Confidentiality is a fundamental principle of medical ethics and is central to the trust between patients and doctors. Doctors are generally aware of this obligation and are unlikely to deliberately disclose information to a third party without consent.
The responsibility to make sure confidentiality is maintained in a practice remains that of the GP.
The new Guide to Professional Conduct and Ethics for Registered Medical Practitioners 8th Edition 2016 (“the Guide”) provides helpful principles-based guidance on the duty of confidentiality and disclosure of identifiable patient information.
The Guide describes the behaviour and values that support good care and identifies confidentiality as one of the main elements of good practice and “essential to maintaining patients’ trust and enabling patients to speak honestly and fully about their lives and symptoms”. Without assurances about confidentiality patients may be reluctant to seek medical advice or treatment or give their GP the information needed to provide appropriate, effective care.
An important departure from earlier editions of the Guide is the fact that while the Guide specifically states it is not a code or a set of rules that dictates how a doctor should behave, it does introduce two distinct and very different terms to outline the behaviour expected of you. The Guide uses the term “you must” where there is an absolute duty on a doctor to comply with the principle that follows. The Guide uses the term “you should” to describe best practice in the given situation accepting that it may not always be practical to follow the principle in every circumstance. Your particular attention should be given to situations where the absolute duty now applies in relation to a GP’s duty of confidentiality.
Main principles of the duty of confidentiality
The Guide confirms that sharing information, in appropriate circumstances, is important, both for patient care and for the safety of patients and others.
The Guide states that a doctor should protect a patient’s privacy by keeping records and other information about patients secure and should guard against accidental disclosures. Before disclosing identifiable information about patients, a doctor must:
- Take into consideration Freedom of Information and Data Protection principles1.
- Be clear about the purpose for disclosure.
- Have the patient’s consent or other legal basis for disclosing the information.
- Have considered using anonymised information and you are certain it is necessary to use identifiable information.
- Be satisfied that you are disclosing the minimum information to the minimum amount of people necessary.
- Be satisfied that the intended recipient is aware the information is confidential and that they have their own duty of confidentiality.
Disclosure with consent
If a patient is capable of making their own decisions about their healthcare, you must get their consent before giving confidential information that identifies them to the patient’s relatives and close friends, or for research or to disease registers. If the patient does not consent to disclosure of identifiable information you should respect that decision except where failure to make the disclosure would put the patient or others at risk of serious harm.
If disclosure of a patient’s information to other health care providers is necessary as part of a patient’s treatment and care, you should explain this to the patient and disclose the information to an appropriate person making sure they are aware of their duty of confidentiality. If a patient objects to the transfer of the information you deem necessary you should explain you cannot arrange referral or treatment without disclosing the information.
The Guide recognises that clinical audit, quality assurance, education and training are essential for providing safe and effective healthcare. If a GP is providing patient information pursuant to of any of these activities, the information must be anonymised or coded before it is disclosed outside the healthcare team. If that is not possible a GP must make sure a patient is told about the disclosure in advance and given the opportunity to object. A GP must respect a patient’s wishes in respect of the disclosure.
Disclosure without consent
In certain circumstances a GP will be required to disclose patient information by law or in the public interest. A GP should inform the patient in advance of such an intended disclosure, unless this would cause the patient serious harm or would undermine the purposes of the disclosure.
A GP must disclose patient information where required by law, for example, pursuant to a court order or infectious disease notification or if a GP holds a reasonable belief that a crime involving a sexual assault or other violence has been committed against a child or other vulnerable person. Disclosure in the public interest may be made to protect the patient, other identifiable people or the wider community. Before making such a disclosure a GP must satisfy himself or herself that the possible harm the disclosure may cause to the patient is outweighed by the benefits that are likely to arise for the patient or others. The disclosure should be limited to the minimum information and minimum number of people necessary.
If a patient lacks capacity to give consent and is unlikely to regain capacity you should consider making a disclosure only if it is in the best interests of the patient.
As a general rule where possible a GP should always tell the patient in advance that they are disclosing information without the patient’s consent and why the GP is doing so, unless to do so would put the patient or third party at risk of serious harm. Document carefully your communications with the patient and the reasons for your decisions.
