Understanding confidentiality and the law on access to medical records
Remedies for breach of confidentiality
• Injunction
• Declaration
• Damages
• Suspension/removal from the GMC register
Box 1
ETHICS/EDUCATION
Understanding confidentiality and the law on access to medical records
Nick Nicholas
Sotiris Nicholas
Abstract
The doctor patient relationship has never been so seriously threatened
with the public loss of confidence that has arisen because of the widespread
loss of data in both the public and private sectors. All data, especially
patient-sensitive information, must be treated with respect. Failure
to maintain confidentiality is a serious offence punishable in common
law but much more importantly the GMC has the statutory power to
suspend or remove a doctor from the medical register. Doctors, therefore,
must have an understanding as to how data ought to be treated and protected
within the working environment and what legal rights patients
have in accessing their data in certain circumstances. Transparency is
paramount in securing the trust between doctors and their patients,
who need reassurance that, if they are to divulge sensitive and often
embarrassing information, the healthcare professionals will respect
their data by keeping it secure and free from outside interference.
Keywords confidentiality; consent; Data Protection Act 1998
Criteria necessary prior to disclosure to third parties
• The patient must be aware of the purpose of the disclosure
  and the extent of information that will be given
Introduction
This duty of confidence goes back to the time of Hippocrates
(300BC), when the Hippocratic oath refers to “Whatever in
connection with my professional service, or not in connection
with it, I see or hear, in the life of men, which ought not to be
spoken of abroad, I will not divulge, as reckoning that all such
should be kept secret.”
Confidentiality is the cornerstone of the doctor patient relationship.
It underpins the trust that patients have in the medical
profession and any breach in that trust can only lead to harm
caused by failure of patients to disclose sensitive information to
them. Thus, it comes as no surprise that the professional regulator
(GMC) takes the issue of confidentiality very seriously. Any
breach in the duty of confidence by doctors can lead to serious
consequences such as suspension and even removal of practising
privileges (Box 1).
Nick Nicholas BSc (Hons) MD FRCOG Grad Dip Law is a Consultant Obstetrician
and Gynaecologist and Caldicott Guardian at Hillingdon Hospital Trust,
Uxbridge, Middlesex, UK. Conflicts of interest: none.
Sotiris Nicholas BSc(Hons) MB BS is a Specialist Trainee in Anaesthetics
(Year 1) at Charing Cross Hospital, London, UK. Conflicts of interest:
none.
OBSTETRICS, GYNAECOLOGY AND REPRODUCTIVE MEDICINE 20:5 161
Confidentiality also helps to confirm respect for patient
autonomy which is now enshrined within the Human Rights Act
2000, under article 8 right to respect for private life. The main
case for this principle was established in the case of Campbell v
MGN [2004], when the right to confidentiality was no longer
considered to be in the public interest, but rather a private
interest. In this case, the publication of a famous model’s drug
taking was disclosed without her consent. The court had to
balance the public interests of freedom of expression under
article 10 of the HRA versus the private interests of an individual
under article 8 (right to private life). Thus, the right to privacy
and personal autonomy trumps the right to freedom of
expression.
The duty of confidentiality owed by the doctor has to be
weighed up against the public interest of disclosure that comes
with sharing information such as for research, crime reduction,
to reduce the spread of communicable diseases, and access to
patient records both whilst alive and after death. Wherever
possible, data sharing should be anonymized and coded or else
wherever possible, patient consent ought to be obtained for
disclosures that involve patient identifiable information.
Access to health records is often an area of concern for doctors
especially in regard to requests for patient notes by a third party
and access to deceased person’s records.
Access to health records by a third party
Individuals have a right to apply for access to health records
irrespective of when they were compiled under the Data
Protection Act 1998. This Act only covers disclosure of records
relating to living persons. The request has to be accompanied by
a valid signed and dated consent from the patient. Data should
not be released to any third party if doing so would result in
‘harm to the physical or mental health of the data subject or other
person’ (Box 2).
Criteria necessary prior to disclosure to third parties (continued)
• The patient must be aware that the information cannot be
  concealed or withheld
• There must be written consent from the patient to the
  disclosure
• Only information relevant to the request can be disclosed
• Only factual information that can be substantiated and
  presented in an unbiased manner can be included
Box 2
© 2010 Elsevier Ltd. All rights reserved.
Exceptions to the Access to Health Records Act 1990
• Information likely to cause serious physical or mental harm to
  any individual
• Information relating to an individual, other than the patient,
  who could be identified from that information, unless prior
  consent has been given
• Where the record has a note from the deceased patient
  denying access to personal representatives
Box 3
Data protection principles
• Personal data should be processed fairly and lawfully.
• Personal data shall be obtained only for one or more specified
  and lawful purposes and shall not be further processed in any
  manner incompatible with those purposes.
• Personal data shall be adequate, relevant and not excessive in
  relation to the purposes for which they are processed.
Access to Medical Reports Act 1988
This Act gives patients the right to inspect or receive a copy of
medical reports that have been prepared for employment or
insurance purposes. Before a report is prepared, the Act provides
that consent be obtained from the individual and that it is
conditional on being given access to the report before being sent
on to the employer or insurance company. Access is not absolute
and there are three exceptions. The first two are the same as
exceptions 1 and 2 to the Access to Health Records Act 1990 (Box 3).
The only difference is in the third exception, which is ‘where
disclosure would indicate the intentions of the doctor in respect
of the individual.’
