Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
Any profession that deals with people’s sensitive personal information is bound by the same expectations of confidentiality and healthcare is no different. However, your duty of confidentiality relates not only to sensitive health information but to all information you hold about your patients.
The National Health Act (no. 61 of 2003) declares that this information must not be given to others, unless the patient consents or if you can justify the disclosure. This includes demographic data and the dates and times of any appointments your patients may have made, or consultations they may have attended. The fact that an individual may be a patient of yours or registered with your practice is also confidential.
You are only permitted to reveal confidential information about a patient in certain circumstances – the most obvious of which is with the permission of the patient in question, assuming that they have sufficient capacity to consent to this. According to the HPCSA, the other appropriate scenarios are:
- In the terms of a Statutory provision
- At the instruction of a court
- When it is in the public interest
- With the written consent of a parent or guardian of a minor under the age of 12 years
- In the case of a deceased patient with the written consent of the next of kin or the executor of the deceased’s estate.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. There are a variety of reasons for which personal medical information may be requested: education, research, monitoring and epidemiology, public health surveillance, clinical audit, administration and planning, insurance and employment.
The patient’s consent to release this information may be implied or express. Implied consent can be deemed sufficient in instances such as you dictating a referral letter to your medical secretary. However, in the case where you will be sharing a patient’s personal information among your healthcare team, it is wise to check that the patient is aware of this. This is not necessary if the patient has already expressly consented to the particular treatment.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom. For more on how and when to take consent, see the MPS factsheet series on Consent.
Disclosure required by law
In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and reason for it.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.
Such circumstances usually arise where there is a risk of death or serious harm to the patient or others, which may be reduced by disclosure of appropriate information. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime.
For more on disclosures without consent, see the MPS factsheet Confidentiality – Disclosures Without Consent.
Patients lacking capacity
You may consider a patient to be immature, too ill or lacking in mental capacity to give valid consent, yet they could request that information not be disclosed to a third party. Under the terms of the National Health Act, if no person has been legally appointed to give consent on a patient’s behalf, then the following order of preference for obtaining consent should be followed: a spouse or partner, parent, grandparent, adult child or adult brother or sister.
Where none of the above persons exist, then you may approach the High Court for relief. In emergency situations in state hospitals, the Medical Superintendent may give advice.
Children and young people under 18 years
If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. However, the rules previously mentioned regarding immaturity apply. If you believe the child to be a victim of physical, sexual or emotional abuse, yet they are incapable of giving consent, you must pass their information on to an appropriate responsible person or statutory agency. This is where the disclosure can be given without consent, in the patient’s best interests.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish.
The “personal representative” of the patient (usually an executor of the will) can apply for access to the relevant part of a patient’s medical records, as can someone who has a claim arising out of the patient’s death, eg. For a life assurance claim. Always seek advice when considering such a request.
For more on this, see the MPS factsheet Confidentiality: Disclosures Relating to Patients Unable to Consent.