Over the years a common enquiry to the Royal College of Nursing telephone advice line has been about confidentiality. In particular, healthcare professionals are often unclear about the circumstances in which health information about a particular individual may be disclosed to a third party.
Everyone appears to know that such information is generally “confidential” and falls into a category of “sensitive personal data” under the Data Protection Act, 1998. Despite this understanding, when it comes to the following typical scenarios, uncertainty often arises:
- The individual has refused to give me permission to disclose her health information to anyone, and I believe that this could be detrimental to the person’s health and wellbeing. Can I disclose?
- Someone has arrived in A&E with evidence of involvement in a criminal activity. Do I have to tell the authorities, such as the police?
- As an occupational health nurse, I have been asked by the solicitors for the employer to disclose the occupational health records of an employee, without seeking the employee’s consent. Should I?
- I have been treating a 15-year-old girl as a school nurse and she has insisted that I do not tell her parents about her presenting health problems. Does a 15-year-old have a right to confidentiality?
As with my earlier articles in this Journal on legal accountability and consent, the basic principles governing the handling of confidential information are straightforward. The reasoning process that I suggest is adopted by healthcare professionals is a sequence of questions:
- Is the information confidential?
- If so, and I believe that I should disclose to a third party, have I got my patient’s consent? “Consent” implies that the patient is legally competent and suitably informed about what information will be disclosed, to whom, and why, and that the assent is freely given (without duress).
- If my patient withholds their consent to disclosure, does the law require me to disclose? (Am I under a legal duty and have no choice?)
- If the law does not oblige me to disclose, could I nevertheless disclose in breach of my patient’s confidentiality? In other words, does the public interest in disclosure outweigh the confidentiality of the patient?
- Have I told the patient? If I am going to breach my patient’s confidentiality, then ordinarily I should let the patient know in advance, except in very exceptional circumstances.
Legal duty of confidentiality
The courts (common law) have long recognised a legal duty of confidentiality imposed on healthcare professionals in relation to patient information. This is also an explicit requirement of the Nursing and Midwifery Council (NMC; 2015) code of practice (paragraph 5) and the General Medical Council’s (2009) confidentiality explanatory guidance, and it can be found in the ethical codes of all other health professions.
In addition, health information is “sensitive personal data” (i.e. information about an individual’s physical or mental health, or condition) as defined under the Data Protection Act and may only be processed in accordance with the provisions of that Act. Electronic data and administrative technology present a considerable challenge for healthcare organisations and professionals so far as the handling of health information is concerned, and the risks of inadvertent disclosure are the subject of almost weekly news reports. Therefore, extra care should be taken.
Fair and lawful disclosure
In relation to the Data Protection Act, one common error needs to be highlighted. The Data Protection Act states that sensitive personal data should only be processed (which obviously includes sharing) where it is done “fairly and lawfully” and at least one of the conditions in both Schedule 2 and Schedule 3 of the Act are met. However, simply satisfying a condition in Schedules 2 and 3, respectively, will not necessarily amount to “fair and lawful” processing. In other words, by way of illustration, the police may state that they require access to patient information that is relevant to the detection and prosecution of a serious crime (and this satisfies conditions in both Schedules), but that does not mean that, under the Act, the processing will be “fair and lawful”. To satisfy those requirements, I suggest you need to still follow the reasoning process I described above for handling all confidential information.
When a patient discloses personal health information to a health professional, it is recognised that the provision of health care often cannot function without the sharing of that information, whether in a hospital or community setting, with others who have a genuine “need to know”. This may be with other healthcare professionals or administrative staff. Consent to disclosure must generally be explicit, although in these circumstances it is arguable that by disclosing personal health information and seeking health care, the patient is impliedly consenting to the sharing of their information with others. However, do not rely mechanically on implied consent and ensure that disclosure is absolutely required for essential healthcare when you share it. In any event, anyone who handles patient information (not just the healthcare professional) must understand the duty of confidentiality.
When a patient does not consent to information being shared
Should the patient expressly state that they do not want the information to be shared with anyone else and even objects to the information being recorded, the healthcare professional has no permission to do either. Although this may prevent the healthcare professional from giving the care required, this should, of course, be discussed with the patient, but ultimately it may be that the healthcare professional is only able to record in the notes that the patient is withholding consent to record/disclose (unless public interest considerations warrant sharing – see below). Often, in my experience, patients will withhold consent because they do not fully understand what information will be disclosed, to whom, and why. Once this has been explained, most people are satisfied and give their consent.
