GMC Guidance on Confidentiality: Good Practice in Handling Patient Information PDF

Summary

This document provides guidance on good medical practice relating to patient confidentiality. It includes ethical and legal duties, considerations for disclosing patient information, and a framework for managing and protecting patient information.

Full Transcript

Confidentiality: good practice in handling patient information

The duties of a doctor registered with the General Medical Council

Patients must be able to trust doctors with their lives and health. To justify that trust you must show respect for human life and make sure your practice meets the standards expected of you in four domains.

Knowledge, skills and performance
- Make the care of your patient your first concern.
- Provide a good standard of practice and care.
  - Keep your professional knowledge and skills up to date.
  - Recognise and work within the limits of your competence.

Safety and quality
- Take prompt action if you think that patient safety, dignity or comfort is being compromised.
- Protect and promote the health of patients and the public.

Communication, partnership and teamwork
- Treat patients as individuals and respect their dignity.
  - Treat patients politely and considerately.
  - Respect patients’ right to confidentiality.
- Work in partnership with patients.
  - Listen to, and respond to, their concerns and preferences.
  - Give patients the information they want or need in a way they can understand.
  - Respect patients’ right to reach decisions with you about their treatment and care.
  - Support patients in caring for themselves to improve and maintain their health.
- Work with colleagues in the ways that best serve patients’ interests.

Maintaining trust
- Be honest and open and act with integrity.
- Never discriminate unfairly against patients or colleagues.
- Never abuse your patients’ trust in you or the public’s trust in the profession.

You are personally accountable for your professional practice and must always be prepared to justify your decisions and actions.

Published January 2017. Came into effect 25 April 2017.

This guidance was updated on 12 October 2017.
We updated paragraphs 67 and 68 to refer to the patient’s and the public interest in maintaining confidentiality, rather than patients’ and the public interest in maintaining confidentiality.

This guidance was updated on 25 May 2018 to reflect the requirements of the General Data Protection Regulation and Data Protection Act 2018.

You can find the latest version of this guidance on our website at www.gmc-uk.org/guidance.

