DLM Module 11 PDF
Document Details
Uploaded by FlawlessMountainPeak
Tags
Summary
This document discusses the principles of confidentiality in healthcare, covering legal bases, GMC and NMC guidance, disclosures, data protection legislation, and patient rights to access medical records. It also examines the duty of confidentiality in specific situations and the importance of maintaining trust in the doctor–patient relationship.
Full Transcript
Patients entrust us with, or allow us to gather, sensitive information relating to their health and other matters as part of their seeking treatment. There have been some high profile examples of breaches – for example, when Richard Hammond was hospitalised following a brain injury in 2006, 300 medi...
Patients entrust us with, or allow us to gather, sensitive information relating to their health and other matters as part of their seeking treatment. There have been some high profile examples of breaches – for example, when Richard Hammond was hospitalised following a brain injury in 2006, 300 medical staff accessed his records over a 24 hour period. It is estimated that 20 events were appropriate. In 2018, two staff were disciplined following inappropriately accessing Ed Sheeran’s records. After successful completion of this module, you should be able to: From the Syllabus: Candidates should have a detailed knowledge and understanding of the law and ethics governing the duty of confidentiality, including: 1. 9.1. legal basis; 2. 9.2. GMC and NMC guidance; 3. 9.3. disclosures required by law; 4. 9.4. disclosures in the public interest; 5. 9.5. data protection legislation; 6. 9.6. patients' rights of access to health records and medical reports; 7. 9.7. confidentiality and mentally incapacitated adults; and 8. 9.8. confidentiality after death. By the end of this module a student should be able to understand: Confidentiality and Disclosure Confidentiality and the Deceased Patient Data Protection & General Data Protection Regulation (GDPR) Child Protection “And about whatever I may see or hear in treatment, or even without treatment, in the life of human beings, I will remain silent, holding such things to be unutterable.” Hippocrates penned these words in the 5th Century BC and they still remain an integral part of the Hippocratic Oath, underlining one of the central tenets in the practice of medicine – the Duty of Confidentiality. It is the inherent confidentiality which has always underpinned the absolute trust in the Doctor-Patient relationship. https://www.gmc-uk.org/ethicalguidance/ethical-guidance-for-doctors/confidentiality/ethical-and-legalduties-of-confidentiality Both deontological (duty-based) and consequentialist reasoning can be used to justify the existence of a duty of confidence between patients and clinicians. Deontological arguments would emphasise the patient’s right to privacy and their right to control access to sensitive and personal information. Consequentialist arguments center around the need to ensure patients trust healthcare professionals with their medical information and seek treatment, for the overall health of the population. Raanan Gillon states: “Quite apart from the medical benefits to the patient, maintenance of confidentiality may in some circumstances benefit others. In the context of transmissible diseases, especially sexually transmissible diseases, so long as the patient continues to trust his or her doctor, the doctor is left in a position of being able to educate and influence the patient in ways that can reduce the likelihood of the disease being passed on. As soon as confidentiality is broken the trusting relationship is likely to be undermined and the opportunity to help reduce the spread of disease is lost.” There are a number of sources of legal duty of confidence. 1. Common Law There is a general common law duty imposed on a doctor to respect the confidences of his/her/their patient. The nature of this obligation, which applies to all confidential information was discussed by the Court of Appeal in A-G –v- Guardian Newspapers ltd (No 2) [1990]AC 109, also known as the ‘Spycatcher case”. Lord Goff: “[A] duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.” Lord Goff further suggested three limiting principles: With regards to medical information – this is normally clearly confidential, and the doctor-patient relationship is one in which a duty of confidence exists. Boreham J stated in Hunter v Mann: “in common with other professional men, for instance a priest… the doctor is under a duty not to disclose, without the consent of his patient, information which he, the doctor has gained in his professional capacity, save… in very exceptional circumstances.” In the case of W-v- Egdell [1990]Ch359 a secure prisoner obtained a Psychiatric report with a view to transfer to a less secure unit. The report was unfavourable to W, and his application was aborted. However, a routine review of his detention was due and when the Psychiatrist became aware that his report was not to be included in the patient’s