Protecting patient confidentiality

Post date: 08/11/2017 | Time to read article: 5 mins

The information within this article was correct at the time of publishing. Last updated 14/11/2018

Written by a Senior Professional

Confidentiality is one of the most common risk factors in general practice. Kirsty Plowman looks at how a Medical Protection interactive risk management training session on confidentiality can help members lower their risk.

Confidentiality is the cornerstone of good medical practice and is central to the trust between doctors and patients. However, our data shows that it is also the most common risk area for practices. In 2015 Medical Protection undertook 108 Clinical Risk Self Assessments (CRSAs) in general practices, of which 98% had risks relating to confidentiality.

Our in-house practice training session, The Importance of Maintaining Patient Confidentiality, is designed for all members of the primary care team to assess risk management concerns and understand how they can work together to improve confidentiality. Each interactive session lasts between one and one-and-a-half hours and can be delivered in your protected time. Last year we delivered 428 talks in GP practices during protected learning time across the whole of the UK.

The workshop, led by a trained facilitator, explains the importance of confidentiality, defines the responsibilities of staff, increases awareness of current government policies relating to confidentiality, enables a practice team to identify where a potential breach of confidentiality could occur and explores ways to reduce these risks. A practical exercise also gives staff the opportunity to work together as a team to review and discuss real-life case studies related to confidentiality.

The importance of confidentiality

Patients disclose private and confidential information to doctors so that they can be treated and advised appropriately – if confidentiality is breached, patients will be reluctant to divulge information and therefore treatment may be affected. Additionally, breaches of confidentiality have legal implications and therefore practices have a legal obligation to maintain it. 

What is confidential information?

  • Medical records
  • Current illness or condition
  • Ongoing treatment
  • Personal details: name, address, age, marital status, sexuality, race
  • Record of appointments
  • Audio/visual recordings
  • The fact that the patient is your patient!

Staff accountability

The workshop identifies how each staff member at the practice is accountable for their actions and which policies outline their responsibilities.

GPs could find themselves in difficulties with the GMC if they breach confidentiality. They are also responsible for the actions of all practice staff – through vicarious liability – if staff breach confidentiality. Nurses are accountable under guidelines set out by the NMC if they breach confidentiality, and the NHS Code of Practice (November 2003) covers all healthcare workers. The training session also highlights additional policies relating to confidentiality. CQC regulations describe the fundamental standards of quality and safety that people who use healthcare services have a right to expect. In addition, the Caldicott report produced by the Department of Health in 1997 protects patient identifiable information.

Where potential breaches of confidentiality could occur

  • Waiting rooms and reception areas
  • Consulting rooms
    • Patient identifiable information
    • Computers
  • Staff confidentiality statements
  • Post-employment
  • Use of social networking sites
  • Staff training
  • Faxes
  • Photocopier
  • Telephone
  • Texts
  • Visitors
  • Staff ID
  • Computer
  • Back up tapes
  • Privacy
  • Security
  • Passwords
  • Emails
  • Internet

Ways to reduce risks of breaching confidentiality

In 2015, 72% of the practices that we visited as part of the CRSA programme had issues relating to patients being able to overhear conversations at the reception desk, which could of course lead to a breach of confidentiality.

The workshop offers practical solutions to some of these concerns that a practice could have. For example, in relation to the risks associated with potential breaches of confidentiality at the reception desk, some considerations could be: 

  • Looking at the layout at reception
  • Repositioning the computer screen or providing privacy screens for the monitors
  • Discouraging sensitive telephone conversations at the front desk; if a patient wishes to speak about a confidential matter, use an area away from the public
  • Repositioning the layout of chairs in reception
  • Considering whether a television might act as a distraction; of course, practices would need to ensure that they have a suitable licence in place
  • Considering the introduction of a queuing system

Real-life scenarios

During the workshop, the practice team have the opportunity to discuss real-life cases relating to confidentiality, using the information from the session to form a critical analysis of each case. How would you respond in the following scenarios?

Case one

While parking outside the practice, a patient bumps into and damages the car of a second patient. On finding the damage later, the second patient asks for the names of those individuals who had appointments before hers that morning. Can you provide the patient with the list?

No – the duty of confidentiality prevents you from releasing a ‘blanket list’ of names. It is for the aggrieved patient and/or the police to pursue their own enquiries without the help of the practice staff.

If the accident occurred in a practice car park with video surveillance, you may wish to let the patient and/or the police know that there is a video tape, and they could either seek a Court Order or rely on their powers of seizure of evidence, which are set out at Section 19 of the Police and Criminal Evidence Act (1984).

CCTV systems are now covered by the Data Protection Act (1998) – there has to be a code of practice and a compliance officer and an annual audit to ensure that the installation continues to meet the needs for which it was registered with the Commissioner of Information. The code of practice should include the ‘management and use of video tapes’.

The GMC publication Confidentiality (2009) gives detailed advice on the issue of disclosure in the public interest. In essence, before disclosing personal information, doctors must weigh the harm that may arise from non-disclosure against the harm caused by breaching confidentiality. Ultimately, each decision must be made on its own merits, but it is likely that the balance would only tip in the direction of disclosing the sort of information police may be seeking in relation to much more serious crimes, such as murder or child abuse. Where a decision is made to disclose information in the public interest without seeking a patient’s consent, clear records must be made of the reasons for disclosing the information, including what steps have been taken, either to inform the patient about the disclosure or the reasons for not doing so.

It is important to engage constructively with any request for information from the police whilst at the same time being mindful of both the legal and professional obligations in relation to patient confidentiality. In this case, if the police obtain a Court Order or rely on their powers of seizure under the Police and Criminal Evidence Act (1984) then it is unlikely that the practice will be legitimately criticised for disclosing the information.

Case two

A pharmacist suspects that a patient has altered a prescription for temazepam by changing ‘20 tabs’ to ‘120 tabs’, and he notifies the police. A police constable brings the prescription to the practice and requests a statement. What should you tell the police officer?

On the basis that the police constable has already obtained the prescription, the fact that it has been issued and the information on the prescription are now within their ‘field of knowledge’.

The doctor, therefore, can legitimately identify a prescription as one that he has signed, and then verify what the prescription stated when it left the surgery. The GP should not speculate as to when, why and by whom the changes to the prescription were made.

If the police require information about the patient’s medical condition then (unless there was a public interest justification for disclosure which would not appear to apply here) they would need to provide the patient’s consent or seek a Court Order to facilitate this.

It would be good professional practice for the GP to tell the patient what action has been taken (unless this would compromise the police investigation). The GP should explain to the police that it would be their intention to inform the patient, in order that there can be a discussion (if indicated) as to whether or not taking this step would compromise the police investigation.  

