Q An insurance company has asked a practice to email the dental records of one of their patients. The patient has already given her consent for the disclosure but the manager is unsure how safe it is sending confidential information electronically.
A Principle four of the General Dental Council’s new standards guidance relates to maintaining and protecting patient information. It makes it clear that practices must keep patients’ information secure at all times, whether they are held on paper or electronically. If you are sending confidential information, such as records, you should use a secure method. If confidential information is sent (or stored) electronically, the GDC advises that it should be encrypted. It may be worth seeking professional IT advice to ensure your computer system is up-to-date and secure.
Q A patient has recently been diagnosed with an aggressive form of skin cancer and has just a few months to live. She is also HIV positive but does not want her family to know. The practice is unclear as to whether her HIV status could be omitted from her death certificate, which the family would have access to. There are also concerns the family may request access to the patient’s medical records after her death, which would also reveal her status.
A The patient is within her rights to request her HIV status is not disclosed to family after her death. In this case, there would not appear to be any connection between the HIV and the cancer’s rapid progression which means there would be no need to include it on the death certificate. (This fact could be confirmed by consulting an infectious disease specialist.) In terms of relatives accessing the records, the practice must respect the patient’s wishes and be sure not to disclose anything that makes reference to her HIV status. Also, it would be useful if there was a note somewhere in the record to confirm that the issue has been discussed and the patient has specifically requested her family not be told about her HIV status.
Q The widower of a gynaecologist/obstetrician has discovered a pile of private patient records in the loft. He is concerned they should be kept somewhere more appropriate but is not sure what to do with them.
A Ideally, private practitioners would explain in their will what should be done with records in the event of their death. If not, then the next of kin/executor becomes the data controller and must ensure they are stored/disposed of securely. Private practitioners are advised to adhere to the retention periods set out in local NHS guidelines. Remember also that the Data Protection Act prohibits the retention of personal data for longer than necessary.
Obstetric records in England should be kept for 25 years after the birth of the last child while gynaecological records, and hospital records generally, should be kept for eight years after conclusion of treatment/patient death. Time limits vary for GP records. Those relating to mentally disordered people should be kept for 20 years after treatment completion/10 years after the patient’s death. Other adult personal health records should be kept 10 years after treatment completion/the patient’s death/the patient has permanently left the EU. In this case, it would be advisable to seek a secure storage solution, for example from an information management company. If in doubt, seek further advice from MDDUS.
Q A dental practice manager in Scotland has been notified of a forthcoming practice inspection. She knows the system has recently changed and asks how best to prepare for the visit.
A A single combined practice inspection (CPI) process was implemented in Scotland at the beginning of 2013, replacing those previously carried out separately by NHS boards and NES. It is a three-year rolling programme and practices should start to prepare now as the process can be time-consuming. Familiarise yourself with the CPI checklist (or the sedation practice inspection checklist where relevant) and ensure your practice meets all essential criteria. There is a list of documentation that you should have ready to produce on the day and forms that should be completed in advance of an inspection. Failure to comply with the checklist standards could affect a practice’s access to NHS grants and allowances. Find out more at www.scottishdental.org
Q A private company has been in touch recently offering to take over large practice mailings inviting patients to use services such as flu vaccinations and disease clinics. The practice manager knows this would save his team a lot of time but is worried about breaching confidentiality.
A Practices are allowed to outsource the printing and mailing of such patient invites to a third party, but only under certain conditions. It’s important to bear in mind that the practice’s data controller (often the PM) remains responsible for ensuring the third party organisation complies with the Data Protection Act. As such, you should only use a company that you consider can carry out the work in a secure manner.
The Information Commissioner’s Office states that you must have a written contract in place with the company that requires them to take appropriate security measures and ensures they only use and disclose the personal data in line with your instructions. It also recommends that you audit the organisation regularly to ensure they are maintaining standards and that you ask them to report any security breaches or problems. Make sure you have procedures in place that allow you to act appropriately should you receive one of these reports.
WHO CAN VACCINATE?
