We have placed cookies on your device to help make this website better.
If you choose to customise the site it will help you to find the most relevant content for your needs. You will still be able to access all content on the site.
0800 716 646
Login to comment
Confidentiality is an essential part of the bond of trust that exists between doctor and patient. Failure to maintain confidentiality may mean a patient is reluctant to reveal private or sensitive information that you may need to know in order to treat them appropriately.
You have a legal and ethical duty to keep all information relating to patients securely and not to disclose any information to third parties without a patient's consent. The only exceptions are when you are required to disclose information by law or under your ethical or contractual obligations. If you decide to disclose information without consent, you should be prepared to justify your decision.
Confidentiality is a patient's right and must be respected by the entire healthcare team.
You must get the patient's express consent before disclosing confidential information about them, or which might identify them, to third parties, unless the law allows or requires otherwise. The patient can give consent orally or in writing.
To give consent, the patient needs to understand:
When a patient gives consent, you must only disclose information the patient has agreed you may disclose, and only to the third party that requested it. No other use can be made of the information without seeking further consent from the patient.
Competent patients can give consent. This includes children under 16 who are competent to make decisions (Gillick competent).
To show competence, generally the patient must:
Every patient must be assumed to have capacity unless it is established that he or she lacks it.
Patients who lack capacity (eg some patients with a mental disorder or young children) require special consideration. Any decisions to disclose information should be taken in the patient's best interests. You ought to consider what action will be likely to benefit the patient, as well as what you know about the patient's views, values and wishes. The views of relatives, carers and close friends should be taken into account. You should also consult anyone able to make relevant healthcare decisions about the patient.
Healthcare professionals who are responsible for patient information must make sure it is effectively protected from improper disclosure, intentional or unintentional, at all times – even after a patient has died.
Patient information should not be disclosed to third parties without consent except in certain circumstances (see MDU Medico-legal Guide: Confidentiality 3.3). You may be called on to justify a decision to disclose information without consent.
Before disclosing information you will need to consider your legal duty, GMC and/or other relevant ethical guidance and the Department of Health's Confidentiality: NHS Code of Practice. For expert advice, please speak to an MDU medico-legal adviser.
Where disclosure (with or without consent) is appropriate, only the minimum relevant information should be disclosed. Disclosure should be made promptly.
Disclosure of confidential information without consent or ethical or lawful justification carries the risk of legal action by the patient and/or investigation by the relevant regulatory body, healthcare trust or the Information Commissioner.
All information about a patient is confidential. This includes any information that could identify an individual, for example:
The duty of patient confidentiality is enforced through four principal mechanisms:
Patients alleging breach of confidentiality may seek redress from a court in a civil action. However, it is rare for this to be the sole cause of action in a civil court case.
The main statute governing patient confidentiality is the Data Protection Act 1998 (DPA). The DPA sets out the rights and responsibilities of data subjects and data users. It regulates the processing of information about individuals, including the obtaining, use or disclosure of information. It covers both paper and computer records. A breach of the DPA can result in civil or criminal proceedings. The Information Commissioner may also impose a Monetary Penalty Notice of up to £500,000 for reckless flouting of the data protection laws.
Data subjects (individuals who are the subject of personal data) are entitled to:
Although in most cases patients have the right to access information held about them, there may be rare occasions when you believe that giving a patient access to the information you hold about him or her may cause serious harm to the physical or mental health or condition of the individual or another person.
This may justify refusing disclosure, but you should talk to the healthcare professional most directly involved in the patient's care and seek advice from the MDU before doing so.
Confidential patient information which includes data about identifiable third parties (other than third parties who are themselves health professionals who have contributed to the record) should not be disclosed without the consent of the third party. Again, the MDU can advise you on any decision to disclose or not.
The data protection principles require that personal data shall:
The guidance document Use and Disclosure of Health Data, published by the Information Commissioner, is a useful source of further information.
Other statutes which affect confidentiality are listed on our website and cover a range of areas including:
Confidentiality of patient information is a requirement of employment under NHS and many independent sector contracts.
