Confidentiality

Confidentiality is central to the trust patients place in their doctors. It is an important legal and ethical principle – doctors must abide by the principles of the 1988 and 2003 Data Protection Acts and by the Medical Council’s guidance.

Sharing confidential information

Confidentiality is usually referred to as an ethical issue. It is, but it is also a legal principle

At face value, confidentiality may seem a very straightforward principle, but there are all sorts of situations where it is difficult to know if patient information should be shared or not – with the gardai, for example, or social workers.

Confidentiality is usually referred to as an ethical issue. It is, but it is also a legal principle.

Healthcare workers employed by hospitals and clinics are bound by confidentiality clauses in their contracts.
There is a common-law duty to preserve professional confidence.
There are requirements under the Data Protection Act to keep personal data, including medical records, secure.
It is a condition of your registration to abide by Medical Council guidance, which includes a requirement to respect patient confidentiality.

The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely. Confidential records should not be left where other people may have casual access to them and information about patients should be sent under private and confidential cover, with appropriate measures to ensure that it does not go astray.

Patients should be informed about the kind of information being held about them, how and why it might be shared, and with whom it might be shared. It is especially important to inform patients – and to let them know that they have the right to withhold consent – if you intend to use their personal information for purposes other than their immediate care, or to share it with non-medical agents such as social workers.

Confidentiality is not an absolute principle, and there are exceptions to the rule

Confidentiality is not an absolute principle, and there are exceptions to the rule. The circumstances in which it is permissible to disclose information about a patient to a third party are:

Disclosure with the patient’s consent. This includes fulfilling requests for information made by insurance companies, employers, solicitors and other organisations.
Sharing information with members of the clinical team. This should be on a need-to-know basis, and patients should be informed that they can withhold consent for certain information to be shared as long as it doesn’t endanger members of staff or others.
To comply with a court order. Compliance with a request for information from a court is mandatory.
To comply with a statutory reporting requirement. Some reporting of confidential patient information is permissible or required by law – eg, reporting a notifiable infectious disease (see Box 7) or reports to the national cancer registry.
To protect a child from abuse or neglect. The welfare of the child is paramount, so an appropriate breach of confidence (to a social worker, for example) is justified if you have reason to believe the child is at risk.
In the public interest. It is usually considered justifiable to disclose confidential patient information in order to prevent serious harm befalling a third party. This includes disclosures to the guardai to help them in the prevention, detection or investigation of serious crimes.

Patients should be informed that they can withhold consent for certain information to be shared as long as it doesn’t endanger members of staff or others

Data protection advice from the Commissioner

The following information has been extracted from The Medical and Health Sector: The Data Protection Rules in Practice, www.dataprotection.ie (as of 9 May 2012).

If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous

Can I pass patient details on to another health professional for clinical purposes?

“If you are passing patient data on to a person or body acting in an agency capacity for you – such as a clinical laboratory – then this is not a ‘disclosure’ under the Data Protection Act, and the Commissioner does not insist on specific patient consent in such cases. However, you should inform the patient in advance that their data will be used in this way.

“If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the consent of the patient in advance, except in cases of urgent need.”

What if I need to disclose patient data, and I don’t have the time to obtain consent?

“If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Acts makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.”

Can I use patient data for research or statistical purposes?

“Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.”

Can I disclose patient data to others for research or statistical purposes?

“You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.

You may pass on anonymised or aggregate data, from which individual patients cannot be identified

“Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.”

Box 7: Notifiable infectious diseases

“As soon as a medical practitioner becomes aware of or suspects that a person on whom he/she is in professional attendance is suffering from or is the carrier of an infectious disease, or a clinical director of a diagnostic laboratory as soon as an infectious disease is identified in that laboratory, he/she is required to transmit a written or electronic notification to a Medical Officer of Health.”

Health Protection Surveillance Centre (www.hpsc.ie)

Tips to avoid confidentiality breaches

If you are not involved in the patient’s care you have no more right than any other member of the public to access their records

Do not leave case notes lying around in publicly accessible areas.
Resist the temptation to look up patients’ records out of idle interest (eg, because you know the patient personally, or the patient is a celebrity). If you are not involved in the patient’s care you have no more right than any other member of the public to access their records.
Do not use information contained in the medical records for purposes other than patient care, unless consent has been obtained or the data anonymised.
For research or audit, anonymise information about patients in such a way that they cannot be identified. If this isn’t possible, obtain the patient’s consent.
If you write identifiable information about patients on scraps of paper, post-it notes or in a notepad, keep track of them – don’t leave them lying around in your car or in your pockets, etc. When you’ve finished with them, dispose of them securely.
Follow the hospital’s policies on safe storage of records and their removal from the premises.
If you download patient information onto a memory stick or flash drive, make sure it’s encrypted and that the files are password protected. Keep the memory stick in a secure place.
Change your computer password regularly, keep it secret, never let anyone log onto the system in your name, and never borrow someone else’s ID to log on.
If you are faxing confidential patient information, call the recipient first to check that you have the right number and to tell them the fax is on the way. Ask them to notify you if it doesn’t arrive. You might also consider using a cover sheet warning the recipient that the contents of the fax are confidential.
Be aware that emails are not secure, so take care not to include identifiable information about patients in emails unless you are confident that the emails are being adequately encrypted.
Even letters can go astray, so they should be marked “Confidential” on the envelope and care must be taken to ensure that the correct address is used (see Box 8). Consider using registered post for highly confidential letters.

Box 8: The wrong number

In 2009, the Data Protection Commissioner reported the case of a company that carries out DNA tests sending the results of a paternity test to a client’s next door neighbour. By the time the mistake was discovered, the next-door-neighbour had already opened the envelope and read the contents.

www.dataprotection.ie

« Advance directives

Sharing confidential information »