notes, he feared that the decision would be made without accurate up to date information and would be potentially dangerous to the public. As such he informed the hospital’s medical director and the Home Office of his findings and W brought an action against the Psychiatrist alleging breach of duty of confidentiality. The action failed. The fear of a real risk to public safety entitled a doctor to take reasonable steps to communicate the grounds of his concern to the appropriate authorities. This was an important decision in that the important principle of medical confidentiality emerged relatively unscathed as W’s case was extreme and Courts would not condone a breach of confidence on less urgent grounds. However, this case clearly highlighted that there are circumstances where it could be permissible to breach this enshrined duty of confidentiality. 2. Statute - The Human Rights Act 1998 Human Rights Act 1998 Schedule 1 Article 8 8(1) Everyone has the right to respect for his private and family life, his home and his correspondence 8(2) There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Whilst there have been a number of cases where patients have relied upon Article 8 when complaining about disclosure of medical information, it has proven fairly difficult for them to establish that disclosure constitutes a prima facie violation of Article 8, as it has often been possible for public authorities to establish that disclosure was justifiable under 8(2). Z v Finland (1997) 25 EHRR 371 Z’s husband was charged with a number of sexual offences. He was HIV positive. In order to ascertain when he became aware of his HIV status, police sought and gained access to his wife, Z’s, medical records. The ECtHR held that this was not a violation of Z’s Article 8 rights because there were good reasons for requiring this information. Stone v South East Coast SHA [2006] EWHC 1668 Michael Stone, a convicted murderer, sought to suppress publication of a homicide inquiry containing details about his medical treatment. Although the judge acknowledged his right to privacy, this was outweighed by the public interest in knowing more about the treatment which Mr Stone had and had not received. Article 8 must also be balanced against Article 10 – the right to freedom of expression. An example of this is: Campbell v MGN Ltd [2004] UKHL 22 Naomi Campbell, a ‘super model’, sued the Mirror newspaper for revealing information about her addiction and attendance at Narcotics Anonymous. Whilst she accepted that the newspaper was entitled, in the public interest, to disclose that she was a drug addict and was receiving treatment (which she had previously denied publicly), she claimed that details of her attending Narcotics Anonymous and the accompanying photographs amounted to a breach of privacy. In this case, the House of Lords found that an obligation of confidence existed because of the nature of the information about Ms Campbell’s treatment for drug addiction. As a result of a European Union (EU) Directive, until 25 May of 2018 the Data Protection Act 1998 applied UK wide and provided a right of access to health records of living people. The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998. The Data Protection Act 2018 implemented the EU’s General Data Protection Regulation and is not limited to the UK GDPR provisions. What else does the DPA 2018 cover? The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards, but it has been amended to adjust those that would not work in the national context. It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions, based on Council of Europe Data Protection Convention, which apply to them There are also separate parts to cover the Information Commissioners Office (ICO) and its duties, functions and powers. THE DATA PROTECTION ACT 2018 and GDPR now govern access to health records of living individuals. Key areas to be aware of: What are the 6 principles of GDPR? These replace the previous ‘8 principles’ of the DPA 1998 1. Lawful, fair and transparent 2. Limited for its purpose 3. Adequate and necessary 4. Accurate 5. Not kept longer than needed 6. Integrity and confidentiality What does GDPR say about consent? Art 7(4) “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment and further consent should not provide a valid legal ground… where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Definitions Data controller A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. GDPR mandates that data controllers ensure contracts with data processors are up to date and reviewed. Data processor In relation to personal data – any person (other than an employee of the data controller), who processes data on behalf of the data controller. The GDPR places new specific legal obligations on data processors: To maintain records of personal data and processing activities To comply with GDPR and not act contrary to the lawful instructions of the data controller Data processors can now be fined Processing Obtaining, recording or holding information or data Data Protection