Request for records from a patient or third party before and after death of a patient.
The Guide specifically states that before giving copies of a patient’s records to them you must remove information relating to other people, unless those people have given consent to the disclosure. If you receive a request from a patient to release a copy of a patient’s records consider carefully the obligation on you to remove all references to third parties.
Patient information remains confidential even after death. If it is not clear if a patient consented to the disclosure of information after death, consider how the disclosure might benefit or cause distress to the family or carers, the effect of disclosure on the reputation of the deceased and the purpose of disclosure. A GP’s discretion may be limited if a disclosure of a patient’s records is required by law as referred to above.
As a GP you will be faced with difficult scenarios in relation to requests for records from patients and third parties and requests for records of a deceased patient. Each case should be considered on a case by case basis and always act in the best interests of your patient. Have a protocol in place for dealing with requests for records. Contact your indemnifier for specific advice on any queries relating to requests for patients’ records if you are unsure of your obligations.
A GP can only prepare a medical report on a patient with the patient’s consent. Medical reports and should be specific to the episode for which the report has been requested. The Guide states that if the report is requested by a third party such as an employer, insurance company or legal representative a GP should explain to the patient that the report must be factual, accurate and not misleading. The GP should be satisfied that the patient understands the scope and purpose of the report and that you cannot omit relevant information. Ensure your patient is aware of your duty of care to them and to the person/company from whom the report was requested. You should take the patient through the report before you release it so they appreciate the extent of the information you are reporting upon.
The new Guide states that any audio, visual or photographic recordings of a patient or relative of a patient, in which the person is identifiable, should only be made with express consent of that person. The recordings should be kept confidential as a part of the patient’s records. You should be aware of security when sharing information by electronic means and do all you reasonably can to protect confidentiality which could include encryption measures. You should also get consent before sharing such videos, photos or other images of a patient.
You should only take images of patients on your personal mobile device when necessary for the patient’s care. Such images must not identify a patient and should only be kept for the minimum time necessary.
We have no doubt that the Guide will provide helpful clarifications for the manner in which the patient–doctor relationship should be conducted and is fundamental to patient safety and the delivery of high-quality health care.
How to avoid accidental breaches of confidentiality in a GP practice:
Complaints or legal actions against GPs on the basis of an alleged breach of confidentiality are rare. However, everyone working in general practice must understand the rules of confidentiality. All patient information is confidential from the most sensitive diagnosis to the fact of having visited the surgery to being registered in the practice. Standards of confidentiality apply to all health professionals, students, administrative and ancillary staff including receptionists, secretaries, practice managers and cleaners.
Most breaches of confidentiality within general practice are inadvertent overheard disclosures. You might in addition consider the following factors that may lead to confidentiality breaches:
- Physical environment – be mindful of room design such as proximity of waiting room to reception, positioning of computer screens and telephones or seating.
- Medical records – be mindful of safety in your system for filing records or transferring or disposing of records securely. Do not leave patients’ records on paper or screen unattended or where they can be seen by other patients, unauthorised staff or the public.
- IT systems – be mindful to install a robust IT System of backing up files, audit logs, firewalls, virus protection and appropriate encryptions. Do not share login details.
- Training and education – provide ongoing training to all practice staff so theyunderstand that patient information is given to them in confidence and that they are bound by a legal duty of confidence. Encourage all practice staff to work together to ensure that standards of confidentiality are upheld and improper disclosures avoided. Promote and insist on a ‘no gossip’ culture within the practice.
- Contract – Have all practice staff including students sign a confidentiality agreement which includes the use of social media sites.
- Communication by fax/text/email – have a policy in place to manage the disclosure of confidential formation about patients by electronic means.
The ICGP have a very useful online E-learning module on confidentiality which is relevant and practical for GPs in their everyday practice.
In house Legal Counsel
First published in Forum in June 2016
1Appendices A and B of Guide to Professional Conduct and Ethics for Registered Medical Practitioners 8th Edition 2016 set out relevant principles and legislation of Freedom of Information and Data Protection.