Confidentiality, disclosure and access to ... - Wiley Online Library

TOG9_4_257–263

9/27/07

3:51 PM

The Obstetrician & Gynaecologist

Page 257

10.1576/toag.9.4.257.27356 www.rcog.org.uk/togonline

2007;9:257–263

Risk management

Confidentiality, disclosure and access to medical records

Author: Nick Nicholas

Key content:

• Patient confidentiality is not absolute and there are situations where disclosure is allowed.
• Consent is justification for disclosure.
• Disclosure of anonymised information does not generally require patient consent, unless it is possible to identify the patient.
• When the public interest in disclosure is greater than the public interest in confidentiality, disclosure is allowed.

Learning objectives:

• To clarify the legal issues, including General Medical Council (GMC) guidance on patient confidentiality.
• To discuss the law relating to access to medical records; in particular, the Data Protection Act 1998.
• To clarify when there is justification for disclosure.

Ethical issues:

• Can confidential information be disclosed where a patient has refused specific consent?
• How does the law differ from GMC guidance?
• What should a gynaecologist do when a patient informs them that she is planning to inflict serious harm on a specific individual?

Keywords: Caldicott guardians / confidentiality / consent / Data Protection Act 1998 / Freedom of Information Act 2000

Please cite this article as: Nicholas N. Confidentiality, disclosure and access to medical records. The Obstetrician & Gynaecologist 2007;9:257–263.

Author details Nick Nicholas

BSc (Hons) MD FRCOG

Grad (Dip) Law

Email: [email protected] (corresponding author)

Consultant Gynaecologist and Caldicott Guardian/Honorary Senior Clinical Lecturer, Hillingdon Hospital Trust, Pield Heath Road, Uxbridge, Middlesex UB8 3NN, UK; and Imperial College Medical School, Exhibition Road, London SW7 2AZ, UK

© 2007 Royal College of Obstetricians and Gynaecologists


Introduction

Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon counting such things to be as sacred as secrets. (The Hippocratic Oath, 4th Century BC)1

During the course of any consultation, sensitive or intimate information is disclosed to a doctor for him to manage his patient effectively. A duty of confidence arises when ‘confidential information comes to the knowledge of a person in circumstances where he has notice or is held to have agreed that the information is confidential’ (the ‘Spycatcher’ case, AG v Guardian Newspapers Ltd [1990]).2 Information is ‘that which informs, instructs, tells or makes aware’.3 Personal information can be about political affiliation, religious beliefs, medical history or sexuality. Such information can be deemed to be sensitive or intimate; the sensitivity very much depends upon the purpose to which it will be put.

Confidentiality between a doctor and patient underpins one of the most important principles of good medical practice. Optimal medical care can only be provided if a patient is able to speak freely and honestly with a doctor without fear of embarrassment or social retribution. Thus, if a patient who discloses his HIV status to his doctor believes that his medical notes might be disclosed to his employer and he could, thus, be sacked, this would be a strong disincentive to seek medical advice.

The aim of this paper is to consider the manner in which the law regulates the use of confidential information obtained by doctors and the circumstances in which they are lawfully entitled or obliged to disclose personal patient information to a third party. This paper also addresses the extent to which patient information collected in medical records can be controlled by doctors and the impact of the Data Protection Act 1998 and other legislation on access to medical records.

Confidentiality and the common law

The overriding principle for the duty of confidence stems from the premise that ‘he who has received information in confidence shall not take unfair advantage of it’.4 Hence, confidentiality is an obligation of conscience. The following are important points:

• Information is not confidential if it is already in the public domain.


• There is no duty of confidentiality with regard to information that is useless information or trivia.

• The duty to respect confidentiality is not absolute and can be overridden by the public interest need for disclosure.

Thus, it is the nature of the information and the circumstances in which it is disclosed that create the duty of confidentiality.

The doctor–patient relationship

The doctor–patient relationship is one in which information divulged by patients imposes a duty of confidence. In W v Edgell5 the plaintiff, a convicted murderer, applied for transfer to a less secure hospital as a step towards release into a community hospital. His lawyers sought an independent psychiatric report from Dr Edgell, who concluded that the patient, W, was still a danger to the public. His advisers then withdrew the application. However, Dr Edgell chose to send the report to the medical director of the secure hospital and the Home Office. When W discovered this he sought an injunction restraining disclosure of the report and damages for breach of confidence. The court found for the defendant, Dr Edgell, as the breach was justified in the public interest. W appealed and lost.