Officer A requirement under GDPR. Responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Personal data "data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used" ICO PERSONAL DATA EXAMPLES Name NHS number Location data Online identifier Some pseudonymised data To legitimately process personal data, processors must have a schedule 2 (article 6) condition: Public authorities can no longer rely on ‘legitimate interests’.https://ico.org.uk/fororganisations/guide-to-data-protection/guide-to-the-general-data-protectionregulation-gdpr/lawful-basis-for-processing/legitimate-interests/ Special category data Race Ethnic origin Politics Religion Trade union membership Genetics Biometrics Health Sex life or sexual orientation To legitimately process special category data, processors must have a schedule 3 (article 9) condition: A request for access to health records under DPA and GDPR is known as a subject access request. Healthcare professionals need to familiarise themselves with the legislation and regulation. Any 3rd party information (e.g. relatives' comments or contact details must be removed). If a data breach occurs e.g. if a patient’s personal data or records are disclosed to the wrong party the patient has a right to compensation if he suffers damage as a result of the breach. The healthcare professional may also face a financial penalty. Who can make a subject access request (SAR)? 1. Patients with capacity. It is not necessary for a patient to give a reason why they want access to their records. The request is free of charge. 2. A Third Party authorised by the patient with capacity e.g. a Solicitor acting on their behalf. 3. Parents with parental responsibility. Not all parents have parental responsibility. Who has parental responsibility? (a) The mother; and also the father of a child, if born after 01 December 2003 in England and Wales, after 15 April 2002 in Northern Ireland and after 04 May 2006 in Scotland, provided the father is registered on the child’s birth certificate. (b) For children born before the above dates, a biological father will only automatically acquire parental responsibility if the parents were married at the time of the child’s birth or sometime after. (c) If the parents of a child were never married, only the mother automatically has parental responsibility but a father may acquire it by a Court Order or agreement. Where more than one person has parental responsibility each may independently exercise rights of access to health records. It is not necessary to inform the other parent of the request. However, consideration must be given to a potential breach of the European Convention for Human Rights and the right to private and family life in not informing the other parent. (d) A Guardian appointed by the Court or a local authority which has been granted a Care Order may acquire parental responsibility. (e) adoptive parents where a child has been formally adopted. 4. Children aged over 16 5. Children aged under 16 in England, Wales and Northern Ireland who demonstrate that they have sufficient understanding of what is proposed are entitled to make a subject access request. Children aged 12 and over are expected to have competence to give or withhold consent to release of information from their health records. 6. Where a child between 12 and 16 is considered capable of making decisions about access to their medical records the consent of the child must be sought before a parent or third party is given access to the records via a subject access request. BEWARE - A person describing themself as a next of kin has no right of access to medical records. A clinician should review records prior to disclosure to check: For information which is likely to cause serious physical or mental harm to the patient or another person For data relating to third party (other than a healthcare professional) who has not given consent for disclosure Information which a third party or the patient has asked to be kept confidential Information restricted by court orders Information relating to the keeping or use of gametes or embryos In the case of child records, disclosure prohibited by law e.g. pertaining to adoption An important case relating to mixed data, is the case: Dr DB v. General Medical Council [2018] EWCA Civ 1497. In this case P requested disclosure of an expert report which described “below standard” care by Dr DB. GMC asked Dr DB’s consent to release – he refused. GMC decided to release but agreed not to do so pending Dr DB’s appeal. Court decision: Where one party objects to disclosure of the information this does not create a presumption or starting point against disclosure in the balancing exercise. Even if the requesting party is seeking legal action, this motive does not diminish their rights to receive the information, but can be a relevant factor, depending on the circumstances and the impact, on the other individual’s rights. Data controllers are given a wide discretion in the factors to be considered in the balancing exercise, and the weight