General Medical Council

Contents

About this guidance
Other materials available
Ethical and legal duties of confidentiality (paragraphs 1–4)
Acting within the law (paragraphs 5–7)
The main principles of this guidance (paragraph 8)
Disclosing patients’ personal information: a framework (paragraphs 9–25)
When you can disclose personal information (paragraphs 9–12)
Disclosing information with a patient’s consent (paragraphs 13–15)
Disclosing information when a patient lacks the capacity to consent (paragraph 16)
Disclosures required or permitted by law (paragraphs 17–19)
Disclosures approved under a legal process (paragraphs 20–21)
Disclosures in the public interest (paragraphs 22–23)
Disclosures prohibited by law (paragraph 24)
Data protection law (paragraph 25)
Flowchart
Using and disclosing patient information for direct care (paragraphs 26–49)
Sharing information for direct care (paragraphs 26–33)
Implied consent and sharing information for direct care (paragraphs 27–29)
Patient objections to sharing information for their own care (paragraphs 30–31)
If a patient cannot be informed (paragraphs 32–33)
Sharing information with those close to the patient (paragraphs 34–40)
Establishing what the patient wants (paragraphs 35–36)
Abiding by the patient’s wishes (paragraphs 37–38)
Listening to those close to the patient (paragraphs 39–40)
Disclosures about patients who lack capacity to consent (paragraphs 41–49)
Considering the disclosure (paragraphs 44–47)
If a patient who lacks capacity asks you not to disclose (paragraphs 48–49)
Disclosures for the protection of patients and others (paragraphs 50–76)
Disclosing information to protect patients (paragraphs 50–59)
Disclosing information about children who may be at risk of harm (paragraph 51)
Disclosing information about adults who may be at risk of harm (paragraph 52)
Legal requirements to disclose information about adults at risk (paragraphs 53–54)
Disclosing information to protect adults who lack capacity (paragraphs 55–56)
The rights of adults with capacity to make their own decisions (paragraphs 57–59)
Disclosing information to protect others (paragraphs 60–76)
Legal requirements to disclose information for public protection purposes (paragraph 61)
Disclosing information with consent (paragraph 62)
Disclosing information in the public interest (paragraphs 63–70)
Responding to requests for information (paragraphs 71–72)
Disclosing genetic and other shared information (paragraphs 73–76)
Using and disclosing patient information for secondary purposes (paragraphs 77–116)
Anonymised information (paragraphs 81–86)
The process of anonymising information (paragraphs 84–85)
Disclosing anonymised information (paragraph 86)
Disclosures required by statutes or the courts (paragraphs 87–94)
Disclosure required by statute (paragraphs 87–89)
Disclosing information to the courts, or to obtain legal advice (paragraphs 90–94)
Consent (paragraph 95)
Disclosures for health and social care secondary purposes (paragraphs 96–114)
Clinical audit (paragraphs 96–98)
Disclosures for financial or administrative purposes (paragraph 99)
The professional duty of candour and confidentiality (paragraphs 100–101)
Openness and learning from adverse incidents and near misses (paragraph 102)
Disclosures with specific statutory support (paragraphs 103–105)
Public interest disclosures for health and social care purposes (paragraphs 106–112)
Ethical approval for research (paragraphs 113–114)
Requests from employers, insurers and other third parties (paragraphs 115–116)
Managing and protecting personal information (paragraphs 117–139)
Improper access and disclosure (paragraphs 117–121)
Knowledge of information governance and raising concerns (paragraphs 122–124)
Processing information in line with data protection law (paragraphs 125–127)
Records management and retention (paragraphs 128–130)
The rights of patients to access their own records (paragraph 131)
Communicating with patients (paragraphs 132–133)
Disclosing information after a patient has died (paragraphs 134–138)
Legal annex
Sources of law on confidentiality, data protection and privacy
The common law
Data protection law (UK)
Human Rights Act 1998 (UK)
Freedom of Information Acts across the UK
Computer Misuse Act 1990 (UK)
Regulation of healthcare providers and professionals
Laws on disclosure for health and social care purposes
Health and Social Care Act 2012 (England)
Health and Social Care (Safety and Quality) Act 2015 (England)
Health and Social Care (Control of Data Processing) Act 2016 (Northern Ireland)
Section 251 of the NHS Act 2006 (England and Wales)
Statutory restrictions on disclosing information about patients
Gender Recognition Act 2004 (UK)
Human Fertilisation Act and Embryology Act 1990 (UK)
National Health Service (Venereal Diseases) Regulations 1974 and NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000
Endnotes

About this guidance

Our core guidance for doctors, Good medical practice, makes clear that patients have a right to expect that their personal information will be held in confidence by their doctors. This guidance sets out the principles of confidentiality and respect for patients’ privacy that you are expected to understand and follow.
This guidance outlines the framework for considering when to disclose patients’ personal information and then applies that framework to:
  a  disclosures to support the direct care of an individual patient
  b  disclosures for the protection of patients and others
  c  disclosures for all other purposes.

This guidance also sets out the responsibilities of all doctors for managing and protecting patient information.

In this guidance, we use the terms ‘you must’ and ‘you should’ in the following ways.
  a  ‘You must’ is used for an overriding duty or principle.
  b  ‘You should’ is used when we are providing an explanation of how you will meet the overriding duty.
  c  ‘You should’ is also used where the duty or principle will not apply in all situations or circumstances, or where there are factors outside your control that affect whether or how you can follow the guidance.

You must use your judgement to apply the principles in this guidance to the situations you face as a doctor, whether or not you hold a licence to practise and whether or not you routinely see patients. If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian or equivalent, a data protection officer, your defence body or professional association, or seek independent legal advice.[1] You must be prepared to explain and justify your decisions and actions. Only serious or persistent failure to follow our guidance that poses a risk to patient safety or public trust in doctors will put your registration at risk.

Other materials available

Further explanatory guidance is available on our website explaining how these principles apply in situations doctors often encounter or find hard to deal with.
At the time of publishing this core guidance, we are also publishing explanatory guidance on:
  a  patients’ fitness to drive and reporting concerns to the DVLA or DVA
  b  disclosing information about serious communicable diseases
  c  disclosing information for employment, insurance and similar purposes
  d  disclosing information for education and training purposes
  e  reporting gunshot and knife wounds
  f  responding to criticism in the media.

