Membership information 1800 509 441
Medicolegal advice +44 113 241 0200

Confidentiality of records

Confidentiality may seem a very straightforward principle, but translating principle into practice can be problematic. There are all sorts of situations where it is difficult to know if patient information should be shared or not – with the gardai, for example, or social workers.

Confidentiality is usually referred to as an ethical issue. It is, but it is also a legal principle.

  • Healthcare workers are usually bound by a confidentiality clause in their contracts.
  • There is a common-law duty to preserve professional confidence.
  • There are requirements under the Data Protection Act to keep personal data, including medical records, secure.
  • It is a condition of registration to abide by Medical Council guidance, which includes a requirement to respect patient confidentiality.
The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely
The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely. Confidential records should not be left where other people may have casual access to them and information about patients should be sent under private and confidential cover, with appropriate measures to ensure that it does not go astray.

Box 5: Informing patients

A woman complained to the Data Protection Commissioner after she received a letter from researchers asking her some questions about her attendance at the A&E department of a public hospital some months earlier. She had not been told at the hospital that her personal information would be used in this way, but the researchers evidently knew the reason for her visit to A&E.

The hospital argued that it had met its obligations under the DPA by placing a notice about the research in the waiting area of the A&E department. The Commissioner did not agree, however.

He pointed out that A&E patients are likely to have their minds on other things and are therefore unlikely “to be alert to matters not relating directly to their condition. In such circumstances there is a special need for the data controller to satisfy itself that any uses of the data which are unlikely to be anticipated by the data subject are fully explained”.

The hospital should, therefore have brought its intentions to the specific attention of the patient so that she could make an informed choice.

Data Protection Commissioner, Case Study 1/97

The hospital argued that it had met its obligations under the DPA by placing a notice about the research in the waiting area of the A&E department. The Commissioner did not agree, however
Patients should be informed about the kind of information being held about them, how and why it might be shared, and with whom it might be shared. Patient information leaflets are a convenient way of notifying patients about this, but they are not sufficient in themselves. Bear in mind that few patients will bother to read the leaflets, and some may not be able to read them.
It is especially important to inform patients – and to let them know that they have the right to withhold consent – if you intend to use their personal information for purposes other than their immediate care, or to share it with non-medical agents such as social workers. (See Box 5.) Confidentiality is not an absolute principle, and there are circumstances where it is permissible to disclose a patient’s medical records to a third party.
Patient information leaflets are a convenient way of notifying patients about this, but they are not sufficient in themselves

Disclosure with patient consent

The first and most obvious exception is disclosure with the patient’s consent. Insurance companies, employers and people involved in legal proceedings frequently request information about patients. Any disclosure must be with, and limited to, the authority provided by the patient. If this is not forthcoming, no information may be provided.

Disclosure without patient consent

Information can be disclosed without a patient’s consent in two instances – if the disclosure is required by law or if the disclosure is in the public interest. This is the case whether the patient has explicitly refused consent or is incapable of giving consent.

Solicitors

Solicitors often ask for medical information. If the solicitor is acting for the patient, then before disclosing confidential information MPS recommends that a valid signed and dated mandate is provided.

Members of the clinical team

Patient care is usually team based and access to patient information is crucial for patient safety and continuity of care. Most patients are aware that information about them needs to be shared among the healthcare professionals delivering care, but they may not know that they have a right to ask for certain information to be withheld. They should be informed of this (via leaflets, notices and verbally) and, if they ask for information about them to be kept confidential, this should be respected. The only exception is if withholding information from staff would place others at risk of death or serious harm.

If patients ask for information about them to be kept confidential, this should be respected
The sharing of information within the team should be on a need-to-know basis, depending on the role the member of staff has in the patient’s care. See paras 30.1 and 30.2 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners.

Court orders

Doctors should comply with a court or tribunal’s order to disclose health records. Even if they have concerns about disclosing the records, they should still comply with the order and attach a covering letter to the judge describing their concerns. Generally, compliance with a court order should be considered mandatory, but in exceptional circumstances, if you have concerns, it may be appropriate to seek advice from MPS. The mere threat of a court order is not sufficient authority to disclose.

Case 4

Following a middle-aged man’s sudden death, his insurance company sought information from his GP, relying on a declaration giving authority during the patient’s lifetime for his medical details to be divulged.

The GP was not satisfied with this, and asked the insurance company to obtain consent from the executors to the estate.

The insurance company renewed its request, this time with consent from the executors, but the GP felt undecided about how much information to include in her report.

The medical record contained information about the patient’s childhood experiences of sexual abuse, and she was sure that he would not have wanted even a mention of these painful memories to be exposed to strangers.

After talking it over with a medicolegal adviser at MPS, she decided that her first duty was to respect the confidentiality of the deceased and, as this particular aspect of his medical record had no bearing on the nature of the patient’s death, she omitted it from her report to the insurance company.