placed on those factors. The ICO (https://ico.org.uk) is the UK's independent body set up to uphold information rights; it is an independent public body and the Department for Digital, Culture Media and Sport is the ICO’s sponsoring department within Government. It covers a number of regulations including: Data Protection Act Freedom of Information Act Privacy and Electronic Communications Regulations General Data Protection Regulation Environmental Information Regulations INSPIRE regulations eIDAS Regulation Re-use of Public Sector Information Regulations NIS Regulations Investigatory Powers Act ICO Powers include: Carry out audits Impose improvement notices Issue orders to cease operations Notify data subjects of a breach Restrict or erase data Issue fines not just for personal data breaches but also for lack of, or insufficient systems and processes. GDPR has brought in a new requirement to report ‘High risk’ breaches to the ICO and the relevant data subjects within 72 hours. Failure to notify a breach can result in a significant fine of up to 10 million euros or up to 2% of the total worldwide annual turnover. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-thegeneral-data-protection-regulation-gdpr/personal-data-breaches Department of Health: NHS Code of Practice (2003) available at: https://www.gov.uk/government/publications/confidentiality-nhs-codeof-practice National Data Guardian standards: 1. All staff ensure that personal confidential data is handled, stored 2. 3. 4. 5. 6. 7. and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. 8. No unsupported operating systems, software or internet browsers are used within the IT estate. 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards. NHS England Data Security and Protection Toolkit (previously known as the IG toolkit) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. With the advent of Electronic Health Care records, clinicians must be particularly mindful of the need to obtain informed consent prior to accessing. Organisations must have the appropriate policies and protocols in place for protecting against unauthorised access. Specific roles within organisations include: Caldicott Guardian – all NHS organisations and local authorities which provide social services must have a Caldicott Guardian A Caldicott Guardian register is maintained by NHS England A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. They should provide leadership and informed guidance on complex matters involving confidentiality and information sharing. This is an advisory role Described as ‘the conscience of the organisation’ Senior Information Risk Owner (SIRO) This is an accountable role Fosters a culture for protecting and using data Provides a focal point for managing information risks and incidents Concerned with management of all information assets Common Law Statute AG v Guardian Newspapers ECHR Article 8 Negligence – breach of duty of care 1. Respect private and family life 2. Qualifies Campbell v MGN Breach of contract – private patients Z v Finland GDPR 6 principles General Medical Council (GMC) Whilst this does not have the status of law, breach of GMC guidance may lead to disciplinary proceedings and may be used as evidence in a civil suit of breach of duty of care. Candidates should be familiar with GMC guidance available at: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality Key areas of guidance: Confidentiality: disclosing information for education and training purposes Confidentiality: disclosing information for employment, insurance and similar purposes Confidentiality: disclosing information about serious communicable diseases Confidentiality: patients’ fitness to drive and reporting concerns to the DVLA or DVA Confidentiality: Reporting gunshot and knife wounds Confidentiality: responding to criticism in the media Nursing and Midwifery Council (NMC) The Code: https://www.nmc.org.uk/standards/code/read-the-code-online The Health and Care Professions Council (HCPC) The Standards: https://www.hcpc-uk.org/standards General Rules when disclosing information Obtain explicit consent (unless required by law or in public interest) Satisfy yourself that Patient has not objected Patient has access to information explaining how their information will be used and that they have a right to object. Anonymise information if practicable. Keep disclosure to the necessary minimum. Follow all legal requirements including the common law and data protection law. The British Medical Association provide a confidentiality aid: https://www.bma.org.uk/advice/employment/ethics/confidentiality-andhealth-records Also consider GMC guidance: “Good Medical Practice”: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/good-medical-practice https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality With explicit consent Consent can be explicit (or express) when the patient actively agrees either orally or in writing to the information disclosure. With implied consent GMC guidance regarding this for direct patient care is as