Advice correct as of August 2019
Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential. This factsheet sets out the basic principles of confidentiality.
Data relating to an identifiable individual should be held securely, in accordance with the Data Protection Act 2018 (see the Medical Protection factsheet on the General Data Protection Regulations) and the Medical Council’s guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. Your duty of confidentiality relates to all information you hold about your patients, including demographic data, the dates and times of any appointments your patients may have made, and the fact that an individual may be a patient of yours or registered with your practice.
When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express – for instance, most patients understand that information about their health needs to be shared within the healthcare team providing care. Implied consent is adequate in this circumstance and express consent does not need to be sought.
For the purpose of clinical audit the patient’s details should be anonymised. Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this.
When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what exact data will be disclosed, and to whom.
Disclosures required by law
The Medical Council states in paragraph 31.2 of their Guide to Professional Conduct and Ethics for Registered Medical Practitioners that in certain limited circumstances, disclosure of patient information is required by law. These circumstances are not limited to but may include:
- When ordered by a judge in a court of law, or by a tribunal or body established by an Act of the Oireachtas
- Where required by infectious disease regulations
- Where you know or have reasonable grounds for believing that a crime involving sexual assault or other violence has been committed against a child or other vulnerable person.
In these instances, you should inform patients of the disclosure, unless it would cause them serious harm, or undermine the purpose of the disclosure.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent.
The Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states in paragraph 31.3 that disclosure of patient information without their consent may be justifiable in exceptional circumstances when it is necessary to protect the patient, other identifiable people, or the community more widely:
“Before making a disclosure in the public interest, you must satisfy yourself that the possible harm the disclosure may cause the patient is outweighed by the benefits that are likely to arise for the patient or for others. You should disclose the information to an appropriate person or authority, and include only the information needed to meet the purpose.”
Solicitor, Gardai or third party request for records
Solicitors often ask for medical information. If the solicitor is acting for the patient, then before disclosing confidential information Medical Protection recommends that a valid signed and dated Form of Authority is provided.
Children and young people under 18 years
Section 11.2 of the ICGP/National GpiT Group, A Guide to Data Protection Legislation for Irish General Practice (2011) states that if a young person is 16 years or older, he or she can exercise the right of access to personal information established under the Data Protection Acts, independently of a parent or guardian. He or she would also be considered to have the right to refuse access to their medical record by a parent or guardian. However, it should be made clear that you cannot give an absolute guarantee of confidentiality, as set out in paragraph 18.8 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners:
“Children and young people have a right to confidential medical treatment set out in paragraph 29. However, parents and guardians also have a legal right to access medical records of their children until they are 18. You should tell children and young people that you cannot give an absolute guarantee of confidentiality.”
For children under 16, you should exercise professional judgment on a case by case basis, on whether the entitlement to access should be exercisable by the individual alone, a parent or guardian alone, or both jointly. Your decision should be influenced by the maturity of the young person and his or her best interests.
If a child is a private patient and their parent(s) apply for a copy of their medical records, this would be considered under the Data Protection Acts.
For public patients, a copy of the records could be applied for under the Data Protection Acts, or the Freedom of Information Acts.
Patients lacking capacity
Adults are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.
If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information. Consider the patient’s past or present wishes, if known.
If the patient has given someone legal authority to act as an attorney and make decisions on their behalf, they can take the decision about disclosure on behalf of the patient and should be consulted.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. However, if you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish.
Requests for medical information concerning a deceased person are often made by family members. Care must be taken never to disclose anything the deceased would have wished to keep private. You should also avoid making disclosures which would compromise the confidentiality of a third party.
If a family member asks for the records of a deceased patient who held a Medical Card, they are entitled to apply to the HSE for disclosure under the Freedom of Information Acts. In conjunction with the HSE’s consideration on whether or not to disclose the deceased’s medical records it is likely that you will be asked for your comments and observations since you have the benefit of familiarity with the patient and their background, unlike the FOI decision maker.
If the patient was treated privately, the patient’s records would not be accessible under the Freedom of Information Acts (applies to public patients only) or the Data Protection Acts (only applies to living individuals). The question of whether and to what extent the records can be disclosed should be considered in accordance with your ethical duty of confidentiality which endures after death. This duty is encapsulated in paragraph 32.1 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners
, which states the following:
“Patient information remains confidential even after death. If it is unclear whether the patient consented to the disclosure of information after their death, you should consider how the disclosure might benefit or cause distress to the deceased’s family or carers. You should also consider the effect of the disclosure on the reputation of the deceased and the purpose of the disclosure.”
It would be prudent to ensure that disclosure of confidential medical information about a deceased private patient should only be done at the request, or with the consent of the deceased’s personal representative. This should be obtained in writing.
We would also strongly recommend that you make a written record of what you decide in respect of the disclosure and why, so that later, if issues are taken with the disclosure, you have evidence to establish that you complied with the ethical guidance.