Her first duty was to respect the confidentiality of the deceased and, as this particular aspect of his medical record had no bearing on the nature of the patient’s death, she omitted it from her report

Child protection

In any case involving the welfare of a child, the child’s best interests are paramount. This may require disclosure of some content of the medical record – or details from it – to a social worker and/or the gardai. As a matter of good practice, you should always explain to the parents that you have a duty to refer your concerns to non-medical professionals and, where possible, obtain their consent to disclosure, except in rare circumstances, where to do so would put the child at increased risk.

In any case involving the welfare of a child, the child’s best interests are paramount

Where allowing access might be permissible

Situations can arise in which it is justifiable to disclose a patient’s medical records to a person other than the patient. In some cases, you might have a statutory duty to share certain information – such as reporting notifiable diseases, reports to the cancer registry, etc – but in these cases it is unlikely that you will also need to provide access to the medical records themselves. There are other circumstances, however, where you might need to allow access to part or the whole of a patient’s medical records.

Each situation must be assessed individually to determine whether disclosure is appropriate in the circumstances, with the best interests of the patient as a prime consideration in all decision making. It is essential that the reasons behind any decision to provide a third party with access to a patient’s records be comprehensively documented.

See paras 6 and 7 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners.

Relatives

The only relatives who have a right to request access to a patient’s records are those with parental responsibility for a minor under the age of 18. If, however, the minor concerned is sufficiently mature to understand the implications, his or her consent should be obtained before allowing access.

The only relatives who have a right to request access to a patient’s records are those with parental responsibility for a minor under the age of 18
If the patient lacks capacity to consent to disclosure of his or her medical records, and those records are held by a public body, a family member may apply for access under the Freedom of Information Act. Records held by a private organisation should only be disclosed if the holder of the records is satisfied that it would be in the patient’s interests to do so – to a solicitor, for example, where the patient’s family is pursuing a personal injury claim on his or her behalf – or to comply with a court order.

If a patient has died, the rule of confidentiality still stands, but if the records relate to publicly funded care, certain categories of people, including next of kin, can apply for access to the medical records under the Freedom of Information Act. If the medical records are held by a private organisation, the medical records should only be disclosed with the consent of the next of kin or the executors of the deceased’s estate (see Box 7).

See paras 26.1 and 26.2 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners.

Box 7: Next of kin

According to the Succession Act 1965, a person’s next of kin is determined in the following order:

  • Spouse
  • Child or children
  • Parents or surviving parent
  • Brothers and sisters
  • Nephews and nieces.

The gardai

In general, the gardai have no more right of access to confidential information than anybody else, except in the following circumstances:

  • The patient has given consent to the release of information.
  • In compliance with a court order.
  • The public interest in disclosing information outweighs the public interest in preserving patient confidentiality.

Public interest justification to breach confidentiality

The public interest justification for disclosure usually turns on the threat of serious harm to others. Section 8 of the Data Protection Act lists a number of exceptions to the rules applying to data processing. This includes information held in a personal record that is “required for the purpose of preventing, detecting or investigating offences or prosecuting offenders” or “to prevent injury or other damage to the health of a person or serious loss of or damage to property”.

The legislation does not elaborate on the seriousness of the offences or threats concerned, however. For doctors – who have a professional duty to protect the confidentiality of their patients – it would not be ethical to comply with any request for disclosure of sensitive personal information unless withholding the information would potentially have profound adverse consequences.

Guidance published by the Information Commissioner might be of assistance here (see Box 8); it sets out the considerations that public bodies should take into account when deciding whether to withhold or disclose sensitive medical information under the Freedom of Information Act.

For doctors – who have a professional duty to protect the confidentiality of their patients – it would not be ethical to comply with any request for disclosure of sensitive personal information unless withholding the information would potentially have profound adverse consequences

Box 8: Sensitive medical information

“Particular procedures must be followed in respect of medical information where the head of the body is of the opinion that its disclosure to the person concerned may be prejudicial to his or her health or emotional well-being. In these circumstances, if requested to do so by the person concerned, the public body shall instead release the record to an appropriate health professional nominated by the requester.

“The head has discretion to consider release of personal information to a third party only in exceptional circumstances where, on balance, he or she is of the opinion that the public interest in disclosure outweighs the right to privacy of the individual concerned, or where release of the information would benefit the individual.”

Information Commissioner, Short Guide to the FOI Acts, p. 21

Publishing case reports, photographs and recordings

The head has discretion to consider release of personal information to a third party only in exceptional circumstances

The patient’s consent is also required before individual case histories, photographs or recordings can be published in media that the public has access to, even if they have been anonymised.

The Medical Council also recommends obtaining patients’ express consent before using their case histories or photographs for education and training. (See Box 9.)

Box 9: Taking visual images for teaching

“Audio, visual or photographic recordings of a patient, or a relative of a patient, in which that person is identifiable should only be undertaken with their express consent. These recordings should be kept confidential as part of the patient’s record.”

Medical Council, Guide to Professional Conduct and Ethics for Registered Medical Practitioners, para 32.1