follows: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality/using-and-disclosing-patient-information-for-directcare This is one of the most important exceptions to the duty of confidentiality. See AG v Guardian Newspapers Ltd (No.2) [1988] 3 WLR 776 at 807 There are three public interest disclosures to consider: 1. To prevent harm to others 2. To prevent or detect crime 3. Teaching, research and audit 1. Prevent harm to others As per GMC and BMA guidance there must be A REAL risk of SERIOUS harm See the case of W v Egdell discussed above. In Palmer v Tees Health Authority [1999], a claim was made for damages, on behalf of the estate of a murdered child and her mother for psychiatric damage. The claim against the Health Authority, was made as it was said to have been negligent in having failed to manage a psychiatric patient who had abducted and murdered the girl. The Court found the Health Authority was liable (so not negligent) for failing to restrict the freedom of the patient, who was an out-patient and had threatened to kill. Although the patient did kill the child, the threat was said not to be specific enough. See: http://www.bailii.org/ew/cases/EWCA/Civ/1999/1533.html Another interesting case is the US case of Tarasoff v Regents of the University of California. See: https://www.courtlistener.com/opinion/1175611/tarasoff-v-regents-ofuniversity-of-california This involved a patient confiding to his university psychotherapist, Dr Moore, that he intended to harm T, a fellow student. The therapist informed the University police, but did not inform T, whom the patient subsequently murdered. The California Supreme Court held that the University’s employee was under a duty to protect T by disclosing these threats to her. GMC guidance regarding public interest disclosures, in guidance “Disclosing Information about Serious Communicable Diseases”: 68. When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider: a. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health b. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent c. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed d. the potential benefits to an individual or to society arising from the release of the information e. the nature of the information to be disclosed, and any views expressed by the patient f. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion. If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority. Another interesting case is that of X v Y [1988] 2 All ER 648. A newspaper had obtained information from a Health Authority employee that two GPs were HIV positive. The newspaper argued that it was in the public interest to disclose this information. The court supported an injunction preventing disclosure of the names of the GPs on the grounds that the risks of individuals with HIV not seeking treatment that would be created if the information were published, was greater than the public interest in publishing. So what about the patient who tests positive for HIV and refuses to disclose to his wife? 12 You should explain to patients who have serious communicable diseases how they can protect others from infection, including from sexually transmitted diseases. This includes the practical measures they can take to avoid transmission, and the importance of informing people with whom they have sexual contact about the risk of sexual transmission of serious communicable diseases. 13 You may disclose information [sufficient information, not identify the person] to a person who has close contact with a patient who has a serious communicable disease if you have reason to think that: a. the person is at risk of infection that is likely to result in serious harm b. the patient has not informed them and cannot be persuaded to do so. https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality---disclosing-information-about-seriouscommunicable-diseases/disclosing-information-about-seriouscommunicable-diseases 2. Preventing or Detecting Crime Section 11 of the Police and Criminal Evidence Act 1984 classes medical records as ‘excluded material’, which means that police will not normally be allowed access to them. However, there is an exception for “serious arrestable offences” e.g. rape, murder, kidnapping, death through dangerous driving. The police should provide a “121” form referring to the relevant part of the Data Protection Act 2018 – Schedule 1, Part 2, Clause 1. These forms were previously known as ‘Section 28’ forms, under the DPA 1998. However, healthcare professionals must also have regard to their professional obligations when disclosing information. There are a number of other situations where the police may require information: S172 RTA 1988 – name and address should be provided (no access to medical information) See Hunter v Mann, where a doctor was convicted for failure to provide information regarding two patients he had treated following an alleged hit and run. Terrorism Prevention and Investigation Measures Act 2011 Section 5B, Female Genital Mutilation Act 2003 Section 5, Criminal Law