In the absence of consent, where the healthcare professional believes that it is nevertheless necessary for others to be informed, when does the law place the professional under a legal obligation to disclose? The fact is that the circumstances where the law requires disclosure are very few. Without listing the Acts of Parliament here, they generally cover public health, sexually transmitted diseases, terrorism offences, abortion, drugs and so on. There is a limited duty under road traffic legislation to provide the police, on request, with information that might identify a driver who has committed a traffic offence, but generally it should be noted there is no legal obligation on anyone to volunteer information to the police to assist them with their enquiries into alleged criminal offences. Many of us will decide to do so, however, out of a sense of public responsibility. But if you do, it is important to take note of the following considerations.
Assuming that the healthcare professional is in possession of confidential health information, which the patient has refused permission to disclose, and there is no Act of Parliament obliging the professional to share, in what circumstances may disclosure nevertheless be legally justified? All healthcare professional codes of ethical behaviour recognise that the duty of confidentiality is not absolute, and that it may be qualified in certain circumstances. In this respect, the various codes mirror the general law (for example, the human rights legislation is clear that the right to privacy – Article 8 of the European Convention on Human Rights – is not absolute and may be breached in exceptional circumstances).
Example cases
In W versus Egdell [1990] 1 All ER 835, W was detained in a secure hospital following a string of serious offences. In accordance with his right under the mental health legislation, he applied for a review of his detention and requested a transfer to a less secure regional unit. His solicitors sought a medical report to support W’s application, and approached a consultant psychiatrist, Dr Egdell. Dr Egdell was very unsupportive and so the review/application was withdrawn. Owing to information that had come to light during Dr Egdell’s examination of W, and which he believed was very relevant to the issue of public safety and future reviews of W’s detention, he disclosed a copy of his report to the Home Office and to the medical director of the secure hospital. W sued for breach of confidentiality. W lost in both the High Court and Court of Appeal.
From this judgement, I suggest that in weighing up whether a disclosure in breach of confidence is justified – for example, the public interest in disclosure outweighs the public interest in the confidentiality of health information – the healthcare professional should consider the following:
- Was there a real and serious (not hypothetical) risk of danger to the public or identifiable individual, which would justify a breach of patient confidentiality?
- Disclosure must be to a person who has a legitimate interest to receive the information. So, for example, a disclosure to the press in the Egdell case would have been an actionable breach of confidentiality and unjustified.
- Disclosure must be confined to that which is strictly necessary in order to avert or mitigate the danger that would otherwise be presented by maintaining confidentiality.
Conversely, in the case of X versus Y [1988] 2 All ER 649, the High Court held that the public interest in favour of freedom of the press in debating the risks presented by healthcare professionals with HIV infection, and identifying them, did not outweigh the public interest in respecting the confidentiality of the healthcare professionals concerned, particularly given the risks to the public health policy of encouraging individuals to present themselves for testing, counselling and treatment.
Protection of the patient
Is it justified to breach patient confidentiality to protect the patient him- or herself? It may be, particularly in the case of a child or young person, or someone who is legally competent but vulnerable, perhaps. The balancing exercise is, I suggest, rather more acute in these circumstances, with arguments around paternalism and so on.
Summary
You may be justified in breaching your patient’s confidentiality because of public interest considerations, although the onus is clearly on you to satisfy the above requirements. It is my advice to healthcare professionals in this situation to clearly record the above reasoning process and, in most instances, to warn the patient in advance of the disclosure why you are having to take this step. It is far better to afford the patient an opportunity to further discuss your concerns, than to wait for them to be surprised to learn that their confidence has been broken.
Finally, do under 16-year-olds have a legal right to confidentiality? The answer is yes and I refer readers back to the Gillick case, described in my previous article on the law of consent (Cox, 2016). A mature minor has a legal right to confidentiality, though, again, it is not absolute and may be breached in certain circumstances (such as child protection concerns).
In my experience, the most difficult situation is often presented in schools, with a nursing or medical service that comes under pressure from either teachers or the parents of children, or both, to disclose information about a child in the care of the healthcare professional. To avoid conflicts, I suggest that all healthcare providers (whether in community, primary or acute care settings) have appropriate policies on confidentiality and the handling of patient information, irrespective of the age of the patients concerned. These should be shared with everyone who may come into contact with the health service and, in particular, those (such as parents) who believe (often mistakenly) that they have a legal right to access such information, with or without the consent of the patient. Nothing undermines a health service more quickly than a reputation for inappropriate handling of confidential health information.
Acknowledgement
This article has been modified from one previously published in the Journal of Diabetes Nursing (2015, 19: 378–84).
Scotland-wide advice to inform the process of making injectable weight management drugs available and to prevent variation between Health Boards.
14 Nov 2024