South Africa
Membership information 0800 225 677
Medicolegal advice 0800 014 780
Search
Membership information 0800 225 677
Medicolegal advice 0800 014 780

Disclosing patient records

Confidentiality is a fundamental right of all patients, but access to their medical records can be granted – for appropriate reasons. Gareth Gillespie looks at the issues involved

A common source of queries from MPS members in South Africa is uncertainty over when to disclose confidential patient information held within medical records. In a follow-up article to last issue’s feature on maintaining good patient records, we now look at the law surrounding confidentiality in records, and also consider the situations where you can disclose without patient consent.

Confidentiality

Patient confidentiality is enshrined in law – the National Health Act 2003 makes it an offence to disclose patients’ information without their consent, except in certain circumstances. These will be discussed later in the article. This right to confidentiality means more than simply refraining from divulging information – you are also responsible for ensuring that all records containing patient information are kept securely.

The National Health Act 2003 makes it an offence to disclose patients’ information without their consent, except in certain circumstances

Sections 14, 15 and 16 of the Act are pertinent with regards to confidentiality. In particular, sections 15 and 16 describe how patient information may be disclosed by a healthcare worker “for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user”.

It is not just in law that confidentiality is delineated; the HPCSA views it as central to the doctor–patient relationship and a core aspect of the trust that holds the relationship together. The HPCSA’s official guidance, Confidentiality: Protecting and Providing Information (2008), lists the key principles:

  1. Patients have a right to expect that information about them will be held in confidence by health care practitioners. Confidentiality is central to trust between practitioners and patients. Without assurances about confidentiality, patients may be reluctant to give practitioners the information they need in order to provide good care.
  2. Where health care practitioners are asked to provide information about patients, they should:
    • Seek the consent of patients to disclosure of information wherever possible, whether or not the patients can be identified from the disclosure; Comprehensive information must be made available to patients with regard to the potential for a breach of confidentiality with ICD10 coding.
    • Anonymise data where unidentifiable data will serve the purpose;
    • Keep disclosures to the minimum necessary.
  3. Health care practitioners must always be prepared to justify their decisions in accordance with these guidelines.1

Disclosures

There are circumstances – including a statutory duty to share certain information, such as reporting notifiable diseases – when you may have to disclose or allow access to information within a patient’s medical record. Not all these circumstances require you to obtain the patient’s consent. Examples are listed in this article but each situation must be assessed on an individual basis – and you must also document your actions and the reasons for doing so, whether you decide to disclose the information or not.

Consent must be obtained from the patient if access to their record has been requested by the HPCSA, an insurance company, employer or people involved in legal proceedings. If no such authority is forthcoming from the patient, no disclosure can be made.

Sharing of information within the healthcare team is usually assumed if the patient, for example, has agreed to being referred to a specialist. In this case, such sharing should be limited to a need-to-know requirement. Patients do have the right to request that certain information be withheld from a team, but many are unaware of this right – they should be made aware through leaflets, notices or verbal means.

Each situation must be assessed on an individual basis – and you must also document your actions and the reasons for doing so

HIV

Your record-keeping system should have a way of limiting access to information regarding the status of HIV-positive patients. The HPCSA says such information should be treated as highly confidential and specific consideration should be given to sharing this information with other professionals involved in the patient’s care.2

Disclosures without consent

It is possible to disclose confidential information about a patient without their consent, if there is a sufficient risk to public health. The HPCSA says the risk of harm must be serious enough to outweigh the patient’s right to confidentiality. You should always try to obtain the consent of the patient first, but disclose anyway if consent is not forthcoming. 

The HPCSA says the risk of harm must be serious enough to outweigh the patient’s right to confidentiality

Again, your reasons for disclosing this information must be documented. The same applies in cases where you suspect a vulnerable patient – such as a child or adult lacking capacity – is at risk of abuse or neglect.

The patient’s best interests are the overriding factor in such situations, and any concerns must be reported to the relevant person or agency. 

Access to records

The Promotion of Access to Information Act 2000 gives everyone the right of access to records held by public or private bodies, provided it is for legitimate reasons. This includes health records. Either the patient or someone authorised to act on the patient’s behalf can request access, and the request must be responded to in 30 calendar days. The Act says that the request should be refused if the disclosure to “the relevant person might cause serious harm to his or her physical or mental health, or well-being”.3

Relatives other than parents have no automatic right of access and any requests for information should only be granted with the consent of the patient. Parents and guardians of children aged under 12 can gain access to their child’s medical records if they request it. An exception is if the child has had a termination of pregnancy, which should remain confidential unless the child consents to its disclosure.

Children aged 12 or over, and who have the maturity to understand the consequences of disclosure, must give their consent to the disclosure of their medical records. 

The police have no special right to access clinical records. However, they can be granted access if the patient consents

The police have no special right to access clinical records. However, they can be granted access if the patient consents to the disclosure; if the information has been requested by a court order; or if – as with risks to public health – the public interest outweighs the patient’s right to confientiality.

Solicitors may also request access to a patient’s medical records, in situations where they are handling a claim – again, the consent of the patient is needed before any disclosure. If the solicitor is acting on behalf of the patient, it is safe to assume that the request is being made on the instructions of the patient – although a signed consent form clarifying this is preferable.

Other types of medical information

Specific legislation exists for confidentiality concerning other types of medical information, such as sexual offences, termination of pregnancy and children.

  • National Directives and Instructions on Conducting a Forensic Examination on Survivors of Sexual Offence Cases in Terms of the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007, Directives 3 and 5
  • Choice on Termination of Pregnancy Act, 92 of 1996, section 7
  • Children’s Act, 35 of 2005, sections 12, 13, 133 and 134

After death

Confidentiality applies after a patient’s death – generally, information should only be disclosed to third parties with the consent of the deceased patient’s next of kin or executors. Exceptions to this rule include if information is required for an inquest. 

Other uses

Identifiable information in medical records can be used for study, teaching or research with the consent of the patient, but no such authorisation is needed if the information has been suitably anonymised. However, if you wish to publish case reports, photographs or other images in a format that the public can access – whether it is identifiable or not – the patient must provide consent. 

It is not possible to cover every unique scenario and while there are sometimes definitive rules you must adhere to, in some cases your course of action is not so crystal clear

Conclusion

While the importance of confidentiality in the doctor–patient relationship cannot be underestimated, it is equally important to be aware of the range of circumstances where you may be asked to either disclose confidential information from or provide access to your patients’ medical records. That said, it is not possible to cover every unique scenario and while there are sometimes definitive rules you must adhere to, in some cases your course of action is not so crystal clear. You should remember to contact MPS for specific advice if you are faced with such a dilemma.

References

  1. HPCSA, Confidentiality: Protecting and Providing Information (2008), para 4.
  2. HPCSA, Ethical Guidelines for Good Practice with Regard to HIV (2008), para 5.
  3. Promotion of Access to Information Act 2 of 2000, section 61(1)
Download a PDF of this edition