Ethical and legal duties of confidentiality

1 Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared.[2]

2 Doctors are under both ethical and legal duties to protect patients’ personal information from improper disclosure. But appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who are providing their care do not have access to relevant, accurate and up-to-date information about them.

3 There are also important uses of patient information for purposes other than direct care. Some of these are indirectly related to patient care in that they enable health services to function efficiently and safely. For example, large volumes of patient information are used for purposes such as medical research, service planning and financial audit. Other uses are not directly related to the provision of healthcare but serve wider public interests, such as disclosures for public protection reasons.

4 Doctors’ roles are continuing to evolve and change.
It is likely to be more challenging to make sure there is a legal and ethical basis for using patient information in a complex health and social care environment than in the context of a single doctor-patient relationship. In this guidance, we aim to support individual doctors to meet their professional responsibilities while working within these complex systems.

Acting within the law

5 Doctors, like everyone else, must comply with the law when using, accessing or disclosing personal information. The law governing the use and disclosure of personal information is complex, however, and varies across the four countries of the UK.

6 In the legal annex to this guidance, we summarise some key elements of the relevant law, including the requirements of the common law, data protection law and human rights law. In the main body of the guidance, we give advice on how to apply ethical and legal principles in practice, but we do not refer to specific pieces of law unless it is necessary to do so.

7 If you are not sure how the law applies in a particular situation, you should consult a Caldicott or data guardian, a data protection officer, your defence body or professional association, or seek independent legal advice.

The main principles of this guidance

8 The advice in this guidance is underpinned by the following eight principles.[3]
  a  Use the minimum necessary personal information. Use anonymised information if it is practicable to do so and if it will serve the purpose.
  b  Manage and protect information. Make sure any personal information you hold or control is effectively protected at all times against improper access, disclosure or loss.
  c  Be aware of your responsibilities. Develop and maintain an understanding of information governance that is appropriate to your role.
  d  Comply with the law. Be satisfied that you are handling personal information lawfully.
  e  Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
  f  Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest.
  g  Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. Keep a record of your decisions to disclose, or not to disclose, information.
  h  Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.

Disclosing patients’ personal information: a framework

When you can disclose personal information

9 Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies.
  a  The patient consents, whether implicitly or explicitly, for the sake of their own care or for local clinical audit (see paragraphs 13–15).
  b  The patient has given their explicit consent to disclosure for other purposes (see paragraphs 13–15).
  c  The disclosure is of overall benefit to a patient who lacks the capacity to consent (see paragraphs 41–49).[4]
  d  The disclosure is required by law (see paragraphs 17–19), or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality (see paragraphs 20–21).
  e  The disclosure can be justified in the public interest (see paragraphs 22–23).

10 When disclosing information about a patient you must:
  a  use anonymised information if it is practicable to do so and if it will serve the purpose
  b  be satisfied the patient:
    i  has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    ii  has not objected
  c  get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  d  keep disclosures to the minimum necessary for the purpose
  e  follow all relevant legal requirements, including the common law and data protection law.[5]

11 When you are satisfied that information should be disclosed, you should act promptly to disclose all relevant information. You should keep a record of your decision and actions.

12 You should tell patients about disclosures you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure – for example, by prejudicing the prevention, detection or prosecution of serious crime.

Disclosing information with a patient’s consent

13 Asking for a patient’s consent to disclose information shows respect, and is part of good communication between doctors and patients. Under the common law duty of confidentiality, consent may be explicit or implied.[6]
  a  Explicit (also known as express) consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
  b  Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.

14 You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so. For example, this might be because:
  a  the disclosure is required by law (see paragraphs 17–19)
  b  you are satisfied that informed consent has already been obtained by a suitable person[7]
  c  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41–49)
  d  you have reason to believe that seeking consent would put you or others at risk of serious harm
  e  seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  f  action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  g  seeking consent is not feasible given the number or age of records, or the likely traceability of patients
  h  you have already decided to disclose information in the public interest (see paragraphs 63–70).