The Court of Appeal accepted that the obligation of confidence was not absolute, especially where there was a stronger public interest in disclosure. Where this is the case, disclosure can only be justified when it is necessary to counter a specific threat and, thus, a foreseeable danger of serious or physical harm. In such a situation, the doctor would have a duty of care to the potential victim. However, in UK law there is no duty to rescue and no liability for the acts of third parties.

Anonymised information

There is no obligation of confidence with respect to information that cannot identify the patient, i.e. when it is anonymised. In R v Department of Health, ex parte Source Informatics,6 the Court of Appeal upheld this view. The applicant was a data collection company that wanted to collect anonymised data from pharmacists about the prescribing habits of general practitioners. The applicant planned to sell this information commercially. The Department of Health (DH) policy advised pharmacists that to disclose these data would be a breach of confidence. The applicant sought to disprove this. In the first instance it was decided that DH policy was lawful. However, on appeal the decision was reversed because the patients’ identities would be protected and, thus, their privacy safeguarded.

Where information can identify a particular patient because their symptoms are very rare or the patient is one of a very small community, an obligation of confidence would be owed. Thus, in the case of H (a Health Care Worker) v Associated Newspapers Ltd7 and H (a Health Care Worker) v N (a Health Authority),8 the issue was one of disclosure of HIV status of a health care worker. The newspapers wanted to publish the place and specialty in which he worked. The court held that, even though his name would be excluded, there was enough information for people to identify the doctor. Thus, the court refused to allow disclosure of his name and the health authority in which he worked. However, it concluded that the risk of identification was minimal in relation to disclosing details of his specialty and, thus, allowed that information to be made available for public debate.

Justification for disclosure

See Box 1.

Consent

It is perfectly reasonable for a doctor to disclose confidential client information to a third party if the client consents. Both the General Medical Council (GMC) ethical guidance9 and the DH code of practice on confidentiality10 emphasise this. Consent can only be valid if the patient has legal capacity to give consent and they understand the nature of the disclosure proposed. Consent need not be express but might be inferred from conduct. Thus, a patient can implicitly consent to information being shared with other members of the healthcare team responsible for their care. Thus, express consent would not be needed where a general practitioner dictates personal details about a patient so that a medical secretary can type a referral letter. Where patients have explicitly objected to specific information being shared with other healthcare providers, the GMC advises doctors to respect their wishes, although it should be made clear to the patient that this might restrict their treatment options.

Disclosure to third parties

Where doctors are asked to write a report about patients or disclose information from existing records for third parties such as employers, insurance companies or local authorities, they must be satisfied that the patient is aware of the criteria shown in Box 2. Although GMC guidance expects written consent to be obtained before disclosure, in Kapadia v Lambeth London Borough Council,11 the court stated that consent to disclose a medical report may be implied where a person undergoes a medical examination at the request of a third party. Thus, it would seem that the law imposes a different set of standards from that of the government and regulatory bodies. From a practical point of view, doctors would be prudent not to disclose information to a third party without prior written consent from the patient.

Box 1: Justifications for breach of confidentiality

Patient consent

Statutory requirements
• Road Traffic Act 1988
• Terrorism Act 2000
• Health and Social Care Act 2001 s60
• Abortion Act 1967 and Abortion Regulations 1991
• Public Health (Control of Disease) Act 1984
• Supreme Court Act 1981

Disclosure in the public interest
• Protecting the public (public policy)
• Protecting the public from crime
• Protecting third parties

Box 2: Criteria necessary prior to disclosure to third parties

• The patient must be aware of the purpose of the disclosure and the extent of information that will be given
• The patient must be aware that the information cannot be concealed or withheld
• There must be written consent from the patient to the disclosure
• Only information relevant to the request can be disclosed
• Only factual information that can be substantiated and presented in an unbiased manner can be included

Disclosure required by law

In Hunter v Mann12 the court considered the question of whether a doctor had a legal obligation to provide information to the police investigating a dangerous driving offence. The conclusion was that the doctor must disclose information where he is compelled by law.

Section 60 of the Health and Social Care Act 2001 gives the power to override patient consent when patient-identifiable information is needed for essential National Health Service (NHS) activity. It can only be applied where the interests of the wider public are contemplated, such as medical research and preventative medicine when it is impracticable to seek written consent from a large number of patients. The Secretary of State can also make regulations under Section 60 in the interests of improving patient care or the public interest, i.e. for the establishment of cancer and disease registries. Concerns have been raised over the potential use of this power with regard to HIV results, drug trials and genetic information. Section 60 regulations could potentially permit the NHS to have information about patients that is not known by the individuals themselves.

