Respect for patient confidentiality

Confidentiality is usually thought of as an ethical issue. It is, but it is also a legal obligation:

  • Employed healthcare workers are usually bound by a confidentiality clause in their contracts.
  • There is a common-law duty to preserve professional confidence.
  • The Constitution guarantees citizens the right to privacy, including the right not to have the privacy of their communications infringed.7
  • Rule 13 of the Council’s Ethical Guide states that practitioners may only divulge confidential information without the patient’s consent when specific circumstances apply.
  • The National Health Act makes it an offence to divulge information about health service users without the user’s consent. The only permissible exceptions are when the law or a court order requires disclosure, or if non-disclosure would represent a serious threat to public health.8

The obligation of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that all records containing patient information are kept securely.

Confidential records should not be left where other people may have casual access to them and information about patients should be sent under private and confidential cover, with appropriate measures to ensure that it does not go astray.

Patients should be informed about the kind of information being held about them, how and why it might be shared, and with whom it might be shared.

Patient information leaflets are a convenient way of notifying patients about this, but they are not sufficient in themselves. Bear in mind that few patients will bother to read the leaflets, and some may not be able to read them.

It is especially important to inform patients – and to let them know that they have the right to withhold consent – if you intend to use their personal information for purposes other than their immediate care, or to share it with non-medical agents such as welfare workers.

In addition, be especially cautious about sharing information governed by specific regulations outlined in Box 7.

Box 7: Legislation stipulating confidentiality requirements for certain types of medical information

Choice on Termination of Pregnancy Act, 92 of 1996, section 7.

Records of termination of pregnancy must be made by the practitioner and the person in charge of the facility. The person in charge of the facility must notify the Director-General within one month of the termination, but the information should be de-identified. “The identity of a woman who has requested or obtained a termination of pregnancy shall remain confidential at all times unless she herself chooses to disclose that information.”

Children’s Act, 28 of 2005, sections 12, 13, 133 and 134

“Every child has the right to confidentiality regarding his or her health status and the health status of a parent, care-giver or family member, except when maintaining such confidentiality is not in the best interests of the child.”

In addition, the Act specifies that information about a child’s virginity, HIV status and contraceptive use should not be divulged without the child’s consent.

In the case of HIV status, the exception is if the child is below the age of 12 and lacks the maturity to understand the implications, in which case the parent or care-giver, a child protection organisation or the person in charge of a hospital may consent to disclosure on his or her behalf.

Confidentiality is not an absolute obligation – there are circumstances in which disclosure is permissible or even mandatory (see Box 8).

Box 8: Circumstances in which disclosure is either permissible or mandatory

  • To meet the terms of a statutory provision (e.g. notification of a communicable disease)
  • To comply with a court order
  • In the public interest (which includes, but is not limited to, “situations where the patient or other persons would be prone to harm as a result of risk-related contact”.)
  • With the patient’s consent.
  • With the written consent of a parent or guardian of a minor under the age of 12 years
  • With the written consent of the next of kin or the executor of the estate of a deceased patient.

Source: HPCSA, Confidentiality: Protecting and Providing Information (2007) para 3.2

Professional ethics

Confidentiality is considered to be central to the trust between doctors and patients and doctors are held responsible by their professional bodies for protecting personal information that patients share with them.

An unjustifiable breach of confidentiality is taken very seriously by the Council; its booklet, Confidentiality: Protecting and Providing Information (2007), sets out detailed guidance on the circumstances in which patient information may be disclosed to third parties. The principles that should be applied are listed in Box 9.

Box 9: Principles of confidentiality

  1. Patients have a right to expect that information about them will be held in confidence by health care practitioners. Confidentiality is central to trust between practitioners and patients. Without assurances about confidentiality, patients may be reluctant to give practitioners the information they need in order to provide good care.
  2. Where health care practitioners are asked to provide information about patients, they should:
    1. Seek the consent of patients to disclosure of information wherever possible, whether or not the patients can be identified from the disclosure; Comprehensive information must be made available to patients with regard to the potential for a breach of confidentiality with ICD10 coding.
    2. Anonymise data where unidentifiable data will serve the purpose;
    3. Keep disclosures to the minimum necessary.
  3. Health care practitioners must always be prepared to justify their decisions in accordance with these guidelines.

HPCSA, Confidentiality: Protecting and Providing Information (2007), para 4.

Tips to avoid confidentiality breaches

  • Do not leave case notes lying around in publicly accessible areas.
  • Resist the temptation to look up patients’ records out of idle interest (eg, because you know the patient personally, or the patient is a celebrity). If you are not involved in the patient’s care you have no more right than any other member of the public to access their records.
  • Do not use information contained in the medical records for purposes other than patient care, unless consent has been obtained or the data anonymised.
  • For research or audit, anonymise information about patients in such a way that they cannot be identified. If this isn’t possible, obtain the patient’s consent.
  • If you write identifiable information about patients on scraps of paper, post-it notes or in a notepad, keep track of them – don’t leave them lying around in your car or in your pockets, etc. When you’ve finished with them, dispose of them securely.
  • Follow the hospital’s policies on safe storage of records and their removal from the premises.
  • If you download patient information onto a memory stick or flash drive, make sure it’s encrypted and that the files are password protected. Keep the memory stick in a secure place.
  • Change your computer password regularly, keep it secret, never let anyone log onto the system in your name, and never borrow someone else’s ID to log on.
  • If you are faxing confidential patient information, call the recipient first to check that you have the right number and to tell them the fax is on the way. Ask them to notify you if it doesn’t arrive. You might also consider using a cover sheet warning the recipient that the contents of the fax are confidential.
  • Be aware that emails are not secure, so take care not to include identifiable information about patients in emails unless you are confident that the emails are being adequately encrypted.
  • Even letters can go astray, so they should be marked “Confidential” on the envelope and care must be taken to ensure that the correct address is used (see Box 10). Consider using registered post for highly confidential letters.