15 If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

Disclosing information when a patient lacks the capacity to consent

16 You may disclose relevant personal information about a patient who lacks the capacity to consent if it is of overall benefit to the patient. You can find more guidance on this in paragraphs 41–49.

Disclosures required or permitted by law

17 You must disclose information if it is required by statute, or if you are ordered to do so by a judge or presiding officer of a court (see paragraphs 87–94).

18 You should satisfy yourself that the disclosure is required by law and you should only disclose information that is relevant to the request. Wherever practicable, you should tell patients about such disclosures, unless that would undermine the purpose, for example by prejudicing the prevention, detection or prosecution of serious crime.

19 Laws and regulations sometimes permit, but do not require, the disclosure of personal information.[8] If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

Disclosures approved under a legal process

20 You may disclose personal information without consent if the disclosure is permitted or has been approved under section 251 of the National Health Service Act 2006 (which applies in England and Wales) or the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. These pieces of law allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. There is no comparable legal framework in Scotland.

21 If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not usually disclose the information unless it is required under the regulations. You can find more guidance on disclosures with specific statutory support in paragraphs 103–105.

Disclosures in the public interest

22 Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information if the benefits to an individual or society outweigh both the public and the patient’s interest in keeping the information confidential. For example, disclosure may be justified to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime. You can find guidance on disclosing information in the public interest to prevent death or serious harm in paragraphs 63–70.

23 There may also be circumstances in which disclosing personal information without consent is justified in the public interest for important public benefits, other than to prevent death or serious harm, if there is no reasonably practicable alternative to using personal information. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure. You can find further guidance in paragraphs 106–112.

Disclosures prohibited by law

24 Health professionals are required by certain laws to restrict the disclosure of some types of information.
You can find examples of disclosures prohibited by law in the legal annex.

Data protection law

25 This guidance focuses on doctors’ ethical and legal duties of confidentiality. But the processing of personal data must also satisfy the requirements of data protection law, which imposes various duties on data controllers. Individual doctors can be data controllers in their own right (for instance if they are partners in general practice, or hold data about patients whom they treat privately), but in many cases the data controller will be the doctor’s employer. This guidance aims to be consistent with data protection law, but it is not guidance on the law. You can however find an overview of data protection law and its relationship with the common law duty of confidence in the legal annex.

Flowchart

This flowchart can help you decide whether personal information needs to be disclosed and, if so, what the justification is for doing so.

  Would anonymised information be sufficient for the purpose? See paragraphs 81–83. (Yes / No)
  Is it appropriate or practical to seek explicit consent? See paragraph 14 for examples of when this might not be the case. (Yes / No)
  Is it reasonable to rely on implied consent? See paragraphs 28–29 and 96. (Yes / No)
  Is the disclosure about a patient who does not have capacity to make the decision and of overall benefit to that patient? See paragraphs 41–49. (Yes / No)
  Is the disclosure of identifiable information required by law? See paragraphs 17–19. (Yes / No)
  Is the disclosure of identifiable information approved through a statutory process? See paragraphs 20–21. (Yes / No)
  Is disclosure justified in the public interest? See paragraphs 22–23. (Yes / No)
  No obvious legal basis for disclosure. Ask person or body requesting information to identify the legal basis.
  Ensure that appropriate controls are in place to minimise the risks of individual patients being re-identified. The controls that are required will depend on the risk of re-identification. See paragraph 86.
  Has the patient given consent? (No / Yes)
  Disclose or provide access to relevant information. See paragraphs 10–12.
  Disclose or provide access to information that is relevant, in the way required by law. Tell patients about disclosures if practicable. See paragraphs 87–94.
  You may disclose or provide access to relevant information. If you are aware that a patient has objected to information being disclosed for such purposes, you should not usually disclose information unless it is required under the regulations. See paragraphs 103–105.
  Only disclose or provide access to information that is relevant. Tell patients about disclosures if practicable. See paragraphs 63–70 for public protection disclosures, and 106–112 for other disclosures.

