The scene

A GP contacted the MDU for advice after receiving a complaint from a patient.

The patient had instructed a solicitor to investigate a possible claim against their employer following a work related injury. As part of the solicitor's initial investigations she had asked the GP to release copies of the patient's medical records for the last five years. The solicitor provided evidence of consent from the patient for this limited disclosure.

The GP had prepared copies of the records, with the usual redactions as required under the Data Protection Act 2018, and had given these to the solicitor.

Unfortunately, the records provided to the solicitor included a copy of a referral letter to dermatology outpatients about a pigmented skin lesion. The GP's IT system had automatically populated the referral letter with the patient's significant past medical history, including the fact that he had a history of drug-induced psychosis resulting in a hospital admission under the Mental Health Act around 20 years ago.

The patient complained to the GP, saying that this information was not relevant to the dermatology referral, and also that since it related to his health before the five-year period requested by the solicitor, it should not have been disclosed.

MDU advice

The MDU adviser suggested that the practice consider investigating the concerns raised as a significant event, and in doing so, could review relevant GMC guidance, such as that contained in Confidentiality: good practice in handling patient information.

The GMC says that, "most patients understand and expect that relevant information must be shared within the direct care team to provide their care", and that, "you may rely on implied consent to access relevant information about the patient or to share it with those who provide (or support the provision of) direct care to the patient". The patient may feel that his past history of psychosis - which had never recurred - was not relevant in the context of a dermatology referral.

The practice was also advised to consider whether the data breach met the threshold for reporting - for example, to the Information Commissioner's Office. The NHS Digital Data Security and Protection Toolkit includes Guide to the Notification of Data Security and Protection Incidents. Following this guidance would help reassure the patient that his concerns had been taken seriously, as well as protecting the practice's position if he chose to refer his concerns to the ICO.

The practice held an internal significant event review, and discussed the concerns raised with their Caldicott guardian. They did not feel that they were required to notify the incident, having used NHS Digital's toolkit. They did revise their own policies on data sharing, both for clinical and non-clinical purposes, to ensure that only relevant information is provided in both settings.

The MDU assisted the GP with a detailed response to the patient, explaining how his concerns had been investigated and what steps the practice would take in future to prevent similar occurrences. The patient expressed his gratitude that his concerns had been taken seriously, and did not take his complaint any further.

Accidental disclosure of patient information

Related articles

Membership in your pocket