Abstract
This paper describes the results of an in-depth interview study targeting three different stakeholders - privacy professionals, doctor's office administrators, and information technology designers - with the aim of understanding the current practices, challenges, and knowledge regarding compliance with privacy legislation in the management of patients' Personal Health Information (PHI). We apply grounded theory as the analytical approach to form privacy-preserving guidelines. Further, we derive themes related to PHI access, breach conditions, Electronic Medical Records (EMRs), and compliance with privacy legislation. Based on our results, we propose privacy-preserving design guidelines to assist IT privacy designers in demonstrating compliance with privacy legislation during the design process of online patient portals in Canada.