Africa Digital Health Academy

Confidentiality When the Record Goes Digital

Free preview.This is a sample lesson. The full course is delivered in the ADHA learning platform once you're admitted.

Meta: course=ethics-basics · module=1 · lesson=1.1 · ~55 min · keywords: confidentiality, EMR, shared devices, access control, audit log, OpenMRS, DHIS2, minimum necessary, WhatsApp, re-identification Objectives:

  • Explain why confidentiality is harder, and higher-stakes, in digital systems than on paper.
  • Apply the "minimum necessary" and "need-to-know" rules in routine digital work.
  • Identify common confidentiality breaches in low-resource African settings and how to prevent them.

Confidentiality — the duty to protect information a patient shares in the course of care — is one of the oldest obligations in health. Digital systems do not change the duty; they change the attack surface. A paper register sits in one cabinet, in one clinic, readable by whoever is in the room. The same data in an EMR such as OpenMRS, or aggregated in a DHIS2 dashboard, can be copied perfectly, transmitted in seconds, and accessed by people who never met the patient. The book frames confidentiality in digital contexts as the first element of the ethics, privacy, and security competency domain — a "core basic" for community health workers and "applied clinical ethics" for clinicians (Ch3 §3.3).

Two principles carry most of the load. The first is minimum necessary: collect, view, and share only the data the task in front of you actually requires. A pharmacy clerk dispensing medication does not need the patient's HIV status to do the job; a reception clerk registering a visit does not need the consultation notes. The second is need-to-know access: systems should let each cadre see only what their role requires, and you should never use access you happen to have for curiosity, for a relative, or for a neighbour. The architecture makes this enforceable — centralised identity, role-based access control, and audit logs are the platform "control points" that turn confidentiality from a promise into a governed rule (Ch4 §4.4.2). The audit log matters to you personally: in a properly configured system, every record you open is timestamped against your name. Looking up a celebrity admission or an ex-partner's file is not invisible — it is evidence.

In African low-resource settings the most common breaches are mundane, not dramatic. A single shared computer at a busy clinic means one logged-in account is used by five staff, so the audit trail blames the wrong person and access can't be controlled. An unlocked phone left on a counter exposes a patient list. A clinical photo or a "funny case" shared in a WhatsApp group — even with the name cropped — can often be re-identified from the tattoo, the ward, the date, or the rare condition. Screens face the waiting room. Printed line-lists are used as scrap paper. None of these require a hacker; they require only a moment's inattention. The countermeasures are equally mundane and equally effective: individual logins (never shared), automatic screen locks, screens angled away from public view, no patient data on personal messaging apps unless the platform is approved and the sharing is clinically justified, and shredding rather than recycling printed identifiers.

Confidentiality also extends to aggregated and secondary uses. Data collected for a patient's care may be reused for reporting, research, or program monitoring — but that reuse must respect purpose limits and, where required, be de-identified. A district malaria dashboard built from DHIS2 aggregates is legitimate; a list of named pregnant women circulated outside the care team is not. When you are unsure whether a sharing request is legitimate, the safe default is to ask who is requesting, for what purpose, under what authority — and to escalate rather than guess.

Figure 1.1.1 — Confidentiality at the point of care: where digital data leaks in a busy African clinic

Key terms:

  • Confidentiality — the duty to protect patient information disclosed during care and prevent unauthorised access or sharing.
  • Minimum necessary — collect, access, and disclose only the data the immediate task requires.
  • Role-based access control (RBAC) — system permissions granted by job role so each cadre sees only what they need.
  • Audit log — a tamper-resistant record of who accessed which patient record and when.
  • Re-identification — recovering a patient's identity from supposedly anonymous data using contextual clues.

Knowledge check: Q: A colleague asks for your EMR password because theirs isn't working. What should you do, and why? A: Refuse and have them get their own access reset. Sharing logins breaks the audit trail (actions appear under your name) and removes role-based access control, making both of you liable for any misuse.

Q: Is it acceptable to share a clinical photo in a staff WhatsApp group if you crop out the patient's face? A: Generally no. Patients can be re-identified from context (tattoos, ward, rare condition, date), and personal messaging apps are usually not approved, governed channels for patient data. Use only sanctioned platforms with clinical justification and consent.

Q: What does "minimum necessary" mean for a pharmacy clerk dispensing ARVs? A: They need the prescription and dispensing details to do the task — not the full clinical history or unrelated diagnoses. Access should be limited to what the role requires.

Q: Why is a shared clinic computer a confidentiality risk even if the clinic is small and trusted? A: One shared login means access cannot be controlled per person and the audit log cannot attribute actions correctly, so breaches can't be traced and need-to-know cannot be enforced.

Summary: Confidentiality is an old duty facing a new, larger attack surface in digital systems. Apply minimum-necessary and need-to-know rules, use individual logins and locked screens, keep patient data off ungoverned apps, and remember that audit logs make every record you open traceable to you.