Patients value their privacy and expect what they share with doctors will in most cases remain confidential, but there is also wider public interest in having a confidential medical service. Patients will be more likely to attend their doctors and be transparent about their problems knowing their information will generally not be shared without their consent.
The ethical obligation of confidentiality is recognised by the Medical Council. For example, its Guide to Professional Conduct and Ethics for Registered Medical Practitioners says:
- "Confidentiality is central to the trust between you and your patients, and is a core element of the doctor/patient relationship. However, sharing information, in appropriate circumstances, is also important, both for patient care and for the safety of the patient and others1."
As well as these ethical obligations, legal considerations include the following:
- the requirements of the General Data Protection Regulation and Data Protection Act 2018 - many doctors will be familiar with these obligations
- the right to privacy, as outlined in Article 8 of the European Convention on Human Rights
- the provisions of Article 40 of the Constitution of Ireland, as interpreted by the courts
- the Common law (otherwise known as case law).
There may also be contractual obligations relating to confidentiality of patient information.
These points do not offer an absolute right to privacy or confidentiality, however. In each case, as with the ethical guidance, there may be exceptions to the general rule.
These considerations can be particularly challenging for doctors, who often have to weigh the expectations of the individual patient with the possible wider benefits of sharing information that would normally be confidential. Cases like this may give rise to complaints when patients believe their confidentiality has been breached.
It's worth remembering that all of the information you hold about a patient - including the simple fact that they are your patient - is confidential.
Nevertheless, you can share information about a patient with others in a number of circumstances, and it can be helpful to consider these in several categories.
Sharing information with patient consent
The most common reason for sharing patient information is for the purposes of direct patient care, such as writing to their GP or referring them to a colleague. While you may wish to rely on the possibility that consent to do so is implied by the patient, the Medical Council expects you to, "explain to the patient that information is being shared for their benefit and with whom the information is being shared"2.
If a patient does not want you to share information you believe is relevant, you should discuss the possible consequences of this with them, and see if you can reach a compromise. If they cannot be persuaded, you should not share that information - and may need to explain that you can't refer them or arrange treatment without providing the information you believe is necessary and relevant.
If you have consent, you can also share information for other reasons, such as with a patient's solicitor or an insurance company, but you will usually wish to see explicit, written consent in this context.
For example, a patient may understand that a solicitor will ask for records directly relevant to injuries sustained in an accident, but may not understand that the solicitor will ask for their entire record. If you're in doubt, it's worth checking the patient understands what is to be disclosed.
Sharing information when required by law
- There are a number of laws that require disclosure of relevant information, such as infectious diseases regulations.
- In such cases you should ensure that the disclosure is actually required and that you only disclose that which is relevant and necessary.
- In most cases, you should tell the patient you are making the disclosure as is required by law.
You must also share information if you are ordered to do so by a court or other body that has authority to do so. If you receive any correspondence suggesting you're being ordered to share confidential medical information, and if you are in any doubt, you can seek advice from the MDU. Again, it would be usual to tell the patient you are making a disclosure in the situation, unless this would undermine the purpose of the disclosure.
If you are sharing information without a patient's consent, even if required by law, you should document carefully what you have disclosed, on what basis and (if appropriate) what discussions you have had with the patient about this - or reasons why you have not discussed it.
Sharing information in the public interest
- Sharing information with consent, or if legally required, is usually straightforward.
- Weighing up a decision to share information without consent when it is not required can be much more difficult.
There may be situations where disclosing information is permitted, but not necessarily required, by a particular law. For example, the Data Protection Act 2018 permits the disclosure of information (which would normally be confidential under the terms with the Act), "for the prevention, detection, investigation and prosecution of criminal offences.
The relevant part of the Act allows you to share information for this purpose without being in breach of the Act generally. However, it does not oblige you to share this information - and importantly does not override your ethical obligations of confidentiality. You may need to consider the nature of the information being sought and the seriousness of the alleged offence, as well as the option of seeking consent for the disclosure.
There will be other circumstances where disclosure without consent and contrary to the patient's wishes might be justified in the wider public interest. Examples may include where there are child protection or safeguarding concerns, or if a patient acts in a way likely to put others at risk and cannot be dissuaded from doing so (like driving a car when medically unfit to do so).
In such cases it's appropriate to discuss any proposed disclosure with the patient before you make it, unless this would undermine the purpose of the disclosure, as well as telling the patient (preferably in writing) afterwards.
In all such cases, you should carefully document your reasons for sharing the information (or not sharing it if that is your decision) and your discussions with the patient. You should share the minimum amount of information necessary and relevant for the intended purpose.
These are often finely balanced decisions and the MDU can assist when you are faced with them.
Patients who lack capacity
If a patient lacks capacity to make an informed decision about their information being shared then it is generally acceptable to do so if:
- it is of overall benefit to the patient
- it is required by law
- the wider public interest in disclosing the information outweighs the patient's own interest in it remaining confidential.
Disclosure after death
Your ethical obligation of confidentiality continues after a patient has died, but it may be still acceptable to share information about them. This may depend on:
- who has asked for the information
- what information is being sought
- what that information is to be used for.
It would be important to consider any wishes the patient expressed before dying, as well as whether sharing the information would be beneficial or distressing to their family - for example, being given relevant information could help the family understand the circumstances of the patient's death, or assist in managing the patient's estate.
This would not usually mean that they are entitled to see the entire medical record, as it is usually enough to only disclosure of information relevant to a specific need.
Sharing information for secondary purposes
Sharing information for clinical audit, education and similar activates is a necessary aspect of providing safe healthcare. Information should be anonymised or coded if being used for these purposes, particularly if it is being shared with those not involved in the patient's care.
If the information cannot be anonymised, and is to be used for a secondary purpose, then consent should be sought, and the patient's wishes respected3.
The Medical Council requires doctors to "comply with data protection and other legislation relating to storage, disposal and access to records. You should understand the eight rules of data protection"4. You should also comply with local policies or any contractual obligations you may have.
If you have any questions about confidentiality and disclosure, you can contact our advisory department on 1800 535 935 or by email at email@example.com.
2 Guide to Professional Conduct and Ethics for Registered Medical Practitioners, para 30.3
This page was correct at publication on 08/03/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.