Using and disclosing patient information for direct care

Sharing information for direct care

26 Appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who provide their care do not have access to relevant, accurate and up-to-date information about them.[9] Multidisciplinary and multi-agency teamwork is also placing increasing emphasis on integrated care and partnership working, and information sharing is central to this, but information must be shared within the framework provided by law and ethics.

Implied consent and sharing information for direct care

27 Most patients understand and expect that relevant information must be shared within the direct care team to provide their care.[10]
You should share relevant information with those who provide or support direct care to a patient, unless the patient has objected (see paragraphs 30 and 31).[11]

28 The usual basis for sharing information for a patient’s own care is the patient’s consent, whether that is explicit or implied (see paragraph 13 for definitions). You may rely on implied consent to access relevant information about the patient or to share it with those who provide (or support the provision of) direct care to the patient if all of the following are met.
  a  You are accessing the information to provide or support the individual patient’s direct care, or are satisfied that the person you are sharing the information with is accessing or receiving it for this purpose.
  b  Information is readily available to patients, explaining how their information will be used and that they have the right to object. This can be provided in leaflets and posters, on websites, and face to face. It should be tailored to patients’ identified communication requirements as far as practicable.
  c  You have no reason to believe the patient has objected.
  d  You are satisfied that anyone you disclose personal information to understands that you are giving it to them in confidence, which they must respect.

29 If you suspect a patient would be surprised to learn about how you are accessing or disclosing their personal information, you should ask for explicit consent unless it is not practicable to do so (see paragraph 14). For example, a patient may not expect you to have access to information from another healthcare provider or agency on a shared record.

Patient objections to sharing information for their own care

30 If a patient objects to particular personal information being shared for their own care, you should not disclose the information unless it would be justified in the public interest, or is of overall benefit to a patient who lacks the capacity to make the decision.[12] You can find further guidance on disclosures of information about adults who lack capacity to consent in paragraphs 41–49.

31 You should explain to the patient the potential consequences of a decision not to allow personal information to be shared with others who are providing their care. You should also consider with the patient whether any compromise can be reached. If, after discussion, a patient who has capacity to make the decision still objects to the disclosure of personal information that you are convinced is essential to provide safe care, you should explain that you cannot refer them or otherwise arrange for their treatment without also disclosing that information.

If a patient cannot be informed

32 Circumstances may arise in which a patient cannot be informed about the disclosure of personal information, for example in a medical emergency. In such cases, you should pass relevant information promptly to those providing the patient’s care.

33 If the patient regains the capacity to understand, you should inform them how their personal information was disclosed if it was in a way they would not reasonably expect.

Sharing information with those close to the patient

34 You must be considerate to those close to the patient and be sensitive and responsive in giving them information and support, while respecting the patient’s right to confidentiality.

Establishing what the patient wants

35 The people close to a patient can play a significant role in supporting, or caring for, the patient and they may want or need information about the patient’s diagnosis, treatment or care. Early discussions about the patient’s wishes can help to avoid disclosures they might object to. Such discussions can also help avoid misunderstandings with, or causing offence or distress to, anyone the patient would want information to be shared with.

36 You should establish with the patient what information they want you to share, with whom, and in what circumstances. This will be particularly important if the patient has fluctuating or diminished capacity or is likely to lose capacity, even temporarily. You should document the patient’s wishes in their records.

Abiding by the patient’s wishes

37 If a patient who has capacity to make the decision refuses permission for information to be shared with a particular person or group of people, it may be appropriate to encourage the patient to reconsider that decision if sharing the information may be beneficial to the patient’s care and support. You must, however, abide by the patient’s wishes, unless disclosure would be justified in the public interest (see paragraphs 63–70).

38 If a patient lacks capacity to make the decision, it is reasonable to assume the patient would want those closest to them to be kept informed of their general condition and prognosis, unless they indicate (or have previously indicated) otherwise. You can find detailed advice on considering disclosures about patients who lack capacity to consent in paragraphs 41–49.