In the NHS, misuse of patient information is treated as a serious disciplinary matter. GPs are required under the terms of their contract with their primary care body to designate a person to be responsible for practices and procedures relating to the confidentiality of patient information and to comply with all the relevant guidance issued by their health body or the secretary of the state.
Arrangements for keeping patient information confidential may be scrutinised and monitored – for example, during a trust inquiry, an external review of clinical performance, under GMC performance review procedures, or by the Care Quality Commission.
Professional registration bodies may investigate alleged breaches of confidentiality and, where required, impose sanctions, which may include erasure from the register.
If you are in any doubt about the circumstances in which patient information may be disclosed, please call the MDU's 24-hour helpline for expert advice.
I gave a patient a statement of fitness to work confirming he would be unable to work for four weeks because of backache. Today, his human resources director rang and asked me to confirm that the patient would be unfit to work for 14 weeks. He faxed me a copy of the statement I had provided to the patient and it's clear that someone has added a one in front of the four. What information can I provide?
It is not a breach of confidentiality to tell a person who has been properly given a document by a patient that it is a document you signed. In this case, you can confirm that you did not sign the certificate as faxed through to you. The principle is that you should supply only the minimum information to answer the questions. You may also wish to contact your patient to discuss the matter with him.
A newborn baby was found abandoned outside our local church. A social worker has asked me for contact details of any pregnant patients with expected delivery dates of around this time. I suspect I know the mother concerned. Should I pass on this information?
Your duty of confidentiality prevents you from releasing a blanket list of the names of all your pregnant patients. Even the fact that these are your patients is confidential. You may think you know the mother, and it may be appropriate to arrange to see her and to offer counselling and treatment.
To justify breaching the presumed mother's confidentiality, you would have to argue that failing to do so would put her or someone else at risk of serious harm or death.
A hospital porter slipped on a wet floor and was treated for a fracture in the hospital's A&E department where I work. He is now pursuing a claim against the hospital (his employer) alleging that the floor cleaner was negligent by failing to put up a sign warning of the wet floor. The hospital management have asked for his records to deal with the claim. The patient has not given his consent to the release of the records. Should I, as the A&E consultant, agree to release them?
Had this patient been treated in another hospital's A&E department, his consent would have been needed for the disclosure of his records from that hospital to his employer and the same principle applies in your hospital. Hospital managers have a right to look at documents in the custody of their hospital only for the ordinary administration of healthcare and this includes records of a patient who is pursuing a claim against the hospital alleging that the treatment provided by a member of their healthcare team was negligent. But your hospital's managers cannot use their power to ask for his records just because he was treated in your hospital's A&E department. You need to seek the patient's consent to disclosure in the same way that you would if the request came from any other employer.
This guidance was correct at publication on . It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
Dear Dr Beugelaar, Thanks for posting your query. If you would like to discuss with an adviser, please do call the advisory line on 0800 716 646. If you would prefer to receive an email response, please forward your query to email@example.com and one of our team will be in touch shortly.
Hello, I am no longer a licensed medical doctor and plan to practice complementary medicine (talking therapies including NLP and Hypnotherapy). I am however still on the GMC register.
Can you provide any advice or reading material regarding what I can and cannot advertise as being able to treat/help and the terminology I may use now that I am no longer licenced?
I will have insurance with a complementary medicine provider.
Dear Dr Huda,
Thanks for posting your query. If you would like to discuss with an adviser, please do call the advisory line on 0800 716 646. If you would prefer to receive an email response, please let us know and one of our team will be in touch shortly.
My question is about patients with conditions like DIABETIC KETOACIDOSIS or chest infection and who could full fill the criteria of 4 question for assessing capacity. If these patients decide to leave accident and emergency department, should we consider that they have the capacity and can make their own decision?
© 2017 The MDU
We have detected you are in and some website content may have been personalised to be more relevant to you.
You can change your region setting here or at the top of the page.