Patient Confidentiality: when can it be breached?

by Alison Kelleher, Partner,
Comyn Kelleher Tobin,
Medisec Panel Solicitors

General Principles of Confidentiality

Confidentiality is a fundamental principle of medical ethics and is central to the trust between patients and doctors. Patients are entitled to expect that information about them will be held in confidence, even after death. Paragraph 29.3 of the Medical Council Guidelines states:

“29.3 Before sharing or disclosing any identifiable information about patients, you must take into account the Freedom of Information (FOI) principles.

You must be clear about the purpose of the disclosure and that you have the patient’s consent or other legal basis for disclosing information. You must also be satisfied that:

  • you have considered using anonymised information (information that does not identify the patient), and you are certain that it is necessary to use identifiable information;
  • you are disclosing the minimum information to the minimum number of people necessary;
  • the person or people to whom you are disclosing the information know that it is confidential and that they have their own duty of confidentiality.”


Disclosure with a patient's consent

Where a patient is capable of making their own healthcare decisions, GPs must obtain the patient’s consent before giving medical information to a third party.

While the concern of the patient’s relatives and close friends is understandable, information must not be disclosed to them without the patient’s consent. If the patient does not consent, GPs should respect their decision, except in very exceptional circumstances where failure to disclose information would put the patient or others at risk of very serious harm.


Disclosure where there is no capacity

If the patient lacks capacity to give consent and is unlikely to regain capacity, a GP may only consider breaching patient confidentiality if it is in the patient’s best interests to do so. The views of family members are relevant in weighing up the best interests test to be applied, but without any formal legal authority such as an Enduring Power of Attorney, a family does not have any right to confidential information unless it is felt by the GP that it is in accordance with the patient’s best interests.


Disclosure required by law

Disclosure required by court order

Confidentiality will be overridden when ordered by a judge in a court of law, or by a tribunal or body established by an Act of the Oireachtas. For example, a Fitness to Practise Committee of the Medical Council has the power to issue a “Production Order”, which is akin to a Court Order directing that copy records of a patient be provided to the Medical Council.

Disclosure required by statute

Infectious Disease Regulations oblige all medical practitioners to notify the Medical Officer of Health or Director of Public Health of certain infectious diseases, including most recently, Zika Virus. The patient should be advised of the GP’s statutory obligation to report the patient’s details to the relevant authority, and that the report will be treated in a confidential manner.

Disclosure in relation to a vulnerable person

Where a GP knows or has reasonable grounds for believing that a crime, abuse or neglect has been perpetrated against a vulnerable person, special considerations apply where it is appropriate and necessary to protect that vulnerable person. The Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act 2012 came into force on 1st August 2012 and provides that it is an offence to withhold information on certain offences against children and vulnerable persons from An Garda Síochána.

Disclosure in relation to child protection concerns

Under the Protections for Persons Reporting Child Abuse Act 1998, disclosures are protected by law where suspected child abuse is reported in good faith to a designated officer.

GPs have an obligation to follow the Children First Guidelines and promptly report any reasonable concerns to Tusla. Paragraph 26 of the Medical Council Guidelines states:

“You must be aware of and comply with the national guidelines and legislation for the protection of children, which state that the welfare of the child is of paramount importance. If you believe or have reasonable grounds for suspecting that a child is being harmed, has been harmed, or is at risk of harm through sexual, physical, emotional abuse or neglect, you must report this to the appropriate authorities and/or the relevant agency without delay. You should inform the child’s parents or guardians of your intention to report your concerns taking into account that this may endanger you or the patient….”

So long as the report is made in good faith in a child’s best interests, the provision of information to the appropriate statutory agencies for the protection of a child is not a breach of confidentiality or data protection.


Disclosure in the public interest

Paragraph 31.3 of the Medical Council Guidelines provides guidance in relation to disclosure in the public interest to protect a patient or another identifiable person, or the community more widely. Before making a disclosure in the public interest, a GP must be satisfied that the possible harm the disclosure may cause the patient is outweighed by the benefits that are likely to arise for the patient or for others. Again, the information should only be disclosed to an appropriate person or authority, and include only the information needed to meet the purpose of the disclosure.

As a general rule, in balancing the duty of confidentiality against the duty to protect a patient or a third party at risk of serious harm, GPs should consider:

  • the likely impact on the patient or third party, should confidentiality not be breached;
  • the profound and irreversible consequences of making a disclosure;
  • whether there are any appropriate alternatives to breaching confidentiality, such as counselling a patient to make the disclosure themselves.


Exceptions to disclosure under data protection and freedom of information legislation

Section 8 of the Data Protection Act lists a number of exceptions to the rules applying to data processing. This includes information held in a personal record that is “required for the purpose of preventing, detecting or investigating offences or prosecuting offenders” or “to prevent injury or other damage to the health of a person or serious loss of or damage to property”.

The legislation does not elaborate on the seriousness of the offences or threats concerned. However, for GPs who have a professional duty to protect the confidentiality of their patients, it is generally accepted that it would not be ethical to comply with any request for disclosure of sensitive personal information unless withholding the information would potentially have profound adverse consequences.


Risk of a serious harm if information disclosed

There are occasions, such as a request by a patient for release of their own psychiatric records, where there could be a risk to the patient’s safety if the records are released.

Section 28 of the Freedom of Information Act states that access to records can be denied in circumstances where the disclosure of the information concerned might be prejudicial to the individual’s physical or mental health, well-being or emotional condition.

Guidance published by the Information Commissioner sets out the considerations that public bodies, including the HSE, should take into account when deciding whether to disclose or withhold sensitive medical information under the Freedom of Information Act. The Guidance states that particular procedures must be followed where disclosure may be prejudicial to a patient’s health or emotional well-being.

In these circumstances, if a vulnerable patient requests information, consideration should be given to releasing information to an appropriate health professional nominated by the patient, rather than the patient themselves.

The Guidance confirms that release of personal information to a third party should only be made in exceptional circumstances where, on balance, the public interest in disclosure outweighs the right to privacy of the individual concerned, or where release of the information would benefit the individual.

Section 4(1) - Data Protection (Access Modification) (Health) Regulations, 1989 provides for such instances and states –

“Information constituting health data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under section 4(1)(a) of the Act if it would be likely to cause serious harm to the physical or mental health of the data subject”.

In the case of Mr X and the Health Board, 12 December 2000, the Data Commissioner took the view that it was appropriate to withhold information from a patient where there was evidence of a real and tangible possibility of harm being caused to the general health, welfare and good of the patient as a result of release of medical information to the patient.

The Data Commissioner has clarified that this is a variation in the right of access that should only be applied in rare circumstances.



Unfortunately, a GP should never and can never give 100% assurance to a patient that all medical information will be kept confidential.

Where a GP has concerns in relation to breaching confidentiality and making a disclosure of information or records without consent, consideration should be given to:

  • General Freedom of Information and Data Protection principles.
  • The purpose of the disclosure.
  • Whether the use of anonymised information would suffice.
  • Disclosing the minimum information to the minimum number of people necessary.
  • Ensuring the intended recipient is aware the information is confidential and that they have their own duty of confidentiality.

The advice for all doctors is to proceed with caution and, if in any doubt, contact Medisec for assistance.