Doctors must also disclose information under the Terrorism Act 2001, The Abortion Regulations 1991, Public Health (Control of Disease) Act 1984 and the Supreme Court Act 1981.


Disclosure in the public interest

Legal guidance on what this actually means is unclear, making it difficult to know when the duty of confidence can be overridden. The balance of public interest was considered in X v Y.13 In this case the defendants intended to publish the identities of two HIV-positive doctors who were working in general practice. The health authority that held their medical records sought an injunction to restrain publication. The question was whether it was in the public interest to publish their names. The judge also heard evidence that the risk of HIV transmission by the doctors was extremely small. The injunction was granted on the basis that the public interest in maintaining confidence and loyalty outweighed the public interest in disclosure by having a free press and informed public debate.

In W v Edgell,5 the question was raised as to what risks of harm might be sufficient to justify disclosure of confidential information in the public interest. The suggestion was made that the risk of harm must be ‘real’, not fanciful, and that it must be a risk of physical harm. If this is the case, then does the doctor need to have a reasonable belief that such a risk exists or must he prove objectively that a risk of physical harm does, in fact, exist? The British Medical Association (BMA)14 allows disclosure of the minimum amount of information necessary to achieve the objective when considering breach of confidentiality for anticipated harm. The GMC allows disclosure without consent when it would be justifiable in the public interest if ‘failure to do so [could] expose the patient or others to risk of death or serious harm’.9 Such situations can arise in child abuse cases.

What if the patient has never actually harmed anyone, but has dangerous thoughts or aspirations of doing so? Is the doctor duty bound to breach the code of confidence and disclose the information to the appropriate authorities? This was considered in the US case of Tarasoff v Regents of the University of California.15 In this case, the patient confided in his psychotherapist that he intended to harm T. The therapist told the university police, but not the potential victim. The patient then murdered T. T’s family successfully sued the university for the employees’ (i.e. the police’s) failure to protect T. The court held that it was the doctor’s duty to use reasonable care to disclose information where there was a risk of serious danger or violence to another. There is no legal precedent in UK law, but if this situation were to arise, any breach of disclosure would probably be justified. Note, however, that in UK law there is no duty to rescue.

Doctors are often faced with a dilemma when they are aware that a patient who is HIV-positive has not informed her sexual partner of her HIV status. Although it can be valuable for one partner to be honest about their HIV status so that the other partner can take steps to avoid infection, there is also the public interest argument that people might not wish to come forward to be tested if they know that a positive result is liable to disclosure. Where the HIV-positive patient refuses to allow the doctor to inform other health care workers and cannot be convinced that disclosure is in the best interest of their care, the doctor is under a duty to respect the patient’s wishes unless failure to disclose would pose a risk of serious harm or death to other health care workers (GMC guidance).9

Disclosure to prevent crime

Both the GMC and the DH code of practice allow disclosure to prevent or detect crime. According to the Police and Criminal Evidence Act 1984, police can only request medical records if they are investigating a ‘serious arrestable offence’. Section 11 of this Act classifies medical records as ‘excluded material’, thus not allowing access. In Hunter v Mann a doctor treated two people who had been involved in a hit-and-run accident. The doctor refused to provide information to the police on the grounds that he would be breaching their confidence. The doctor was convicted under the Road Traffic Act 1972, which was upheld on appeal. The less serious the crime, the less likely it is that the public interest in maintaining confidentiality will be trumped by the public interest in facilitating crime prevention.

Teaching, research and audit

Wherever possible, data used for audit and research should be anonymised. The GMC recommends that patient consent be obtained to justify disclosure. With regard to research, consent may not be needed where the research has been sanctioned through the appropriate ethics committee.

Publication of photographs

The GMC states that express consent must be obtained from the patient before information about them is published in journals and textbooks, even if the doctor believes that the patient cannot be identified.

Deceased patients

The law on whether the obligation of confidence continues after a patient has died is still unclear, although the most likely outcome is that, once the patient has died, the legal duty of confidentiality dies with the patient. Paradoxically, there is little that is confidential about a death itself, since the death certificate is a public document. However, the DH code of practice and the GMC both argue that the ethical obligation continues after death. Box 3 identifies the criteria that need to be taken into account regarding disclosure.