Listening to those close to the patient

39 In most cases, discussions with those close to the patient will take place with the patient’s knowledge and consent.
But if someone close to the patient wants to discuss their concerns about the patient’s health without involving the patient, you should not refuse to listen to their views or concerns on the grounds of confidentiality. The information they give you might be helpful in your care of the patient.
40 You should, however, consider whether your patient would consider you listening to the views or concerns of others to be a breach of trust, particularly if they have asked you not to listen to specific people. You should also make clear that, while it is not a breach of confidentiality to listen to their concerns, you might need to tell the patient about information you have received from others – for example, if it has influenced your assessment and treatment of the patient. You should also take care not to disclose personal information unintentionally – for example, by confirming or denying the person’s perceptions about the patient’s health.
Disclosures about patients who lack capacity to consent
41 You must work on the presumption that every adult patient has the capacity to make decisions about the disclosure of their personal information. You must not assume a patient lacks capacity to make a decision solely because of their age, disability, appearance, behaviour, medical condition (including mental illness), beliefs, apparent inability to communicate, or because they make a decision you disagree with.
42 You must assess a patient’s capacity to make a particular decision at the time it needs to be made, recognising that fluctuations in a patient’s condition may affect their ability to understand, retain or weigh up information, or communicate their wishes.
43 We give detailed advice on assessing a patient’s mental capacity in our guidance Decision making and consent.
Practical guidance is also given in the Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 codes of practice.
Considering the disclosure
44 You may disclose personal information if it is of overall benefit to a patient who lacks the capacity to consent. When making the decision about whether to disclose information about a patient who lacks capacity to consent, you must:
a. make the care of the patient your first concern
b. respect the patient’s dignity and privacy
c. support and encourage the patient to be involved, as far as they want and are able, in decisions about disclosure of their personal information.
45 You must also consider:
a. whether the patient’s lack of capacity is permanent or temporary and, if temporary, whether the decision to disclose could reasonably wait until they regain capacity
b. any evidence of the patient’s previously expressed preferences
c. the views of anyone the patient asks you to consult, or who has legal authority to make a decision on their behalf, or has been appointed to represent them
d. the views of people close to the patient on the patient’s preferences, feelings, beliefs and values, and whether they consider the proposed disclosure to be of overall benefit to the patient
e. what you and the rest of the healthcare team know about the patient’s wishes, feelings, beliefs and values.
46 You might need to share personal information with a patient’s relatives, friends or carers to enable you to assess the overall benefit to the patient. But that does not mean they have a general right of access to the patient’s records or to be given irrelevant information about, for example, the patient’s past healthcare.
47 You must share relevant information with anyone who is authorised to make health and welfare decisions on behalf of, or who is appointed to support and represent, a patient who lacks capacity to give consent.
This might be a welfare attorney, a court-appointed deputy or guardian, or an independent mental capacity advocate. You should also share information with independent mental health advocates in some circumstances.
If a patient who lacks capacity asks you not to disclose
48 If a patient asks you not to disclose personal information about their condition or treatment, and you believe they lack capacity to make that decision, you should try to persuade them to allow an appropriate person to be given relevant information about their care. In some cases, disclosing information will be required or necessary, for example under the provisions of mental health and mental capacity laws (see paragraph 47).
49 If the patient still does not want you to disclose information, but you consider that it would be of overall benefit to the patient and you believe they lack capacity to make that decision, you may disclose relevant information to an appropriate person or authority. In such cases, you should tell the patient before disclosing the information and, if appropriate, seek and carefully consider the views of an advocate or carer. You must document in the patient’s records your discussions and the reasons for deciding to disclose the information.
Disclosures for the protection of patients and others
Disclosing information to protect patients
50 All patients have the right to a confidential medical service. Challenging situations can however arise when confidentiality rights must be balanced against duties to protect and promote the health and welfare of patients who may be unable to protect themselves.
Disclosing information about children who may be at risk of harm
51 For specific guidance on confidentiality in the context of child protection, see our guidance Protecting children and young people: the responsibilities of all doctors. For general advice on confidentiality when using, accessing or disclosing information about children and young people, see our guidance 0–18 years: guidance for all doctors.
Disclosing information about adults who may be at risk of harm
52 As a rule, you should make decisions about how best to support and protect adult patients in partnership with them, and should focus on empowering patients to make decisions in their own interests. You must support and encourage patients to be involved, as far as they want and are able, in decisions about disclosing their personal information.
Legal requirements to disclose information about adults at risk