Act (Northern Ireland) 1967 Other scenarios relevant to disclosure include: Medical Act 1983 – disclosure of patient information to the GMC when they request it for fitness to practice enquiries against a doctor Disclosure to Coroner Accountable Officers – Controlled Drugs Regulations Care Quality Commission NHS Counter Fraud Authority HMRC: Schedule 36 Part 1 of the Finance Act 2008 Notification of infectious diseases (The Health Protection (Notification) Regulations 2010) Criminal Appeal Act 1995 Health and Social Care Act 2008 Health and Social Care (Community Health Standards) Act 2003 Regulation of Care (Scotland) Act 2001 Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 Public Health (Control of Disease) Act 1984 NHS Act 2006; NHS (Wales) Act 2006 You must disclose information if required by statute or ordered by the court. For example: i. a statutory requirement of a registered medical practitioner to notify the ‘proper officer’ of certain infectious diseases; and whilst this is a legal duty for doctors, it is noted that: ”… however, it is good practice for all clinical staff.” See: https://assets.publishing.service.gov.uk/government/uploads/syste m/uploads/attachment_data/file/773214/PHE_Notifiable_diseases_post er_NE___NCL_HPT.PDF ii. a statutory duty to report to the Police, Female genital Mutilation in those under the age of 18 years; s74 Serious Crime Act, 2015. See: http://www.legislation.gov.uk/ukpga/2015/9/part/5/crossheading/female-genitalmutilation/enacted iii. Notifications required by the Abortion regulations, 1991. See: http://www.legislation.gov.uk/cy/uksi/1991/499/made If you are required by statute to disclose, make sure: 1. Personal information is needed and is indeed required by law. 2. You disclose only information relevant to the request and only in the way required by law. 3. You tell patients about the disclosure unless it would undermine the purpose of the disclosure 4. You abide by patient objections if there are provisions to do so. If you are ordered by the court to disclose information, ensure: 1. You only disclose information required by the court. 2. You object to attempts to get you to disclose irrelevant information. 3. You tell the Judge if you think a disclosure might put someone at risk of harm 4. You understand the basis for the disclosure There is extensive guidance published by the General Medical Council advising practitioners about the issues regarding confidentiality, available at: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality 3. Teaching, Research and Audit Relevant case law: R v Department of Health, ex parte Source Informatics [2001] QB 242 – this relates to anonymisation of data for research purposes. However, it should be noted, that under the Data Protection Act 2018, the process of anonymisation, involves ‘processing’ of sensitive personal data, and is therefore subject to the Data Protection Act. The following, allow for processing of data, when it is not possible to use anonymised data and seeking consent is impracticable for activities such as medical research or the proper running of the health service: NHS Act 2006 section 251 – England and Wales Confidentiality Advisory Group See: https://www.hra.nhs.uk/approvals-amendments/what-approvals-do-ineed/confidentiality-advisory-group 251(1) The Secretary of State may by regulations make such provision for and in connection with requiring or regulating the processing of prescribed patient information for medical purposes as he considers necessary or expedient – a. In the interests of improving patient care, or b. In the public interests (4) Regulations under subsection (1) may not make provision requiring the processing of confidential patient information for any purpose if it would be reasonably practicable to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for that purpose. Health and Social Care (Care of Data Processing) Act (Northern Ireland) 2016 – Northern Ireland In Scotland the regulations are different and as such reference should be given to the Scottish Government’s publication: “Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.0” available at: https://www.gov.scot/publications/scottish-government-recordsmanagement-nhs-code-practice-scotland-version-2-0/pages/6 Gender Recognition Act 2004 (UK) – Protected information or information about a patient’s application for gender recognition or their gender history after a gender change is protected and it is an offence to disclose this information unless a named exception is present to make it justified. Human Fertilisation and Embryology Act 1990 (UK) – Protects the confidentiality of information kept by the Human Fertilisation and Embryology Authority and such information can only be accessed or disclosed in circumstances laid out in the legislation. The National Health Service (Venereal Diseases) Regulations 1974 (Wales) - provide that any information capable of identifying an individual who is examined or treated for any STD shall not be disclosed other than to a medical practitioner in connection with the treatment of the individual in relation to that disease or for the prevention of the spread of the disease. What does lacking mental capacity mean? The Mental Capacity Act, 2005 [https://www.legislation.gov.uk/ukpga/2005/9/contents] s2: ‘For the purposes of this Act, a person lacks capacity in relation to a matter if at the material time he is unable to make a decision for himself in relation to the matter because of an impairment of, or a disturbance in the functioning of, the mind or brain.’ s3: ‘For the purposes of section 2, a person is unable to make a decision for himself if he is unable a. to understand the information relevant to the decision, b. to retain that information, c. to use or weigh that information as part of the process of making the decision, or d. to communicate his decision (whether by talking, using sign language or any other means). The relevant legislation pertaining to these matters: England & Wales Mental Capacity Act 2005 Scotland Adults with Incapacity (Scotland) Act 2000 Northern Ireland Mental Capacity (NI) Act 2016 - not yet fully in force General principles: Relevant information about a patient who lacks capacity to consent may be disclosed if it is of overall benefit to the patient – ‘best interests’. Students should review Mental Capacity Act 2005 guidance on how to assess best interests Capacity should be presumed Capacity is time and decision specific Regarding the disclosure – if disclosure is of overall benefit to the patient lacking consent, when making the decision whether to disclose you must: Make patient care primary concern Respect the patient’s dignity and privacy Support and encourage the patient to be involved in decision making if possible. Also consider: Is the patient’s capacity temporary or permanent Are there any previously expressed preferences The views of other relevant persons i.e. those close to the patient, one the patient asks you to consult or a legal representative/appointee What the healthcare team know about the patient’s wishes, feelings, beliefs and values. See MCA Code of Practice: https://www.gov.uk/government/publications/mental-capacity-act-code-ofpractice See NHS England: Records Management Code of Practice for further details. However, GP electronic patient records must not be deleted, see: https://www.bma.org.uk/advice/employment/ethics/confidentiality-andhealth-records/retention-of-health-records THE DUTY OF CONFIDENTIALITY CONTINUES AFTER A PATIENT HAS DIED. The Access to Health Records Act 1990 (England, Wales and Scotland) and the Access to Health Records (Northern Ireland) Order 1993 have been repealed to the extent that they now only affect the health records of deceased patients. When can deceased patients’ records be disclosed? 1. If disclosure is required by law or Court order e.g. if a child has died and abuse or neglect is suspected. 2. To assist the Coroner with an inquest. 3. Where disclosure is justified in the public interest to protect others from risk of death or serious harm. 4. Where a person has a right to access under the Access to Health Records Act/Order. Who has the right of access under the Act/Order? A personal representative of the deceased (the executor or administrator of the deceased person's estate) OR A person who may have a claim arising from the patient’s death. N.B Only information directly relevant to the claim will be disclosed. See: https://www.nhs.uk/common-health-questions/nhs-services-andtreatments/can-i-access-the-medical-records-health-records-of-someonewho-has-died A deceased’s patient’s records SHOULD NOT be disclosed if a. they identify a third party without that person’s consent unless the third party is a health professional. b. if disclosure is likely to cause serious harm/death to a third party’s physical or mental health. c. the deceased patient gave the information in the record in the past on the understanding that it would be kept confidential. Protecting children and vulnerable young people from harm is a high priority for all doctors but for those in general practice and in forensic practice there is more likely to be occasions when intervention to protect a child from the risk of serious harm will be required. The need to disclose information across specialties and professions to protect a child must “trump” ethical concerns about breaching confidentiality and will apply equally to information about third parties such as an adult who may be a threat to a child. At all times the best interests of the child must be of paramount importance. In July 2012, the GMC published guidance entitled “Protecting Children and Young People” which outlines the duties and responsibilities of doctors in relation to the protection of children. It has a section on Confidentiality and Sharing Information. In the context of protecting children and young people a doctor can share confidential information and otherwise breach the duty of confidentiality if it is: 1. Justified in the public interest e.g. if the benefits to a child or young person that will arise from the sharing of the information outweigh both the public and the individual’s interest in keeping the information confidential. A doctor must weigh the harm that is likely to arise from not sharing the information against the possible harm, both to the person and to the overall trust between doctors and patients arising from releasing the information. 