Confidentiality - General principles
Confidentiality is at the centre of maintaining trust between patients and doctors.
As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
General principles
Data relating to an identifiable individual should be held securely. The Privacy Commissioner for Personal Data is responsible for the enforcement of the Personal Data (Privacy) Ordinance (Cap 486), which says: “All practicable steps shall be taken to ensure that personal data… held by a data user are protected against unauthorized or accidental access, processing, erasure or other use.”
The information held should be kept only as long as necessary for the purpose of providing healthcare. In addition, s.1.1.3 of the Medical Council of Hong Kong’s Code of Professional Conduct (January 2009) – or the Code – says: “All doctors have the responsibility to maintain systematic, true, adequate, clear and contemporaneous medical records.”
Transfer of medical records
According to s.1.3.1 of the Code, it is the responsibility of any doctor who is intending to cease practising medicine to ensure that patients’ medical records are appropriately handled and preserved.
The medical record – or a copy of it – may be given to the patient, if appropriate, or it could be transferred to another doctor who is sufficiently competent to treat the patient. To notify the patient of this change, s.1.3.2 of the Code says:
“The patients should be informed of the change of circumstances and the arrangements that have been made in respect of their medical records by reasonable means including:
(a) notifying each patient individually, either verbally or in writing;
(b) publishing a public announcement in the newspapers; or
(c) displaying prominent notices in the practice premises.”
The doctor in receipt of the medical records is responsible for informing the patient of the transfer – either if the patient enquires or when the patient attends the practice. The patient must then also give consent to the doctor taking custody of the records.
Disclosure
When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.
Consent to disclose
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express, eg, most patients understand that information about their health needs to be shared within the healthcare team providing care, and so implied consent is adequate in this circumstance. Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In accordance with the Personal Data (Privacy) Ordinance, a data holder has 40 days to comply with a patient’s requests to disclose medical records. If there is a delay with this, there will need to be a good reason. When charging a fee for supplying copies of records, you must set fees at a reasonable level.
Valid consent
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.
Disclosure without consent
In some circumstances, you are obliged to disclose information to comply with the law or to prevent serious harm to the patient or others. In such cases, you should disclose the information – even if you do not have the patient’s consent. But s.1.4.3 of the Code warns that before doing so, you must carefully consider the arguments for and against the disclosure and be able to justify your decision.
Patients lacking capacity
Common law assumes that adults have the mental capacity to make a specific decision at a particular time, unless they have an impairment affecting their mind. Under part IVC of the Mental Health Ordinance, you have the power to administer urgent or non-urgent treatment to a mentally incapacitated person without their consent – provided the patient does not understand the nature and effects of the treatment.
When it comes to making a decision regarding disclosing confidential information, you must act in the patient’s best interests. You should also consider the views of anyone the patient asks you to consult, or who has legal authority to make a decision on their behalf.
For more information on disclosures without consent, see the MPS factsheet Confidentiality: Disclosures without Consent.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wished that specific information should remain confidential after their death, or if the patient has asked, you should usually respect that wish.
The “personal representative” of the patient (usually an executor of the will, or an administrator if there is no will) can apply for access to the relevant part of a patient’s medical records (excepting harmful or third party information), as can someone who has a claim arising out of the patient’s death (eg, for a life assurance claim), or a claim in negligence.
Further information
- Medical Council of Hong Kong, Code of Professional Conduct (Part 2A, pages 10-14)
- The Privacy Commissioner for Personal Data, Personal Data (Privacy) Ordinance (Cap 486)
- Hong Kong Medical Association, Patients’ Rights and Responsibilities
- Mental Health Ordinance