Confidentiality – Disclosure to Third Parties

Doctors have a legal and ethical duty to keep all information relating to patients secure. However, whilst the duty of confidentiality is an important principle, it is not without exceptions.

Exceptions to the duty may arise where disclosure is required by statute, is ordered by a judge or presiding officer of a court of law or under a doctor’s ethical or contractual obligations. If a doctor decides to disclose information without consent, they should be prepared to justify their decision.

The General Medical Council (GMC) sets out in Confidentiality: good practice in handling patient information the principles of confidentiality and respect for patients’ privacy that doctors are expected to understand and follow.

The GMC confirms that doctors may disclose patient information, where:

• the patient has capacity and consents to the disclosure for the sake of their care or clinical audit
• it is required by statute, such as in relation to certain communicable diseases
• it is required by a court order
• it is justified in the public interest.

Disclosure with consent

Most disclosures of confidential information require a patient’s consent, including:

• Sharing information with other members of the healthcare team.
  • The doctor should explain to the patient the reason for the disclosure. If a patient objects to the transfer of information, but it is deemed necessary, the doctor should explain that they cannot arrange referral or treatment by another healthcare provider without disclosing the information.
• Discussing the patient’s diagnosis or care with family members and carers.
• Using case studies or images for research, education, training and clinical audit.
  • If a doctor provides patient information pursuant to any of these activities, the information must be anonymised or coded before it is disclosed outside the healthcare team. If that is not possible, a doctor must make sure a patient is told about the disclosure in advance and given the opportunity to object. A doctor must respect a patient’s wishes in respect of the disclosure.
• Writing reports for insurers or the patient’s employer.
• Disclosing medical records to solicitors.
  • Solicitors may contact a clinician for disclosure of medical records. A release of records must only be with the consent of the patient. If the patient is the solicitor’s client, the doctor should treat the disclosure as a subject access request (SAR). They must be satisfied that the solicitor has provided evidence of the patient’s consent to the disclosure and be satisfied that the patient understands the scope of the request. If the clinician is concerned that the consent may not be valid, they must address this with the solicitor or directly with the patient, if appropriate. If in any doubt, PMP clients should contact the PMP medicolegal helpline for advice.
• Release of information to the media or online.

If the patient does not consent to the disclosure of information, the doctor should respect that decision, except where failure to make the disclosure would put the patient or others at risk of serious harm.

Disclosure without consent

In certain limited circumstances, a doctor will be required to disclose patient information by law or in the public interest (to protect the patient, other identifiable people or the wider community). A doctor should inform the patient in advance of such an intended disclosure unless this would cause the patient serious harm or undermine the purpose of the disclosure.

A doctor must disclose patient information where required by law; for example, if the disclosure is pursuant to a court order or infectious disease notification, or if a doctor holds a reasonable belief that a crime involving a sexual assault or other violence has been committed against a child or other vulnerable person.

The disclosure should be limited to the minimum information and least number of people necessary.

If a patient lacks the capacity to give consent and is unlikely to regain capacity, the doctor should consider making a disclosure only if it is in the best interests of the patient. If disclosing without consent, the discussion with the patient and the reasons for the decision should be carefully documented and retained.

Disclosing information after a patient has died

Doctors should be aware that patient information remains confidential even after death.

If it is unclear whether a patient consented to the disclosure of information after their death, consider:

• how the disclosure might benefit or cause distress to the family or carers
• the effect of disclosure on the reputation of the deceased
• the purpose of the disclosure.

A doctor’s discretion may be limited if disclosure of a patient’s record is required by law, such as:

• to help a coroner, procurator fiscal or another similar officer with an inquest or fatal accident inquiry
• on death certificates
• when a personal representative of the patient, such as an executor or administrator of the estate, makes an application for access to the health record, under the Access to Health Records Act 1990 or Access to Health Records (Northern Ireland) Order 1993, unless an exemption applies. (The exemption would be if the patient clearly stated in life that they would not wish such a disclosure to be made.)
• when disclosure is necessary to meet the statutory duty of candour.

Generally, doctors may face difficult decisions regarding:

• access requests from patients and third parties
• record disclosure of a deceased patient.

Each case should be considered on an individual basis, and doctors should always act in the patient’s best interests. The GMC states in Confidentiality: good practice in handling patient information, para 136:

“In other circumstances, whether and what personal information may be disclosed after a patient’s death will depend on the facts of the case. If the patient has asked for information to remain confidential, you should usually abide by their wishes. If you are unaware of any instructions from the patient when you are considering requests for information, you should take into account:

1. Whether disclosing information is likely to cause distress to, or be of benefit to, the patient’s partner or family
2. Whether the disclosure will also disclose information about the patient’s family or anyone else
3. Whether the information is already public knowledge or can be anonymised or de-identified
4. The purpose of the disclosure.”

The police

In most cases, information should only be disclosed with the patient’s consent.

However, there are limited exceptions justified in the public interest when information can be provided without the patient’s consent, eg:

• If a driver suspected of a road traffic offence seeks treatment, the police can ask the clinician for the patient’s name and address under the Road Traffic Act 1988.
• The clinician must disclose information that may be of material assistance in preventing an act of terrorism or securing a person’s arrest for a terrorist offence. Failure to do so without reasonable excuse is a criminal offence.
• If a practitioner suspects that a girl under the age of 18 has had female genital mutilation (FGM) performed on her or is at risk of FGM, safeguarding procedures must be implemented, as with any suspected abuse. The FGM Act 2003 (as amended by the Serious Crime Act 2015) in England and Wales, introduced a mandatory duty for all regulated health and social care professionals to report FGM found in girls under the age of 18 years to the police. The duty came into force on 31 October 2015.
• When the police have obtained a valid court order compelling a clinician to disclose information.
• Clinicians are obliged to inform the police whenever a patient presents with a gunshot or knife wound. This information is required to assist the police in collating statistical information. The patient’s name and address should not be disclosed at this initial reporting. Knife injuries that are accidental or self-inflicted do not need to be reported. The GMC provides guidance on when to report incidents involving guns or knives in Reporting gunshot and knife wounds.
  • It is important to remember that, in the event of treating a patient following a knife crime, just because the police arrive and ask for some identifiable information, it does not mean that the clinician must provide this. If the clinician thinks that disclosure may be required, they should first consider what exceptions there are to the duty of confidentiality. Such as:
    • Consent – could the doctor ask the patient for consent to disclose? They need to consider if, by doing so, they would put themselves or others in the department at risk.
    • Law – do the police have a court order or warrant? If not, there is no legal duty to disclose.
    • Public Interest – the doctor may disclose without the patient’s consent if they believe that disclosure is justified in the public interest, ie, if the disclosure is likely to assist in the prevention, detection or prosecution of a serious crime or if failing to disclose may put someone other than the patient at risk of serious harm or death.

If you have any queries or concerns surrounding the issues raised in this article, please do not hesitate to call the PMP medicolegal helpline. The PMP medicolegal helpline team, provided by Clyde & Co LLP (a law firm), can assist customers in preparing an appropriate response.