2. Required by law/statutory duty. 3. Ordered by a Court. A doctor must tell an appropriate agency promptly if he is concerned that a child or a young person is at risk of or is suffering abuse or neglect UNLESS it is not in their best interests to do so. A doctor should ask for consent before sharing confidential information unless there is a compelling reason for not doing so e.g. 1. delay in sharing the information would increase the risk of harm 2. asking for consent may increase the risk of harm 3. disclosure is justified in the public interest. If a child or young person objects to disclosure, a doctor must consider the reasons and weigh the possible consequences of not sharing the information against the harm that sharing the information might cause. If a child or young person is at risk of or is suffering abuse or neglect it will usually be in their best interests that information is disclosed to an appropriate agency. If information is shared without consent the patient should be told why and what information has been shared and with whom unless doing so would put the child or young person or anyone's at increased risk. If a doctor delays in sharing information he must be able to justify his decision and a record should be kept explaining the decision not to immediately share information. Doctors should be aware that in sharing concerns about possible abuse and neglect they are not making the final decision about how best to protect a child or young person. That is the role of the local authority and ultimately the Court. Freedom of Information Act 2000 (England, Wales, Northern Ireland) Relevant legislation in Scotland: Freedom of Information (Scotland) Act 2002 (available at: https://www.legislation.gov.uk/asp/2002/13/contents) The Freedom of Information Act 2000 provides access to information held by public authorities. For example: Local authorities, health bodies and regulators, dentists, GPs, optical contractors and pharmacies. It requires public authorities to publish certain information about their activities and entitles members of the public to request information. The FOIA does not give people the right to: access information about themselves (this should be a Subject Access Request); access personal, private or sensitive information about others; access information about deceased patients. For a request to be valid, it must be in writing. The organisation has 20 working days within which to respond. Governs access to medical reports made for insurance or employment purposes. The report must be made by a medical practitioner that is (or has been) responsible for the patient’s clinical care. Patients must be asked for consent before the report is prepared. Patients have the following rights: To see the report before sent to insurer/employer (subject to the grounds for withholding access) To ask for amendments To be asked for consent before the report sent To refuse to allow supply of the report The patient can apply for access to the report at any time before it is supplied to the employer/insurer and the medical practitioner should not supply the report until this access has been provided unless 21 days have passed since the patient has communicated with the doctor about making arrangements to see the report. Once the patient has access to the report, it should not be supplied to the employer/insurer until the patient has given their consent. If an amendment is requested, the medical practitioner should either: a. Amend the report, if he/she/ deems or they deem it appropriate b. Attach to the report a note of the patient’s views on the part of the report which the doctor is declining to amend. A medical practitioner may make a reasonable charge for supplying the patient with a copy of the report. The doctor should retain a copy of the report for at least six months following its supply to the employer/insurer. During this period patients continue to have a right of access. Clinicians should ensure that they do not disclose confidential information about patients on social media. GMC guidance is available at: https://www.gmc-uk.org/ethicalguidance/ethical-guidance-for-doctors/doctors-use-of-social-media NHS Employers has published guidance at: https://www.nhsemployers.org/~/media/Employers/Publications/NOVE MBER%20Your%20guide%20to%20using%20social%20media%20in%20t he%20NHS.pdf All sensitive information should be stored securely. Patients are increasingly communicating with Healthcare Professionals via text messages and emails. Such exchanges form part of the patient's records in the same way as written correspondence. When communicating with colleagues about patients, secure emails should be used e.g. nhs.net.