Membership information 1800 932 916
Medicolegal advice 1800 936 077

Confidentiality: case law update

08 January 2019
Medical Protection’s expert consultants frequently deal with queries about patient confidentiality. Dr James Lucas, medicolegal consultant and editor-in-chief of Practice Matters, explains the implications of a recent High Court judgment in Ireland

Confidentiality is central to the trust between patients and healthcare practitioners. If the therapeutic relationship is to be successful, patients must be confident that intimate details about their health and personal relationships go no further than the consultation room. The need for a confidential medical service is recognised as a public good. The duty to maintain patient confidentiality is rooted in medical ethics, in common law and in law relating to contracts. The General Data Protection Regulation (GDPR) also imposes obligations in terms of the lawful processing of personal data.

But the duty is not absolute. Disclosure of confidential medical information may be required by law, for example, when ordered by a judge in the context of civil litigation, criminal or family proceedings. In rare cases, where patient consent has not been obtained, or where a patient has refused consent, disclosure may be justified in the public interest, to protect others (for example, from the risk of death).

In a recent case involving a patient with HIV infection, the courts in Ireland considered, for the first time, the concept of disclosure of a patient’s medical information, against his wishes, to prevent serious harm to another person.1

The facts in brief

‘A’ was a 17-year-old male, in the statutory care of the Child and Family Agency (CFA). Described by the Court as an intelligent and capable person, there was evidence he had significant behavioural issues in the past. The genesis of the case was A’s relationship with ‘B’, a 17-year-old female, in circumstances where A had been diagnosed with HIV infection at birth. B was one of A’s closest friends, but A denied that she was his girlfriend and he also denied that they had ever had sexual intercourse. The CFA was of the view that despite A’s denials, B was having a sexual relationship with A. The CFA was also of the view that A was not using condoms.

The CFA sought a declaration from the High Court that it was entitled lawfully to disclose the fact of A’s HIV condition and status to B in order to afford her the opportunity of availing of such medical and healthcare testing, treatment and counselling as may be indicated, notwithstanding A’s refusal to consent to such disclosure.

The court’s analysis

The Judge considered in detail the circumstances of the relationship between A and B, failure by A to take his antiretroviral drugs, use of condoms by A, expert medical evidence on the risk of B contracting HIV and medical evidence regarding the effect of disclosure on A.

In relation to the factual dispute, the Court had little hesitation in finding that there was a possibility that A was having sexual intercourse with B, but it concluded that the CFA had not proven, on the balance of probabilities, that there was such a relationship. The Court indicated that even if this analysis was incorrect and A was having sexual intercourse with B, A would not put B at risk by having unprotected sex with her. Hence, the Court concluded that there was no basis for the breach of patient confidentiality.

Broader issues

It was made clear in the judgment that the key legal issue in this case – whether medical confidentiality could be breached to prevent harm occurring to a third party – arises irrespective of the ages of the individuals involved and would apply equally to adults. Additionally, the fact that it was the CFA seeking to breach patient confidentiality was not significant and the scenario could just as easily involve a doctor who had the same information. The broader issue behind the question in this particular case was encapsulated as follows: in what circumstances can a doctor breach his or her duty of confidentiality because of the risk of harm to a third party?

(i) The legal test

The Court determined that the appropriate test to apply to ascertain whether patient confidentiality should be breached is whether “on the balance of probabilities, the failure to breach patient confidentiality creates a significant risk of death or very serious harm to an innocent third party”.

In considering whether the disclosure threshold had been crossed in this particular case, regard was to be had to the balancing of interests, namely between the interest of A whose privacy was at stake, the interest of B who was potentially at risk of harm, and the public interest in ensuring that the public at large has the confidence to disclose the most private details about their health and private lives to doctors.

(ii) HIV infection

The Court determined that the contracting of HIV, although a significant condition, is no longer a terminal one, but rather a chronic and lifelong condition that can be managed. Accordingly, HIV infection is not a ‘very serious harm’ to justify a breach of patient confidentiality. In addition, there is not, in the view of the Court, a ‘significant risk’ of that harm (because the risk of contracting HIV through sexual intercourse is extremely low and can be further reduced through the use of condoms).

(iii) Societal issues

The Court observed that the proceedings in this case were supported by well-intentioned doctors who had the interests of B at heart. However, if the Court granted an order giving medical professionals the right to breach patient confidentiality where a patient has a sexually transmissible disease, that right would necessarily carry with it a responsibility for medical professionals in the future. It would mean that medical professionals could decide, in cases of sexually transmissible disease, whether a sexual partner of the patient needed to be notified of the harm to which he or she was exposed. With this responsibility could come liability for those medical professionals who failed to breach patient confidentiality, where that failure leads to harm to a third party. 

The Court held that there was a public interest in patients remaining open and frank with their doctors. If the order in this case had been granted, it would operate as a disincentive to those with sexually transmissible diseases from seeking medical advice. Such persons would perceive that there would be a risk that their doctor would disclose this fact to their alleged sexual partners (if the patient refused to do so). The Court concluded that this would be detrimental to society as a whole since it could lead to patients with communicable diseases failing to seek medical advice, which could result in those diseases not being treated and becoming more prevalent in the community.


Where there is a significant risk of death to a member or members of the public, a healthcare professional would not only be entitled to breach confidentiality, but it seems clear that he or she would have a duty to act to try to prevent innocent deaths. Where the risk falls short of the risk of death but still involves a significant risk of very serious harm, the public interest in protecting others takes precedence over the interest of a patient in keeping medical information confidential. It also takes precedence over the public expectation that doctors keep patients’ medical information confidential. However, in the case of A and B, the test had not been met and it would not therefore be lawful to breach A’s confidentiality.

The judgment underscores the importance of patient confidentiality, which must be observed save in the most exceptional of circumstances.

Tips for practice

• Disclosures in the public interest can be ethically challenging. Adopt a low threshold for consulting your medical defence organisation.
• Ensure that a clear record explaining the decision is made in the patient’s records (including in those cases where there is a decision to maintain confidentiality).
• When disclosing information in the public interest, you should normally inform the patient about the disclosure.
• Any disclosures that are made should be to an appropriate person or body, and include only the information needed to meet the purpose.2

1.  The Child and Family Agency v A.A. & Anor [2018] IEHC 112.
2. Medical Council. Paragraph 31.3. Guide to Professional Conduct & Ethics for Registered Medical Practitioners.  8th Edition, 2016.