The below article has been reproduced from a BMJ series to help medical students make the leap to budding doctors. In this article, Geoffrey Robinson and colleagues explain that patients have a right to confidentiality, but in some instances the rules must be broken. 

Please note: the below information, while relevant, is intended for a UK audience and may contain technical details and procedures that are not the same in New Zealand. Please see below for links to New Zealand specific information about confidentiality. Your DHB will also have guidelines on patient confidentiality.

• Medical Council of New Zealand: Good Medical Practice
• The Health Information Privacy Code

Patients have a right to expect that information about them will be kept in strict confidence by their doctors. As part of the privilege of the doctor-patient relationship, the doctor has a responsibility to protect the patient’s right to confidentiality. This has led to a series of rules that doctors must be aware of and follow in their clinical practice.^1-4 But, as for all rules, circumstances exist when they may be broken for good reason, and doctors must also be aware of these exceptions.

Junior doctors, in particular, must be familiar with the issues surrounding patient confidentiality. From time to time they are given particular information that has not been disclosed to other health carers and, on occasion, the patient expressly limits the possession of that information to the junior doctor.

Rights and responsibilities

Being registered as a medical practitioner gives doctors rights and privileges. In return, doctors have a duty to meet standards of competence, care, and conduct. This includes maintaining patients’ confidentiality, which is central to the trust between doctors and patients. Without the assurance of confidentiality, patients may be reluctant to provide comprehensive information required for optimal health care. It has been proposed that the doctor-patient relationship may be interpreted as an agreement in which the doctor guarantees confidentiality (secrecy and discretion) in exchange for the confidence and honesty of the patient.⁵

It is often taken for granted that patients give “implied consent” to medical information being disclosed to others for “healthcare purposes”. Regardless, junior doctors should remember the standard of not divulging medical information without the consent of the patient—even routine matters of referrals and discharge summaries should be mentioned to and agreed by the patient. This is particularly so if the situation is sensitive—for example, psychiatric problems, sexually transmitted diseases, or terminations of pregnancy. Fortunately, most patients understand that information must be shared within the healthcare team that is providing the treatment.

Rules of disclosure

Here are the rules that you should consider when you are asked to disclose information about a patient or their health care.²

• Inform patients about the disclosure, or check that they have already received information about it
• Anonymise data if unidentifiable data will serve the purpose
• Be satisfied that patients know about disclosures necessary to provide their care so that they can object to these disclosures if they wish
• Seek patients’ express consent to disclosure information, where identifiable data are needed for any purpose other than the provision of care or for clinical audit
• Keep disclosures to the minimum necessary
• Keep up to date with and observe the requirements of statute and common law, including data protection legislation. These requirements may differ between countries and are likely to change over time.

Most breaches of confidentiality occur “inadvertently” in settings such as ward rounds in cubicles with multiple beds and overheard “discussions management” in corridors. Ideally, patients should be asked, especially if there are sensitive issues, if they would prefer a private area for their consultation, however, this may be difficult in practice. Regardless, you should take all reasonable steps to ensure that your consultations with patients are private. Beware gossip about patients in corridors, in the dining room, and in general because it is a small world.

Pitfalls…

You should not leave patients’ records, either on paper or on screen, where they can be seen by other patients, unauthorised healthcare staff, or the public. The area of electronic health records has increased the opportunity for breaching a patient’s right to confidentiality.¹ It is important to be aware of regulations that confine your attention to your own patients. Ensure that you do not share “log-ins” with others, do not leave a terminal unattended when logged in, and always log out of a computer system when your work on it is finished.

Everyday situations, such as formal case presentations or grand rounds, can breach confidentiality. Ideally, the patient’s consent should be sought even if you think that anonymity can be preserved. Similarly, bedside teaching of medical students by junior doctors needs pre-arranged consent.

Research and audits are other activities in which confidentiality requires consideration. Clearly, in research, individual patients’ consent and approval by an ethics committee is required, but the anonymity of individuals should be preserved in data collection. Audits are less well regulated, but the same principles should apply.

You must still keep information confidential after a patient dies. Requests for information after a patient’s death may be complex and cause distress or benefit to the patient’s family. The purpose of the disclosure should be clear, and you should seek legal advice.

… and exceptions

Various situations may arise in which you might be legally and ethically obliged to breach confidentiality and disclose information about a patient in your care (see below). These primarily relate to disclosure in connection with judicial or other statutory proceedings, disclosure in the public interest to protect either the patient or others, or in circumstances when children or other patients may lack competence to give consent.

Reasons to disclose information

These criteria may vary between countries—make sure you know the rules where you are practising Healthcare reasons Parents (when child is unable to give informed consent) Caregivers or family of patients with intellectual impairment or dementia Public interest Where there is risk of serious harm or death to the patient or other people Provisions in the Mental Health Act Required by law Court ordered by the health ombudsman or coroner Complaints committees Child abuse Serious criminality Medically unfit patients continuing to drive despite advice Required by statutory regulatory bodies Notifiable diseases Drug addiction Termination of pregnancy Births and deaths Identification of patients undergoing in vitro fertility treatment with donated gametes (and the outcome of such treatment) Identification of donors and recipients of transplanted organs Prevention, apprehension, or prosecution of terrorists

If you consider that a legal or ethical requirement to divulge information exists, as a junior doctor you should discuss this with a senior clinician in conjunction with the hospital’s legal advisers. When this is done, the patient should be informed wherever possible, but not if there are concerns of violence or danger to other people. Disclosures should be kept to the minimum amount of information necessary for the purpose.