Q During a busy flu season, a practice is considering delegating the provision of some flu vaccinations to two of its healthcare assistants in order to ease the burden on the nursing team. The manager wants to know if the HCAs can administer vaccinations under a patient group direction (PGD).
A The short answer is “no”, HCAs cannot administer vaccinations under a PGD. But there are circumstances under which they can administer vaccinations. To explain, the majority of NHS flu vaccinations are administered via PGDs which are written instructions for the supply and/or administration of a named licensed medicine for a defined clinical condition. PGDs allow certain healthcare professionals to administer a medicine directly to patients under specified criteria without the need to see a doctor or other qualified prescriber. However, the healthcare professional must be professionally regulated (i.e. nurse, pharmacist, health visitor etc) and HCAs are not.
An HCA would however be able to administer a flu jab via a patient specific direction (PSD), or if prescribed by a doctor/qualified prescriber. A PSD is a written instruction from a doctor (or dentist or other independent prescriber) for a medicine to be supplied or administered to a named patient. It could be a prescription or simple written or electronic instruction in the patient’s notes. A PSD must state the name of the patient, the name and dose of the prescription-only medicine to be administered and “show evidence to confirm that the patient has been considered as an individual”.
PSDs do not limit who can supply or administer the medicine and thus a suitably trained HCA can be tasked to give a flu vaccination to a named patient. The practice should ensure their HCAs are competent to provide any relevant care and treatment and that they are adequately supervised.
PATIENTS AS FRIENDS
Q A teenage patient has attended a practice numerous times in recent months for ongoing treatment, becoming well known and liked by the staff. He recently sent one of the GPs a “friend” request on Facebook, but she is unsure about accepting.
A Most people now have a presence on some form of social networking site, be it Facebook, Twitter, blogs and the like. For healthcare professionals, this poses risks in maintaining patient confidentiality and professional boundaries. It is advisable NOT to accept “friend” requests from present or former patients, to ensure the relationship remains a professional one. When faced with such a request, offer a polite refusal and a brief explanation as to why accepting would be inappropriate. Where a patient displays inappropriate or sexualised behaviour, either through actions or words, the doctor/dentist should, where possible, treat them politely and considerately and try to re-establish a professional boundary.
Q A patient who is taking methadone to treat a heroin addiction has started a new job. He says the position requires a clean driving licence and has asked his GP not to inform the DVLA of his medical issues. He also claims not to have been driving recently. However, the GP has just discovered the patient has been using heroin in addition to methadone and that he has driven to his latest practice appointment. The GP is unsure how to proceed.
A Where a patient suffers from a medical condition that affects their fitness to drive, they are legally responsible for informing the DVLA. However, if a patient refuses and continues to drive, the GMC advises doctors to make every reasonable effort to persuade them to stop. First, consider raising your concerns with the patient in writing and advise him that he must stop driving or you will inform the DVLA. Should the patient continue to drive, inform the DVLA promptly and tell the patient you have done so. Doctors can breach confidentiality without patient consent if it is in the public interest, i.e. if a patient poses a risk to other road users. In this case, it might be useful to seek the advice of an experienced colleague or speak in confidence to the DVLA’s medical adviser.
DISCLOSURE OF HOSPITAL LETTERS
Q A practice has received a DWP request for a report on a patient who has made a claim for benefit. A paragraph in the request states: “Please include in your report any relevant information contained in letters or reports from hospitals or consultants. If you think that it is essential to send us originals or copies of any letters from consultants, please obtain the author’s consent beforehand. You should also confirm in a covering note that they have agreed to the correspondence being used in connection with this claim”. The practice is unfamiliar with such a request and is concerned about data protection.
A There is no requirement to treat hospital doctors as third parties when responding to subject access requests under the Data Protection Act and therefore no need for consent of the author of a letter for disclosure as it forms part of the patient records. But this is not strictly speaking a subject access request from a patient or representative. The practice may wish to simply summarise the contents of any letters that are relevant to avoid the need to contact the authors, or perhaps name the authors as the source of the information so that the DWP can approach them directly. But if a decision is made to include a copy letter or report from the hospital then it would be advisable to comply with the direction from the DWP on the author’s consent.