Access to deceased person’s records
The new GMC guidance on Confidentiality (2009) provides more
clarity on this issue. If the patient has asked for information to be
kept confidential even after death, then clearly the patient’s
wishes should be respected.
The duty of non-disclosure continues after death. In the case
of Bluck v Information Commissioner, the judgement concluded
that the ‘public interest in maintaining confidentiality in the
medical records of a deceased outweighs, by some way, the
countervailing public interest in disclosure’. Also more recently
Lewis v Secretary of State for Health (2008) confirms this
principle.
Thus medical records should not be disclosed because they
fall within the scope of the Freedom of Information Act 2000
(FOI) section 41 and accordingly are exempt from disclosure.
Prior to disclosure certain criteria have to be considered (Box 4).
Criteria that need to be taken into account prior to disclosure of information about deceased patients
• Whether disclosure of information could cause distress to or
  be of benefit to the patient’s partner or family
• Whether disclosure about the deceased will, in effect, disclose
  information about the patient’s family or other people
• Whether the information is already in the public domain or can
  be anonymized
• The purpose of the disclosure
Box 4
Freedom of Information Act 2000
The FOI Act (2000) creates a right of access to information held
by public authorities, subject to certain exemptions:
• where information is given in confidence,
• where disclosure of information is prohibited under law,
• where disclosure could cause harm to an individual.
Thus, a patient seeking medical information about herself cannot
do so through the FOI Act 2000, since this is an absolute
exemption.
The Data Protection Act 1998
The Data Protection Act 1998 applies to manual and computerized
records. Breach of the Act is a criminal offence. Data
controllers (who control the purposes and manner in which
personal data are processed) are expected to comply with the
eight data protection principles (Box 5).
Although patients have a right to access their personal data, it
is not an absolute right. The data controller need not comply in
any of the following circumstances:
• he is unsure of the identity of the person seeking the information,
• disclosure of information relating to a third party would
  result; unless, of course, the third party consents to the
  information being given,
• compliance would cause serious harm,
• disclosure is not in the best interests of the data subject.
Schedule 1 requires that data shall be fairly and lawfully
processed.
Schedule 2 sets out the conditions that permit data processing of
personal data, namely consent.
Schedule 3 states that the data subject must give implicit consent
to data processing necessary to protect the medical interests of
the data subject or for the administration of justice.
Data protection principles (continued)
• Personal data shall be accurate and, where necessary, kept up
  to date.
• Personal data shall not be kept for any longer than is necessary
  for those purposes.
• Personal data shall be processed in accordance with the rights
  of data subjects within the Act.
• Appropriate technical and organizational measures shall be
  taken against unauthorized processing of data and against
  accidental loss, damage or destruction of personal data.
• Personal data shall not be transferred to a country outside the
  EU unless that country ensures adequate protection for the
  rights and freedoms of the data subjects in relation to
  processing of personal data.
Box 5
Justification for disclosure
• Consent by the patient
• Statutory
  ◦ Notifiable diseases such as smallpox, cholera, typhus
  ◦ Department of Health for Termination of Pregnancy
  ◦ Births and Deaths
  ◦ Police on request: name and address of driver of the
    vehicle who is allegedly guilty of a motoring offence under
    the Road Traffic Act 1988
  ◦ Police when investigating a serious crime such as rape,
    murder, terrorist activities.
Disclosure in the public interest
• Protecting the public (public policy)
  ◦ Reporting concerns about patients to the DVLA
• Protecting the public from crime
  ◦ Reporting gunshot and knife wounds
• Protecting third parties.
Box 6
Disclosure is not absolute, and there are circumstances when
the doctor can and must divulge information when appropriate
(Box 6).
Statutory exemption to consent
Section 251 of the NHS Act 2006 replaces s40 of the Health and
Social Care Act 2001. Section 251 can only be used for medical
purposes in situations where disclosure of patient identifiable
information is necessary and consent is not practical. Consent for
s251 approval has to be made through application to the National
Information Governance Board (NIGB). The NIGB is a statutory
body empowered by the Secretary of State for Health under the
Health and Social Care Act 2008, to oversee applications for the
use of patient data in the interests of patients and the wider
public.
Conclusion
Recent disclosures around the loss of sensitive public data by
careless civil servants have raised the public interest in confidentiality.
The government and the professional bodies have
attempted to reassure patients that their medical records and the
way in which data are stored, handled and utilized in the NHS are
kept safe and confidential so that only those healthcare workers
with legitimate access to their data have access to it. The gatekeepers
within the NHS, local authority social care and partner
organizations are the Caldicott Guardians, responsible primarily
for protecting patient information and more increasingly information
governance in general. Codes of conduct around confidentiality,
issued by the GMC, will help doctors wade through these
muddied waters so that ultimately the doctor patient relationship
will be strengthened and patients can have confidence that the
founding principles of confidentiality expressed by Hippocrates so
long ago are maintained.
FURTHER READING
Access to Health Records Act 1990.
Access to Medical Reports Act 1988.
Bluck v Information Commissioner and Epsom and St Helier University NHS
Trust (EA/2006/0090), 17 September 2007.
Campbell v MGN [2004], HL 22.
Confidentiality (GMC) 2009.
Data Protection Act 1998.
Freedom of Information Act 2000.
Health and Social Care Act 2001.
Hippocrates 300BC.
Human Rights Act 2000.
NHS Act 2006.
Nicholas Lewis v Secretary of State for Health & Michael Redfern [2008]
EWHC 2196 (QB).
Road Traffic Act 1988.