Confidentiality

Ethical and legal

Confidentiality

Confidentiality and codes of practice

Gillian M Lockwood

Hippocratic Oath ‘Whatever … I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.’ Declaration of Geneva ‘I will respect the secrets which are confided in me, even after the patient has died.’ GMC guidelines ‘Patients have a right to expect that information about them will be held in confidence by their doctors. Confidentiality is central to trust between doctors and patients … if you are asked to provide information about patients you should: • seek patients’ consent, whether or not you should judge that patients can be identified • anonymise data where unidentifiable data will serve the purpose • keep disclosures to the minimum necessary.’

Confidentiality and the basis of good medical practice Good medical practice depends on establishing a relationship of honesty and trust between doctor and patient. This belief has been enshrined in codes of professional ethics from the Hippo­ cratic Oath onwards, including the International Code of Medical Ethics and the Declaration of Geneva (Table 1). Underpinning the concept of medical confidentiality is the view that the information that a doctor learns about a patient in his professional capacity ‘belongs’ to the patient, and that the patient has the right to determine who has access to such infor­ mation. (We speak of a patient ‘giving’ and the doctor ‘taking’ a history.) Confidentiality supports the principle of respect for patient autonomy, a principle that emphasizes the patient’s right to have control over his own life. Respect for patient autonomy is categorically opposed to the ‘paternalistic’ attitudes of the past, whereby the doctor was deemed to ‘know best’ what was in the patient’s interests and who should be granted access to informa­ tion about the patient and his condition. The doctor–patient relationship may be interpreted as an agreement in which the doctor guarantees confidentiality (secrecy and discretion) in exchange for the confidence and honesty of the patient. Patients may give information solely because they believe there is an understanding that what they say will be kept confidential. If the doctor subsequently breaches confidentia­ lity, the patient may feel that the doctor has broken an implied ­promise. Breaching of confidences can have deleterious consequences, particularly for the doctor–patient relationship. If the patient discovers the breach, she may lose trust in that particular doc­ tor or in doctors in general, resulting in her receiving less effec­ tive health care. If her complaint of breach of confidentiality becomes more widely known, this may undermine the attitude of many people towards the medical profession, with the con­ sequences of general loss of trust and a deleterious effect on health care.

Table 1

Legal aspects The legal status of confidentiality lies principally in common law. Table 2 summarizes some key aspects. A doctor’s legal obligation of confidentiality is best seen as a public and not a private interest. It is for this reason that the obligation is not absolute (Table 3). When a doctor breaches confidentiality, the question that the law asks is: ‘Is the balance of public interests in favour of breaching confidentiality or of maintaining it?’

Key legal aspects of confidentiality • There is a general legal obligation for doctors to keep what patients tell them confidential • This obligation is not absolute – there are situations in which the law obliges doctors to breach confidentiality, and situations in which the law allows doctors to breach it • In both these situations, it is important that the doctor breaches confidentiality only to the relevant person or authority • The general obligation of doctors to maintain confidentiality is a public, not a private, interest; in other words, from the legal perspective, it is in the public interest for patients to be able to trust their doctors to maintain confidentiality • The issue of when it is lawful, and when not lawful, for a doctor to breach confidentiality is often a question of balancing public interests (not of balancing private and public interests)

Gillian M Lockwood MA DPhil MRCOG is Medical Director of Midland Fertility Services, Aldridge, UK. She qualified in philosophy, politics and economics and in medicine from the University of Oxford. She is a Fellow of the Ethox Centre at the University of Oxford, Chair of the British Fertility Society Ethics Committee, and a member of the Ethics Committee of the Royal College of Obstetrics and Gynaecology.

THE FOUNDATION YEARS 3:3

When unsure, contact the GMC. Table 2

107

© 2007 Published by Elsevier Ltd.

