB guidelines.

Informed Consent

Participants reviewed a research board-approved informed consent document and had their questions addressed before providing verbal assent. They were informed that participation was voluntary, that they could select which questions to answer, and that they could withdraw at any time without consequence. Participants were reminded that the interview would be recorded for research purposes and assured that recordings would be accessible only to the researcher. MS Teams recordings, stored on a password-protected computer, would be deleted following manuscript transcription. De-identified manuscripts would be securely stored on a UNB OneDrive account, accessible only to the research supervisor and committee. While responses could not be removed after pseudonymization, no participants withdrew from the study. Informed consent forms and research manuscripts were electronically stored on a password-protected UNB OneDrive account. Video recordings have been deleted, and all remaining research materials will be securely destroyed within 7 years of project completion.

Funding

The authors received no financial support for the research, authorship, and/or publication of this article.

Declaration of Conflicting Interests

The authors declare they have no potential conflict of interest. The first author is employed by the government of New Brunswick. This research study was conducted outside of that role as a public consultation through the University of New Brunswick, with no influence from government with respect to the research design, analysis, and publication of this article.

Data Availability Statement

Research data were collected in fulfillment of the University of New Brunswick’s graduate thesis for the Master’s in Applied Health Services Research program. The author agreed that full-text electronic access to the thesis shall be available to users at the discretion of the University of New Brunswick as of December 3, 2025.*

References

Patient Harm in Canadian Hospitals? it Does Happen. CIHI. Accessed June 13, 2025.https://www.cihi.ca/en/patient-harm-in-canadian-hospitals-it-does-happen

Canada PHA of Surveillance and Public Health Practice. PHAC. 2012. Accessed June 13, 2025. https://www.canada.ca/en/public-health/services/public-health-practice/surveillance.html

Food and Drug Act, RSC 1985, c F-27.

The Dangers of Prescription Medication: Vanessa Young’s Story. 2013. Accessed June 13, 2025. https://www.hercampus.com/school/u-ottawa/dangers-prescription-medication-vanessa-youngs-story/

Data Holdings. CIHI. Accessed June 13, 2025. https://www.cihi.ca/en/access-data-and-reports/data-holdings

Milligan

Allin

Farr

, et al. Patient Safety Mandatory Reporting Legislation and Outcomes: A Jurisdictional and Scoping Review. North American Observatory on Health Systems and Policies. https://naohealthobservatory.ca/wp-content/uploads/2020/02/NAO-Rapid-Review-19_EN.pdf

Sandelowski

. Whatever happened to qualitative description? Res Nurs Health. 2000;23(4):334-340. doi:10.1002/1098-240X(200008)23:4<334::AID-NUR9>3.0.CO;2-G

Braun

Clarke

. Using thematic analysis in psychology. Qual Res Psychol. 2006;3(2):77-101. doi:10.1191/1478088706qp063oa

Maiorana

Steward

Koester

, et al. Trust, confidentiality, and the acceptability of sharing HIV-related patient data: lessons learned from a mixed methods study about Health Information Exchanges. Implement Sci. 2012;7(1):34. doi:10.1186/1748-5908-7-34

10.

Paprica

De Melo

Schull

. Social licence and the general public’s attitudes toward research based on linked administrative health data: a qualitative study. Cmajo. 2019;7(1):E40-E46. doi:10.9778/cmajo.20180099

11.

Cumyn

Ménard

Barton

Dault

Lévesque

Ethier

. Patients’ and members of the public’s wishes regarding transparency in the context of secondary use of health data: scoping review. J Med Internet Res. 2023;25:e45002. doi:10.2196/45002

12.

Paprica

Crichlow

Maillet

, et al. Essential requirements for the governance and management of data trusts, data repositories, and other data collaborations. IJPDS. 2023;8(4):2142. doi:10.23889/ijpds.v8i4.2142

13.

Muller

SHA

Kalkman

Van Thiel

GJMW

Mostert

Van Delden

JJM

. The social licence for data-intensive health research: towards co-creation, public value and trust. BMC Med Ethics. 2021;22(1):110. doi:10.1186/s12910-021-00677-5

14.

Burt

Cumyn

Dault

, et al. Social license for uses of health data: a report on public perspectives. Health Data Research Network Canada and GRIIS. https://www.hdrn.ca/en/public/public-resources/reports/social-licence-report/

15.

Fishbein

Ajzen

. Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research. Addison-Wesley Publishing Company; 1975.

16.

Waanders

Brown

Caron

, et al. Indigenous peoples and inclusion in clinical and genomic research: understanding the history and navigating contemporary engagement. Neoplasia. 2023;37:100879. doi:10.1016/j.neo.2023.100879

17.

Public trust, literacy and health data foundations in Canada. Health Data Research Network Canada. Accessed July 2, 2025. https://www.hdrn.ca/wp-content/uploads/Public-trust-literacy-health-data-1pager.pdf