Confidentiality is an important consideration in everyday practice for junior doctors and is fraught with ethical and legal dilemmas. Junior doctors should be aware of their responsibilities, the rights of patients, the rules, and the exceptions to the rules.

Learning through examples

HIV from an affair—Your patient has requested an HIV test after a high risk extramarital affair. The test result comes back positive. He urges you to keep the test result a secret, in particular from his wife who he is convinced will leave him if she finds out about the affair. He refuses to use barrier contraception as his wife would become suspicious.

The patient should be urged to tell his wife and given the opportunity to control the release of this information. However, you have a responsibility to tell the wife because her life is being placed in danger by his actions. In this case, his conduct poses a risk to others that outweighs his right to medical confidentiality. After repeated counselling, discussion with senior colleagues, and both the Medical Protection Society and the Medical Council, you advise his wife accordingly and inform the patient that you have done so.

Driver with epilepsy—A patient has recently been diagnosed as having epilepsy. You inform him of his obligation to notify the road transport authority, which will probably revoke his licence. He tells you that he has no intention of doing this because he will lose his job as a travelling salesman.

The road transport authority must be notified because the salesman is putting other drivers at risk. The road transport authority has the responsibility of deciding if someone is medically unfit to drive. The authority needs to know when drivers have a condition that might affect their safety or the safety of other people. If a patient has a condition which may affect their ability to drive, you should explain this to them and ask them to inform the road transport authority. If they refuse to do so, you must inform the road transport authority and let the patient know that you have done so.

Release of information—A patient in your care is being investigated for a malignancy. The patient’s best friend approaches you in visiting hours and asks you how he is getting on and what the tests have shown.

You should absolutely not divulge information about the patient’s medical condition to the friend without the express consent of the patient. If the patient does consent, any discussion with the friend should take place with the patient present. This would apply equally to a family member.

Taking medical records home—You are required to present a case at the weekly departmental meeting and do not have enough time to prepare your presentation while at work. So you take the hospital case notes home over the weekend, but unfortunately the medical records were in your briefcase, which is stolen from your car.

Bad mistake—and bad luck. To ensure that patient information is protected, records must be kept physically secure at all times. As a result, hospitals normally have a standard rule that staff cannot take patient records home. In addition to the risk of loss, such an action may also adversely affect patients’ care should they be readmitted and the records are not available.

Disclosure to employers and insurance companies—You receive a request from a patient’s employer to confirm the dates and details of hospital admission six weeks after the patient has been discharged. The patient had been admitted with pneumonia and there were no “sensitive issues”.

You need to get consent from the patient to release this personal information, even though there seems to be no sensitive issue. The same principle applies to requests for information from insurance companies.

Patients younger than 16 years old—A 14-year-old girl attends the emergency department to get a prescription for the oral contraceptive pill. She does not want to see her normal general practitioner whom she fears will tell her parents. She asks you not to inform her parents. What should you do?

If you consider that the patient is competent to consent to treatment and requests that the treatment is prescribed without the knowledge of her parents, her wishes should be respected. And it is legal to do so. But you should ensure that you provide the patient with sexual health advice and encourage her to accept long-term follow-up with a general practitioner.

Serious crime—A patient attends the emergency department with a gunshot injury that requires surgery. He says that it was an unintentional injury he got when cleaning his shotgun. You are aware of a media report of an armed hold-up in a neighbouring town, in which one of the assailants was shot by his mate and in which a shop assistant was beaten up.

You are obliged to tell the police because this represents a “serious crime,” in which another person suffered “serious harm”. It is best to discuss the case with a consultant, who would need to take responsibility for contacting the police.

 

Original authors:
Geoffrey Robinson, general physician
Sarah Aldington, senior research fellow
Richard Beasley, general physician
Medical Research Institute of New Zealand, Wellington, New Zealand.

We gratefully acknowledge the BMJ for permission to reproduce this article.

References

1. Department of Health. Confidentiality: NHS code of practice. London: DoH, 2003. http://www.dh.gov.uk/assetRoot/04/06/92/54/04 25 4.pdf (accessed 31 May 2006).
2. General Medical Council. Confidentiality: protecting and providing information. London: GMC, 2004. http://www.gmc- uk.org/guidance/library/confidentiality.asp (accessed 31 May 2006).
3. Ethics: confidentiality. London: BMA. http://www.bma.org.uk/ap.nsf/Content/Hubethicsconfidentiality Accessed May 2006.
4. Wilks M. Confidentiality and disclosure of health information. London: BMA, 2004.
5. Lockwood GM. Confidentiality. Medicine 2005;33:8-10.

---