These cases are based on actual calls made to MDDUS advisers and are published here to highlight common challenges within general practice. Details have been changed to maintain confidentiality.
Easing the workload
Q. Our practice team recently spent a day discussing ways to better manage our increasing workload. One idea was to free up the doctors’ time by delegating some tasks across the team, such as the filing of certain normal test results. Would this be possible?
Before implementing any new systems, it would be useful to consult the General Medical Council’s guidance on delegation and referral. It advises that: “When delegating care you must be satisfied that the person to whom you delegate has the knowledge, skills and experience to provide the relevant care or treatment; or that the person will be adequately supervised.” While MDDUS cannot give specific advice on any proposed new protocols, you should ensure that patient safety is not jeopardised. Staff should be sufficiently trained and adequately supervised, and any new systems should be regularly monitored. Record any decisions you make in delegating medical duties and be prepared to justify your actions. It is important to remember the GMC’s guidance in Good medical practice that: “When you delegate care you are still responsible for the overall management of the patient.” In the context of this proposal, it is also important to consider that not all ‘normal’ test results will require no action. There will of course be cases in which a normal result should prompt further investigation and, indeed, where the definition of what is ‘normal’ will vary according to the particular patient in question, regardless of the laboratory range.
CCTV with audio
Q. We have a couple of CCTV cameras in our reception area to review patient interactions with the practice team. We had an incident with an aggressive patient yesterday and I wondered if we could add a microphone to pick up audio as well as video. Would this be possible if we put up plenty of signs to inform patients in advance?
Before installing any audio recording devices in your reception area, you would have to be sure that patient confidentiality could be protected at all times. Patients would have to be fully informed of this change, with notices at routine touchpoints such as the practice website or leaflets, social channels, or posters in the waiting room. You would also have to give staff sufficient training to ensure they do not discuss confidential medical information at the reception desk. You may have to consider providing a separate private space, away from the CCTV system, for any patients who wish to speak about confidential matters. Should confidential information be picked up by a CCTV audio recording, this would lead to significant data protection issues around retention, storage and protection from unauthorised access, similar to those involved in recording patient telephone calls.
Insurance company request
Q. The practice has been contacted by an insurance company who are requesting a copy of a patient’s entire medical notes and correspondence dating back six years. They have applied under the Access to Medical Reports Act 1988. Should I comply? I’m worried about breaching data protection rules.
The Access to Medical Reports Act 1988 (AMRA) allows a doctor to write a report with the patient’s consent that includes information that is relevant to the purposes of that report only. The patient then has the right to review the report before it is sent to confirm they still consent to its disclosure. Under the Data Protection Act 1998 (DPA) individuals are entitled to request a full copy of their health records via a subject access request (SAR). A third party can also request this information if the patient provides full consent. In the above case, as the appropriate consent has not been supplied, it may be prudent to reply to the insurance company in general terms advising them of your duty of confidentiality and your data protection obligations to all patients. If they wish to proceed with the SAR, then they should provide you with the appropriate signed mandate from the patient confirming their consent. If the patient does consent to the release of their full medical notes, then you can proceed with the disclosure. Any information that could identify or is about third parties, or which may cause serious mental or physical harm to the patient, should be redacted.
Family member and patient?
Q. The sister of one of our receptionists is also a patient at the practice and I wondered if this was appropriate in terms of confidentiality or other issues? Are there rules relating to certain types of relationships being more problematic than others, e.g. would it be okay to have someone’s sibling registered, but not a parent/child?
There are no specific rules relating to the appropriateness of registering certain types of relatives. But there are potential conflicts of interest that can arise if an employee or family member is a patient at the practice where they work. The doctor/patient relationship should be kept separate and it would be in the best interests of all patients to have access to independent objective care. For example, the receptionist’s sister may feel reluctant to share certain personal information during a consultation if she thinks this could be accessed by her sibling. While there is no obligation for staff members or their family to re-register at another practice, it may be reasonable to discuss the issue with them in a sensitive manner, although in some circumstances, such as practices in rural areas, finding an alternative practice nearby may not be possible. The practice staff should also be very clear about the importance of patient confidentiality and measures should be in place to ensure data is not accessed inappropriately.
GMC disclosure request
Q. I am a GP partner and have received a letter from the General Medical Council requesting a copy of a patient’s records. This is in regard to an investigation of a former GP at the practice. Do I need the patient’s consent before complying with this request?
You should contact the GMC to confirm if they have either patient consent or other legal justification for the disclosure. If so, then it would be appropriate for you to comply with the request and send the files via secure means. If the GMC have not secured patient consent, you should ask why. It may be appropriate at this point for you to contact the patient directly with the GMC’s agreement. Should the patient decline to provide consent then the regulator can pursue a disclosure request with powers invested in them under Section 35A of the Medical Act 1983. Members should contact MDDUS for advice where needed in regard to any correspondence with the GMC in such matters.
Discharge summary data breach
Q. A patient of ours was recently admitted to hospital and during his stay his medication was changed. A new prescription was generated and this was stapled to the discharge summary to allow the doctor to review the changes prior to signing the script. The discharge summary remained attached to the script when it was collected and taken to the pharmacy. (The doctor felt the pharmacy should be made aware of the medication changes.) The patient has since complained that details of his hospital stay and diagnosis were disclosed to the pharmacy. Was this a breach of confidentiality, given the pharmacy are directly involved in the patient’s care?
The General Medical Council’s guidance, Confidentiality, states that there is implied consent for sharing medical information within a healthcare team. However, this information must be relevant to the ongoing treatment of the patient. In this instance, it would seem that the information disclosed extends beyond that which is normally provided to a pharmacist. If the information on the discharge summary was not required by the pharmacist to dispense the prescription, then this would constitute a breach of the patient’s confidentiality. It may be appropriate for the practice to discuss this matter internally and perhaps also with your local Caldicott Guardian and/or data protection officer. If it is decided that a breach occurred, then the practice should inform the patient, and consider if it is necessary to report the breach to the Information Commissioner’s Office (ICO) – their self-assessment tool can be used. If any advice is needed, members can contact MDDUS.