Confidentiality and the child

All patients, regardless of their age, can expect a duty of confidentiality from their doctor. Disclosure is justifiable, however, where the doctor is concerned about the possibility of child abuse. In such cases there is a wider public interest in protecting the child’s best interests that outweighs parental autonomy. Confidentiality between parent and child becomes even more strained when a minor wishes to conceal details of their sexual affairs from their parents. The leading case of Gillick v West Norfolk and Wisbech AHA,16 involving the dilemma between the rights of the parents to know and the right to confidentiality owed to a minor requesting contraception, was clarified by Lord Fraser (Box 4). Thus, the right to confidentiality can be expected when the doctor is acting in a minor’s best interests, although there is an obligation for the doctor to try to persuade the minor to allow parental disclosure. However, the BMA view is that even a minor who lacks capacity has a right to expect confidentiality after a consultation.17

Remedies to breach of confidentiality

See Box 5.

Injunction

A patient can apply to the court for an injunction to restrain publication of confidential information in full or in part. The court has discretionary power to do this.

Declaration

The claimant may be satisfied with a declaration from the court that an anticipated disclosure will amount to a breach of confidence or that a breach has actually taken place.

Damages

Where a doctor’s breach of confidence has caused financial harm to the patient by affecting the patient’s business opportunities or employment prospects, the loss could be compensated. Where the harm is merely anxiety and mental stress, the law is less certain about what, if any, damages can be retrieved. However, in Lady Archer v Williams18 the claimant received £2,500 damages for breach of confidence and injury to feelings.

Restitutionary damages

Where a doctor makes financial gain by breaching a confidence, for example, by selling a patient’s story to the press, it is likely that the patient will be awarded the earned profits.

Access to medical records and confidentiality

Who actually owns the information? If it were the patients, there would be no legal restriction on access to the records. However, in law, the treating institution, i.e. the NHS, owns the medical records and thus the patient has no automatic right of access other than by common law or statutory provisions.

The Data Protection Act 1998

The Data Protection Act 1998 applies to manual and computerised records. Breach of the Act is a criminal offence. Data controllers (who control the purposes and manner in which personal data are processed) are expected to comply with the eight data protection principles (Box 6). Although patients have a right to access their personal data, it is not an absolute right. The data controller need not comply in any of the following circumstances:

• he is unsure of the identity of the person seeking the information
• disclosure of information relating to a third party would result; unless, of course, the third party consents to the information being given
• compliance would cause serious harm
• disclosure is not in the best interests of the data subject.

Schedule 1 requires that data shall be fairly and lawfully processed; schedule 2 sets out the conditions that permit data processing of personal data, namely consent. Schedule 3 states that the data subject must give implicit consent to data processing necessary to protect the medical interests of the data subject or for the administration of justice.

Box 3: Criteria that need to be taken into account prior to disclosure of information about deceased patients

• Whether disclosure of information could cause distress to or be of benefit to the patient’s partner or family
• Whether disclosure about the deceased will, in effect, disclose information about the patient’s family or other people
• Whether the information is already in the public domain or can be anonymised
• The purpose of the disclosure

Box 4: Fraser guidelines

A doctor can give contraceptive advice or treatment to a person under 16 years of age without parental consent providing the doctor is satisfied that:

• the girl would understand the advice
• she could not be persuaded to inform her parents or allow the doctor to do so
• she was likely to have intercourse with or without contraception
• unless she received contraceptive advice or treatment, her physical or mental health or both were likely to suffer
• her best interests required her doctor to give her contraceptive advice, treatment or both without parental consent

Box 5: Remedies for breach of confidentiality

• Injunction
• Declaration
• Damages
• Suspension/removal from the GMC register

Box 6: Data protection principles

• Personal data should be processed fairly and lawfully.
• Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data shall not be kept for any longer than is necessary for those purposes.
• Personal data shall be processed in accordance with the rights of data subjects within the Act.
• Appropriate technical and organisational measures shall be taken against unauthorised processing of data and against accidental loss, damage or destruction of personal data.
• Personal data shall not be transferred to a country outside the EU unless that country ensures adequate protection for the rights and freedoms of the data subjects in relation to processing of personal data.

Box 7: Exemptions to the Access to Health Records Act 1990

• Information likely to cause serious physical or mental harm to any individual
• Information relating to an individual, other than the patient, who could be identified from that information, unless prior consent has been given
• Where the record has a note from the deceased patient denying access to personal representatives

The relationship between the Data Protection Act 1998 and the Freedom of Information (FOI) Act 2000

The FOI Act 2000 creates a right of access to information held by public authorities, subject to certain exemptions:

• where information is given in confidence
• where disclosure of information is prohibited under law
• where disclosure could cause harm to an individual.

