Regulatory bodies are clear that there is a risk of patients under-reporting symptoms or avoiding medical help altogether if they think their personal confidential information will be disclosed by healthcare professionals without consent, or if they are unable to have a say or some control over how their information may be shared.
However, the right to confidentiality is not absolute. That right – whilst guarded by healthcare professionals on behalf of their patients – may sometimes be at odds with the law. Legislation and guidance governing the collection and maintenance of clinical information is ever-expanding, as are the increasingly diverse methods of processing and sharing such information. Keeping up to date in this area is an important challenge for healthcare providers.
There are three generally recognised scenarios when confidential information may be disclosed:
- where disclosure is judged necessary and the patient to whom the information relates grants consent
- where disclosure is a legal obligation
- where there is an overriding public interest in disclosure.
Unlawful or unjustified disclosure of confidential information could expose a practitioner to:
- Breach of statutory duty under the Data Protection Act 2018.
- Disciplinary proceedings: an unauthorised breach of confidentiality can lead to fitness to practise proceedings by the GMC, GDC and other regulatory bodies.
- Disciplinary action by employers in relation to capability and professional conduct.
- Civil action: a patient alleging breach of confidentiality can seek damages in civil courts.
In general, a practitioner should always seek the consent of the patient for the disclosure of confidential information and keep disclosure to the minimum necessary for the intended purpose. Should consent be refused or otherwise unobtainable, seek medico-legal advice.
Make a record of all confidential disclosure decisions, along with the reasoning behind such decisions, and be prepared to explain and justify the decision. Contact MDDUS for medico-legal advice before disclosure takes place, if in any doubt.
Patient information can be requested for purposes other than direct care. It can be used to enable health services to function more effectively and safely in research, future service planning or financial audit. Other uses may serve wider public interests, such as disclosures for public protection.
If you are unsure about how to handle a particular request or situation, you should consult a Caldicott or data guardian, data protection officer or the MDDUS for further advice.
Data protection principles
Healthcare professionals are obliged, both legally and professionally, to abide by the following data protection principles:
- Only use the minimum necessary personal information to fulfil the intended purpose. Where practicable, use anonymised information if it will serve the purpose.
- Ensure that any personal information you process or control is effectively protected at all times against improper access, use, disclosure or loss.
- Be aware of and comply with the principles of the Data Protection Act 2018. Be satisfied that you are controlling or processing personal information lawfully.
- Seek explicit consent to disclose personal information about patients for purposes other than direct care or local clinical audit, unless the disclosure is required by law.
- Seek consent from patients about any disclosures of personal information that they would not reasonably expect, unless this is not practicable or would undermine the purpose of the disclosure. Keep a record of all your decisions to disclose or not to disclose information.
- Assist and support patients’ rights to access their own information. Respect patients’ legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.
- Ensure that you respect the general right to confidentiality extending beyond death. This is particularly relevant where a patient has specifically requested that certain information remains confidential following their death.
Personal information may be disclosed without breaching confidentiality where the following circumstances are present:
- The patient has consented, either implicitly or explicitly in connection with their own care or for local clinical audit.
- The disclosure in question is in the best interests of a patient who lacks the capacity to consent.
- Disclosure is required by a relevant law or court order.
- Disclosure can be justified in the public interest.
In disclosing confidential information about a patient you must try to:
- Use anonymised information if it will serve the intended purpose and is practicable.
- Satisfy yourself that the patient has access to information explaining how their personal information will be used for their own care and that they have the legal right to object. In all cases check that the patient has not objected.
- Obtain the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care, unless the disclosure is required by law. Ensure that disclosures are kept to the minimum necessary for the purpose at hand.
- Being overly defensive.
- Not addressing all the issues raised by the complainant.
- Taking too long to respond and not keeping the complainant updated about the reasons for this and when they can expect a response.
- Follow a clear framework when responding to complaints in writing or verbally.
- Provide an acknowledgement and express regret that the complainant is unhappy with their care. A sincere apology can assist matters greatly from the outset.
- Outline a summary of the complainant’s concerns – this can be particularly helpful if the complaint is complicated or multi-faceted.
- Describe how the complaint has been investigated.
- It can be helpful to provide a chronological account of care. Should you identify potential learning points as a result of your investigation, it is helpful to include these.
- Offer a face-to-face meeting.
- Remind the complainant that, if they remain dissatisfied with your explanation and response, they are entitled to raise their concerns with the ombudsman, and signpost how the complainant can contact them.
- Remember that complaint-handling procedures are slightly different for each of the countries in the UK, and these should be referred to when responding to complaints. This is important in respect of statutory timescales.
- The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
- The National Health Service (Concerns, complaints and redress arrangements) (Wales)
- NHS Scotland Complaints Handling Procedure 2017
- Northern Ireland Quality and Outcomes Framework 2017
- Scottish Public Services Ombudsman (SPSO)
- Parliamentary and Health Services Ombudsman in England (PHSO)
- The Northern Ireland Public Service Ombudsman
- The Public Service Ombudsman for Wales
- General Dental Council. Focus on Standards (Principle 5 Have a clear and effective complaints procedure)