Dr Emyr Wyn Jones uses detailed case studies to offer advice on how to deal with requests for disclosure of clinical information.
Patients expect the NHS to keep their confidential information safe, whether in paper form or electronic. So regulatory bodies insist that the NHS has strong safeguards in place to protect patient information, with the NHS Constitution and NHS Care Record Guarantee setting out explicit commitments to achieving these goals.
The principles of information security require that all reasonable care is taken to secure the confidentiality, integrity and availability of the information:
• confidentiality – information secured against unauthorised access
• integrity – information safeguarded against unauthorised modification
• availability – information accessible to authorised users at times when they require it.
The third of these often proves the most difficult. Although it may be relatively straightforward to implement protocols and safeguards to protect confidentiality and integrity of information, making a decision about the appropriateness of a data request depends on an interpretation of what is meant by ‘authorised users’.
You need to be certain of the justification for disclosure before a decision can be made.
The general principle, based on an understanding of the common law duty of confidentiality, is that information given in confidence for the purpose of providing healthcare to an individual can only be used for that purpose, unless the individual has given explicit informed consent for other use or there is an overriding public interest or legal reason for disclosure without consent.
In general practice, questions may arise about how to respond to requests from individuals, primary care organisations, social care bodies and outside agencies for sharing of patient-identifiable information held in practice records. GPs can use the following case studies as a guide to whether requests are likely to be appropriate or not.
Requests that are likely to be appropriate and unlikely to cause concern
A healthcare professional working in another organisation requests details of a patient’s medication history, to facilitate clinical decision-making.
This is a common request – often from hospital doctors or pharmacists when patients have been admitted as an emergency and have not been able to confirm the medication they are taking and are not in a position to give informed consent.
Once the identity of the requester has been confirmed beyond doubt there is no problem with disclosing the requested information, applying the Caldicott principles that minimal required data should be disclosed and only to those who ‘need to know’.
A social worker requests access to data on the frequency and nature of a child’s hospital attendances as part of a safeguarding investigation.
This is slightly less easy but, provided the identity of the requester has been confirmed, then there is an obligation, as defined in the Government’s guidance to professionals following the Laming inquiry into the death of Victoria Climbié, to disclose information that may be of value to professionals taking action to safeguard the child. If it is thought seeking explicit consent from the parent or guardian may prejudice the investigation, disclosure of information should be made without seeking consent.
The PCT requests confirmation of clinical details because a patient is receiving an unusual, expensive treatment at a distant provider.
The PCT wants to determine whether to allocate funding to the provider. The patient is not in a position to give consent and relatives cannot be contacted. The question is whether disclosing confidential information can be justified for essentially financial purposes. The answer is that ensuring health interventions are appropriately resourced is part of the legitimate provision of healthcare. Use of confidential information, given for the sole purposes of securing healthcare, can be justified for ensuring funding of that healthcare. The PCT is itself subject to information governance, confidentiality and data protection legislation and must handle the sensitive data accordingly.
Potentially problematic requests that require a series of questions to be asked before responding
A private alternative-therapy practitioner requests a patient’s diabetes history because the patient’s spouse has bought a reflexology and massage session as a surprise gift and mentioned the diabetes on the application form.
It would be inappropriate to disclose clinical details without the patient’s consent – but not to do so would potentially cause harm if the patient was neuropathic and could suffer foot problems from heat or manipulation. Insistence on patient consent is the first line. But if this was not forthcoming, strict assurance might be sought about the practitioner’s professional status and registration, professional ethics and regulation, code of confidentiality, and whether they conform with accepted information-governance standards and records management. A decision on limited disclosure of information without consent might be made if such assurances were forthcoming. But consulting colleagues, the PCT’s Caldicott Guardian or its legal adviser would be recommended first.
The Samaritans charity contacts the practice requesting information about a patient’s psychotropic medication and whether the patient is picking up repeat prescriptions at appropriate intervals, as there is concern about stockpiling in preparation for a suicide attempt.
It is not thought advisable to seek consent for fear of causing the patient to cease attending the Samaritans for support. The patient had originally contacted the Samaritans at the suggestion of the GP. It is likely their volunteers’ training will have included client confidentiality and informing clients how information would be handled and consent sought if disclosure became necessary. Seeing the Samaritans’ policies would help clarify the situation.
GPs should consider consent issues, but if the Samaritans can provide assurance of compliance with obligations under data protection legislation, they could make a balanced judgment that disclosure of clinical information may be appropriate and in the patient’s best interest. Again, it would be advisable to consult colleagues or the PCT’s Caldicott Guardian or legal adviser before your final decision.
The occupational health department of the patient’s employer seeks information about the patient’s chronic disease status, because of concerns they have not disclosed information relevant to their continued employment.
Doctors and nurses working in occupational health are bound by confidentiality rules but also have a contractual duty to the employer to ensure employees are fit to carry out their contracted duties and disclose information relevant to this.
The first step is to seek the patient’s consent to disclose confidential information to the occupational health practitioner or, at the very least, persuade them to discharge their obligation as an employee to divulge relevant information themselves. If that does not succeed there is a need to understand the compelling reason why the employer needs to know and the impact disclosure will have on the patient’s continued employability. The GP must then balance that against the risk non-disclosure might carry if the medical condition made it unsafe for the individual or others should their job continue.
A balanced judgment needs to be made once all information has been considered. A patient with uncontrolled epilepsy working in a driving job, for example, would warrant disclosure despite explicit withholding of consent, on the grounds of safety.
Requests that are likely to be problematic with substantial assurance needed
An insurance firm contacts the practice to request access to the patient’s clinical record to gather information relating to a potential serious fraud inquiry involving the patient’s partner.
Patient consent has not been sought for fear of prejudicing the inquiry. In this situation, disclosure of confidential information is inappropriate unless the company can produce a court warrant for disclosure or demonstrate public safety issues or overwhelming public interest.
A detective requests information about a patient’s clinical status to help him with investigations into a suspected violent crime.
Again, an informal request made without first seeking patient consent should be resisted unless there are significant public safety issues or an overwhelming public interest in disclosure.
The police have recourse to the provisions of Section 29 (3) and Schedule III (3) of the Data Protection Act 2008, to require disclosure of personal data for the purposes of prevention or detection of crime, prosecution of offenders and in emergencies, if non-disclosure would prejudice an investigation. The Association of Chief Police Officers has approved a standard form for making requests for information under Section 29 (3) of the Data Protection Act. It should include an outline of the investigation, individual, their role in the investigation, the requesting officer’s signature and authorisation by a senior officer at inspector rank or higher. A Section 29 (3) form should be issued before any information is disclosed and evidence of the identity of the requesting police officer must be sought and verified.
The Inland Revenue requires disclosure of personal information about a patient for the purposes of an investigation.
Patient consent should always be sought in the first instance but if consent is not forthcoming the provisions of Section 29 of the Data Protection Act do allow for a statutory requirement for the disclosure of personal data to the Inland Revenue, HM Revenue and Customs or Home Office upon request. It is wise to seek the opinion of the Caldicott Guardian or legal adviser before disclosing without consent.
These examples are not definitive guidance but are intended to stimulate thought about the appropriateness or otherwise of disclosure. Advice should always be sought from Information Governance experts, Caldicott Guardians or legal sources where there is doubt. GPs must be able to justify their decisions and be prepared to defend them and show evidence of the steps they have taken in reaching them.
Dr Emyr Wyn Jones is the secondary care clinical lead for the Summary Care Record programme, working for Connecting for Health, and was chair of the UK Council of Caldicott Guardians between 2009 and March 2010.