top of page

Breaking Confidentiality

In this series of articles, medical students from across the country will discuss a range of topics from medical ethics to the NHS to public health to medical conditions to clinical governance.

 

🏢Importance

It could be thought that confidentiality is an absolute rule within healthcare, as it is confidentiality that builds the foundations of the patient-doctor relationship.

However, there are instances in which confidentiality can, and is required to be broken. In a bid to guide medical staff of what these cases are, the GMC (General Medical Council) has compiled specific guidance for confidentiality and when, within the realms of healthcare, it can be broken. They outline that the minimum necessary personal information should be used, information should be effectively protected, there should be compliance with the law and patients should be supported to access their information.

Patient confidentiality can be defined as: ‘The law whereby a doctor or medical practitioner cannot reveal anything said to them by their patients during consultation or treatment.”

Confidentiality is something that is protected, by law, by a myriad of legislations including the Data Protection Act 1998, The Computer Misuse Act 1990 and The NHS Confidentiality Code of Practice.


Breaking confidentiality is done when it is in the best interest of the patient or public, required by law or if the patient gives their consent to the disclosure. Patient consent to disclosure of personal information is not necessary when there is a requirement by law or if it is in the public interest.


Examples of when disclosures are required by law (according to GMC guidance) include:

  • Notifications of specific infectious diseases

  • Disclosures to various regulatory bodies

  • Disclosures to court




💉Public Interest

On the other hand, disclosures in the public interest are those which are designed to protect the greater population from the harm that would be caused if certain personal information was not disclosed. The patient despite not having to give consent for this disclosure of information does need to be informed of it. The Department of Health has published guidance on how to apply these principles in context. A lot of disclosures in this sense surround medical research, for which there are further regulatory bodies, such as the Caldicott Boards in which data is shared in the safest way possible to the patient.




🧠 Capacity

There is also the argument of capacity of a patient and how this can be assessed. When a patient does have capacity, it should be established with them what information they are comfortable with being shared and with who that would be. However, when a patient lacks capacity the issue becomes harder, and the care of the patient must become the first concern - taking into account their beliefs, previous wishes, feelings and values.

There are also legalities in place if the patient’s mental capacity has recently deteriorated, such as the Lasting Power of Attorney. If the patient whose information needs to be disclosed is a child who lacks capacity, personal information can be disclosed to parents or authorities if it is within the child’s best interest. There is also an overriding public interest in the disclosure when the child is at risk of abuse, as disclosure would prevent serious crime or in other instances where the child’s own behaviour would put them or others at risk of serious harm.


As stated previously, patient information can also be shared given the patient’s consent. This may be done in an effort to gain insight into management of their care from other colleagues, in referrals to other healthcare professionals and departments and when information is required by third party organisations – which could include insurers, employers or an agency assessing benefits. In these instances, it is crucial to gain patient consent, having explained why the information will be shared and in the context in which that will happen. Once consent has been given by the patient for their personal data to be shared, then it can proceed to be done.

📜 Further Reading

Comments


bottom of page