53 There are various legal requirements to disclose information about adults who are known or considered to be at risk of, or to have suffered, abuse or neglect. You must disclose information if it is required by law. You should:
a. satisfy yourself that the disclosure is required by law
b. only disclose information that is relevant to the request, and only in the way required by the law
c. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so.
54 You can find advice about disclosures that are permitted but not required by law in paragraphs 17–19.
Disclosing information to protect adults who lack capacity
55 You must disclose personal information about an adult who may be at risk of serious harm if it is required by law (see paragraph 53).
Even if there is no legal requirement to do so, you must give information promptly to an appropriate responsible person or authority if you believe a patient who lacks capacity to consent is experiencing, or at risk of, neglect or physical, sexual or emotional abuse, or any other kind of serious harm, unless it is not of overall benefit to the patient to do so.
56 If you believe it is not of overall benefit to the patient to disclose their personal information (and it is not required by law), you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must document in the patient’s records your discussions and the reasons for deciding not to disclose. You must be able to justify your decision.
The rights of adults with capacity to make their own decisions
57 As a principle, adults who have capacity are entitled to make decisions in their own interests, even if others consider those decisions to be irrational or unwise. You should usually ask for consent before disclosing personal information about a patient if disclosure is not required by law, and it is practicable to do so. You can find examples of when it might not be practicable to ask for consent in paragraph 14.
58 If an adult patient who has capacity to make the decision refuses to consent to information being disclosed that you consider necessary for their protection, you should explore their reasons for this. It may be appropriate to encourage the patient to consent to the disclosure and to warn them of the risks of refusing to consent.
59 You should, however, usually abide by the patient’s refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm. You should do your best to give the patient the information and support they need to make decisions in their own interests – for example, by arranging contact with agencies to support people who experience domestic violence. Adults who initially refuse offers of assistance may change their decision over time.
Disclosing information to protect others
60 Doctors owe a duty of confidentiality to their patients, but they also have a wider duty to protect and promote the health of patients and the public.
Legal requirements to disclose information for public protection purposes
61 Some laws require disclosure of patient information for purposes such as the notification of infectious diseases and the prevention of terrorism. You must disclose information if it is required by law, including by the courts (see paragraphs 87–94).
Disclosing information with consent
62 You should ask for a patient’s consent to disclose information for the protection of others unless the information is required by law or it is not safe, appropriate or practicable to do so (see paragraph 14). You should consider any reasons given for refusal.
Disclosing information in the public interest
63 Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.
64 If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm.
The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.
65 Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
66 Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive, or has been diagnosed with a serious communicable disease, or poses a serious risk to others through being unfit for work.
67 Before deciding whether disclosure would be justified in the public interest you should consider whether it is practicable or appropriate to seek consent (see paragraph 14). You should not ask for consent if you have already decided to disclose information in the public interest but you should tell the patient about your intention to disclose personal information, unless it is not safe or practicable to do so. If the patient objects to the disclosure you should consider any reasons they give for objecting.
68 When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:
a. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
b. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
c. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
d. the potential benefits to an individual or to society arising from the release of the information
e. the nature of the information to be disclosed, and any views expressed by the patient
f. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.
69 You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.
70 Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered.
If possible, you should do this without revealing the identity of the patient.
Responding to requests for information
71 You must consider seriously all requests for relevant information about patients who may pose a risk of serious harm to others. For example, you must participate in procedures set up to protect the public from violent and sex offenders, such as multi-agency public protection arrangements (MAPPA) in England, Wales and Scotland and public protection arrangements in Northern Ireland (PPANI). You must also consider seriously all requests for information needed for formal reviews (such as inquests and inquiries, serious or significant case reviews, case management reviews, and domestic homicide reviews) that are established to learn lessons and to improve systems and services.
72 If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
Disclosing genetic and other shared information
73 Genetic and some other information about your patient might also be information about others with whom the patient shares genetic or other links. The diagnosis of a patient’s illness might, for example, point to the certainty or likelihood of the same illness in a blood relative.
74 Most patients will readily share information about their own health with their children and other relatives, particularly if they are told it might help those relatives to:
a. get prophylaxis or other preventative treatments or interventions
b. make use of increased surveillance or other investigations
c. prepare for potential health problems.
75 If a patient refuses to consent to information being disclosed that would benefit others, disclosure might still be justified in the public interest if failure to disclose the information leaves others at risk of death or serious harm (see paragraphs 63–70). If a patient refuses consent to disclosure, you will need to balance your duty to make the care of your patient your first concern against your duty to help protect the other person from serious harm.
76 If practicable, you should not disclose the patient’s identity in contacting and advising others about the risks they face.
Using and disclosing patient information for secondary purposes
77 Many important uses of patient information contribute to the overall delivery of health and social care. Examples include health services management, research, epidemiology, public health surveillance, and education and training. Without information about patients the health and social care system would be unable to plan, develop, innovate, conduct research or be publicly accountable for the services it provides.
78 There are also important uses of patient information that are not connected to the delivery of health or social care, but which serve wider purposes. These include disclosures for the administration of justice, and for purposes such as financial audit and insurance or benefits claims.
79 Anonymised information will usually be sufficient for purposes other than the direct care of the patient and you must use it in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality.
80 You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.
a. The disclosure is required by law, including by the courts (see paragraphs 87–94).
b. The patient has given explicit consent (see paragraph 95).
c. The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103–105).
d. The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106–112).
You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
Anonymised information
81 The Information Commissioner’s Office anonymisation code of practice (ICO code) considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data. Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.
82 The ICO code also makes clear that different types of anonymised data pose different levels of re-identification risk. For example, data sets with small numbers may present a higher risk of re-identification than large data sets. The risk of re-identification will also vary according to the environment in which the information is held. For example, an anonymised data set disclosed into a secure and controlled environment could remain anonymous even though the same data set could not be made publicly available because of the likelihood of individuals being identified.
83 You should follow the ICO code, or guidance that is consistent with the ICO code, or seek expert advice, if you have a role in anonymising information or disclosing anonymised information.
The process of anonymising information
84 Information may be anonymised by a member of the direct care team who has the knowledge, skills and experience to carry out the anonymisation competently, or will be adequately supervised.
85 If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as there is a legal basis for any breach of confidentiality (see paragraph 80), the requirements of data protection law are met (see the legal annex) and appropriate controls are in place to protect the information (see paragraph 86).
Disclosing anonymised information
86 If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.
Disclosures required by statutes or the courts
Disclosure required by statute
87 There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.
88 You must disclose information if it is required by law.
You should:
a. satisfy yourself that personal information is needed, and the disclosure is required by law
b. only disclose information relevant to the request, and only in the way required by the law
c. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
d. abide by patient objections where there is provision to do so.
89 You can find advice about disclosures that are permitted but not required by law in paragraph 19.
Disclosing information to the courts, or to obtain legal advice
90 The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.
91 You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.
92 If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.
93 You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest.
You may disclose information without consent to your own legal adviser to get their advice.
94 In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.
Consent
95 You should ask for consent to disclose personal information for purposes other than direct care or local clinical audit unless the information is required by law, or it is not appropriate or practicable to obtain consent (see paragraph 14 for examples of when this might be the case).
Disclosures for health and social care secondary purposes
Clinical audit
96 All doctors in clinical practice have a duty to participate in clinical audit and to contribute to clinical outcome review programmes. If an audit is to be carried out by the team that provided care, or those working to support them, such as clinical audit staff, you may disclose personal information on the basis of implied consent, as long as you are satisfied that it is not practicable to use anonymised information and that the patient:
a. has ready access to information that explains that their personal information may be disclosed for local clinical audit, and they have the right to object
b. has not objected.
97 If a patient does object to personal information about them being included in a local clinical audit related to their care, you should explain why the information is needed and how this may benefit their current and future care. If the patient still objects, you should remove them from the audit if practicable. If that is not practicable, you should make sure this is explained to the patient, along with any options open to them.
98 If a clinical audit is to be carried out, but not by the team that provided care or those wor