Ethical and legal

treated for AIDS. When an attempt to prevent publication was made, a ‘public interest’ claim was advanced citing the free­ dom of the press and the right of the public to informed debate about the problem of doctors with AIDS. The judge accepted that there was some public interest in publishing the names of the doctors, but decided that this was substantially outweighed by the public interest in maintaining confidentiality, both gen­ erally and with particular reference to AIDS patients’ hospital records. In the key case of W v Egdell (1989 1 All ER 835), the Court of Appeal approved a doctor’s disclosure of confidential informa­ tion in the public interest. W was a patient detained in a secure hospital for an indefinite period of time because he had killed five people and wounded two others. He was diagnosed with schizophrenia and found not guilty by reason of insanity. Then, 10 years into his detention, he appealed to a mental health review tribunal for transfer to a less secure hospital. W’s solici­ tors asked Dr Egdell, a consultant psychiatrist, for a report on W’s condition, hoping that the report would support W’s trans­ fer. However, Dr Egdell formed the opinion that W was suffering paranoid psychosis and remained highly dangerous. His report strongly opposed W’s transfer. When Dr Egdell discovered that W’s solicitors would not make his report available either to W’s consultant or to the review tribunal, he sent a copy to the medi­ cal director of the hospital with a suggestion that it be forwarded to the Home Secretary. When W realized what Dr Egdell had done, he issued an injunction restraining the use of the report and seeking damages for breach of confidence. The case went to the Court of Appeal. The judgment found that Dr Egdell was right to breach confidentiality, because the public interest was in favour of disclosure. The GMC guidelines are helpful in decision-making in the ­difficult area when the balance of interests is unclear (Table 4).1

Confidentiality and medical practice Examples of situations in which doctors must not breach confidentiality • ‘Casual breaches’ (e.g. for amusement, to satisfy another person’s curiosity, by failure to anonymize details in reports or publications) • To prevent minor crime, or to help conviction in minor crime (most crimes against property are probably considered minor crimes in this context) • To prevent minor harm to another individual • Doctors working in genitourinary clinics – no information that might identify a patient examined or treated for any sexually transmitted disease should be provided to a third party (except in a few specific situations) • Doctors should not write a report or fill in a form disclosing confidential information (e.g. for an insurance company) without the patient’s consent (preferably written) Examples of situations in which doctors must breach confidentiality (to specific authorities only) • Notifiable diseases – Notifiable Diseases [Public Health (Control of Diseases)] Act (1984) • Drug addiction – Misuse of Drugs Act (1973) • Termination of pregnancy – Abortion Act (1967) • Births – Births and Deaths Registration Act (1953) • Deaths – Births and Deaths Registration Act (1953) • To police on request – name and address (but not clinical details) of driver of vehicle who is alleged to be guilty of an offence under the Road Traffic Act (1988) • Under court orders • Identification of patients undergoing in vitro fertility treatment with donated gametes (and the outcome of such treatment) – Human Fertilization and Embryology Act (1990) • Identification of donors and recipients of transplanted organs – Human Organ Transplants Act (1989) • Prevention, apprehension or prosecution of terrorists connected with Northern Ireland – Prevention of Terrorism Act (2000)

Disclosure to third parties Doctors must respect requests by patients that information should not be disclosed to third parties, other than in exceptional circumstances (e.g. when the health or safety of others would

Situations in which doctors have discretion to breach confidentiality • Sharing of information with other members of the health-care team in the interests of the patient • A patient who is not medically fit to drive continues to do so (NB: the GMC now advises doctors to inform the DVLA medical officer in such circumstances) • A third party is at significant risk of harm (e.g. partner of HIV- positive person)

Some GMC guidelines on confidentiality1 Disclosure of personal information without consent may be justified when failure to do so may expose the patient, or others, to risk of death or serious harm. In such circumstances, you should disclose information promptly to an appropriate person or authority. Such circumstances may arise, for example, when: • a patient continues to drive, against medical advice, when unfit to do so (see Table 3) • a colleague, who is also a patient, is placing patients at risk as a result of illness or another medical condition • disclosure is necessary for the prevention or detection of a serious crime.

Table 3

Some legal cases Certain cases brought before the law courts have tested the prin­ ciple of medical confidentiality. In one case (X v Y, 1988 2 All ER 648), employees of a Health Authority divulged to a national newspaper the names of two practising doctors who were being

THE FOUNDATION YEARS 3:3

The BMA also produces useful guidelines on confidentiality and disclosure of health information (web.bma.org.UK/public/ethics.nsf). Table 4

108

© 2007 Published by Elsevier Ltd.

Ethical and legal

be at serious risk). However, to provide patients with the best ­possible care, it is often essential to pass confidential information between members of the health-care team.

Data Protection Act (1998) This Act sets out principles that apply to both computer records and records held in manual form (e.g. patients’ medical notes). The principles are designed to ensure that personal data is: • accurate • relevant • held only for specific, defined purposes for which the user has been registered • not kept for longer than necessary • not disclosed to any unauthorized persons.