Thus, a patient seeking medical information about herself cannot do so through the FOI Act 2000, since this is an absolute exemption.

Access to Health Records Act (AHR) 1990

This Act applied to manual records created on or after 1 November 1991. The right of access to medical records now falls within the Data Protection Act 1998, except with regard to personal representatives of a deceased patient seeking disclosure of information to claim compensation for medical negligence. The Data Protection Act 1998 only covers disclosure of records relating to living persons. There are three exemptions to the AHR Act 1990 (Box 7).

Access to Medical Reports Act 1988

This Act gives patients the right to inspect or receive a copy of medical reports that have been prepared for employment or insurance purposes. Before a report is prepared, the Act provides that consent be obtained from the individual and that it is conditional on being given access to the report before being sent on to the employer or insurance company. Access is not absolute and there are three exceptions, which are the same as the AHR Act 1990 1 and 2 (Box 7). The only difference is in the third reason, which is ‘where disclosure would indicate the intentions of the doctor in respect of the individual.’

Caldicott guardians in the NHS

In 1997, Caldicott guardians were appointed in each NHS Trust to act as gatekeepers and to develop a framework for handling patient-identifiable information and confidentiality. Since then, the Caldicott role has expanded into information governance in the broader context of security procedures relating to all information held. Guardians are responsible for monitoring and reviewing internal protocols governing the protection of patient and other identifiable information within an organisation. The Caldicott Committee agreed that flow of information should be regularly justified and tested against the principles developed in the Caldicott Report 1997.19 (See Box 8).

Box 8: Caldicott principles

• Justify the purpose for using confidential information
• Only use it when absolutely necessary
• Use the minimum that is required
• Access should be on a strict need-to-know basis
• Everyone must understand his or her responsibilities
• Understand and comply with the law

Conclusion

The doctor–patient relationship is one in which there is an expectation or promise that the doctor will keep secret anything that the patient imparts. The information must have been conveyed in circumstances that give rise to a position of trust. The duty of confidence cannot be absolute and there must be exceptions that allow disclosure without legal penalty. As the NHS moves ultimately into a fully electronic patient record service, the need to protect patient confidentiality becomes an increasingly difficult task. Internal policies have to be put into place to safeguard the access and use of sensitive data in such a way that the confidence of the doctor–patient partnership is maintained and, indeed, strengthened. Patient autonomy must underpin all these processes. Failure to reassure the patient could result in erosion of trust and potential harm to the health of the patient who would be reluctant to come forward and seek medical help.

References

1 Edelstein L. The Hippocratic Oath: Text, Translation and Interpretation. Baltimore: Johns Hopkins Press; 1943.
2 Attorney-General v Guardian Ltd Newspapers (No 2) (The Spycatcher) [1990] 1 AC 109.
3 Pattenden R. The Law of Professional–Client Confidentiality. Oxford: Oxford University Press; 2003. p. 3.
4 Grubb A. Principles of Medical Law. Oxford: Oxford University Press; 2004. p. 555.
5 W v Edgell [1990] Ch 359 (CA).
6 R v Department of Health, ex parte Source Informatics [2001] QB 424 (CA).
7 H (a Health Care Worker) v Associated Newspapers Ltd [2002] EWCA Civ 195.
8 H (a Health Care Worker) v N (a Health Authority) [2002] Lloyd’s Rep Med 210.
9 General Medical Council. Confidentiality: Protecting and Providing Information. GMC: London; 2000.
10 Department of Health. Confidentiality: NHS Code of Practice. DH: London; November 2003.
11 Kapadia v Lambeth London Borough [2000] 57 BMLR 170 (CA).
12 Hunter v Mann [1974] QB 767.
13 X v Y [1988] 2 All ER 648.
14 British Medical Association. Confidentiality and disclosure of health information. London: BMA; October 1999 [www.bma.org.uk/ap.nsf/Content/Confidentialitydisclosure].
15 Tarasoff v Regents of University of California [1976] 551 P 2d 334 (cal Sup Ct).
16 Gillick v West Norfolk and Wisbech AHA [1985] 3 All ER 402.
17 British Medical Association. Medical Ethics Today. London: BMJ Books; 2004. p. 165–97.
18 Lady Archer v Williams [2003] EWHC; 1670.
19 Department of Health. Protecting and Using Patient Information. A Manual for Caldicott Guardians. London: DH; 1997.