Disclosure to employers and insurance companies When assessing a patient on behalf of a third party (e.g. employer, insurance company), it must be clear at the outset that the patient is aware of the purpose of the assessment, of the obligation that the doctor has towards the third party concerned, and that this may necessitate disclosure of personal information. Written consent should be obtained before such an assessment is made. Even after a patient has died, the obligation to keep informa­ tion confidential remains. If an insurance company seeks infor­ mation about a deceased patient to decide whether to make a payment under a life assurance policy, information should not be released without the consent of the patient’s executor, or a close relative who has been fully informed of the consequences of disclosure.

Data subjects A key term is ‘data subjects’. These are the people to whom the data apply (e.g. patients, participants in research). The Act gives statutory rights for data subjects to have access to personal information held on them, with certain exceptions (see below). The Act enables data subjects to be: • informed whether personal data has been processed • given a description of the data held, the purposes for which it is processed, and knowledge of the persons to whom the data may be disclosed • given a copy of the information constituting the data • given information on the source of the information.

Confidentiality and access to medical records Every NHS organization must appoint a ‘Caldicott guardian’, who is normally a senior health professional, to oversee all pro­ cedures that affect access to person-identifiable information. The general principle is that NHS organizations must take the confidentiality of patient information seriously. This includes anonymizing such information when possible, and restricting access to information to those with a ‘need to know’ – which generally means a need to know for the patient to receive good clinical care. Widening of access to personal medical records came with the Data Protection Act (1984) and the Access to Health Records Act (1990). These have been effectively replaced by the Data Protection Act (1998), which was enacted to comply with Euro­ pean legislation giving individuals the right to see information about them held on computer (Table 5). The Access to Medical Reports Act (1988) covers all reports generated for insurance or employment purposes by doctors responsible for the clinical care of patients; however, this stipulation leaves a loop-hole through which reports commissioned by, for example, a company doctor could slip. The issue of confidentiality in the context of child patients is complex and not legally clear. If a child is competent to consent to a treatment and tells the doctor that she does not want her parents to know certain clinical information, the doctor should not normally inform the parents. However, when the child is not competent to consent to treatment, it is legally unclear whether the doctor can inform the parents against the child’s wishes.2

NB: The Act defines the ‘processing’ of data as: ‘obtaining, recording, or carrying out any operation including retrieval or consultation, or use of information, and disclosure.’ Data subjects also have the right of rectification; that is, the right to have inaccuracies in the data corrected. Data subjects may seek compensation for any harm suffered as a result of inaccuracy. For a patient to gain access to his personal health record, a request must be made in writing. A response must be given by the appropriate person or institution within 40 days of the request, or the applicant must be informed that there are grounds for withholding the information. Information can be withheld in certain circumstances; for example: • When access ‘would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person’. • ‘Giving access would reveal the identity of another person, unless that person has given consent to the disclosure or it is reasonable to comply with the access request without that consent. This does not apply if the third party is a health professional who has been involved in the care of the patient unless serious harm to that health professional’s physical or mental health or condition is likely to be caused by giving access.’ Table 5

The future Confidentiality remains the cornerstone of the doctor–patient relationship and has a therapeutically significant role. However, as medicine becomes increasingly technologically sophisticated and the clinical team enlarges to involve more diagnosticians and therapists, there is a danger that the individual nature of

THE FOUNDATION YEARS 3:3

the trust relationship between primary health-care provider and patient could become strained. New genetic advances involving accurate assessment of the likelihood of individuals developing specific diseases (genetic screening – information of interest to 109

© 2007 Published by Elsevier Ltd.

Ethical and legal

both patients and insurance companies) seem likely to further test the fundamental nature of confidentiality. ◆

Further reading Beauchamp TL, Childress JF. Principles of biomedical ethics, 5th edn. Oxford: Oxford University Press, 2001. Grubb A, Pearl D. Blood testing, AIDS and DNA profiling: law and policy. Bristol: Jordan, 1990. Medical ethics today. London: BMA, 2003. Symposium on consent and confidentiality 2003. J Med Ethics 2003; 29: 2–40. www.ethics-network.org.uk (UK Clinical Ethics Network)

References 1 www.gmc-uk.org 2 Montgomery J. Health care law. Oxford: Oxford University Press, 1997.

THE FOUNDATION YEARS 3:3

110

© 2007 Published by Elsevier Ltd.