What is Patient Confidentiality?
Patient confidentiality is a legal requirement pertaining to the collection and storage of personal information belonging to another individual. Typically, this involves professions where you are dealing with someone else’s sensitive personal information. Specifically, you are not legally allowed to speak about matters discussed in a confidential conversation. Patients have a right to these confidential discussions without having to worry about the disclosed information being spread to other patients and individuals. These are often legally binding by contract, similar to a non-disclosure agreement. Generally, if you are in a situation where it is expected that you should receive confidentiality, you often will.
So you might be wondering who would need to provide patient confidentiality. The first one that comes to mind is a doctor. Whether this is a general physician or a psychiatrist, any information you provide is protected by patient confidentiality duties of the medical profession. Other examples include lawyers, bankers and more. Typically, this privacy involves professionals who deal with the confidential personal information of a client.
In addition to being required by law, respecting a desire for patient confidentiality is good practice and will please your loyal customers. Otherwise, you run the risk of ruining your own reputation and potentially tarnishing the image of your profession. Think about it: is there any customer or client that would appreciate you discussing their matters with another individual? The answer is likely no, so why bother doing so in the first place? Industry professional groups often protect themselves by suspending your right to practice the profession, or expelling you from it, if you breach or disregard certain rules.
There are instances where patient information can be legally obtained for court-related purposes. This permission is typically only granted to law enforcement agencies, as certain information could be useful in an ongoing case. Of course, legal processes must first be approved, including the issuance of court-ordered affidavits or warrants – this usually only applies to bank and medical records. Other types of information cannot be accessed by any third party (including law enforcement agencies), such as that collected by lawyers, psychiatrists and priests. If you’re wondering what makes lawyers, psychiatrists and priests so special, you will find out shortly.
Patient Confidentiality Act
Patient confidentiality is considered common law and a right for all individuals utilising services where this is relevant. Laws and regulations surrounding patient confidentiality primarily exist to protect individuals who utilize services that are considered to be beneficial. For example, therapy is a common form of treatment, but if patients did not feel safe or that their privacy was being respected, then the profession would lose credibility. As a result, people would begin to miss out on the advantages offered by going through therapy. Thus, certain laws are in place to protect the public’s trust toward these forms of treatment.
So in a way, patient confidentiality policies protect both the patients and those practicing the profession. Beginning with the patients, it mainly offers peace of mind and an increased ability to share one’s thoughts. Particularly, it offers them protection in the sense that:
- Feeling of security and respect for privacy. Specifically, patients can feel safe and that their privacy rights are being respected, so any disclosed information won’t be used against them at a later point in time. This way, patients can fully utilize the services being offered to them without feeling that they need to withhold certain information. This pertains particularly to information that is considered to be sensitive in nature.
- Confidential information won’t later be used against them or distributed to unauthorized individuals. Again, patients may not be as hesitant to share certain details if they know that the information is confidential and cannot be used for other purposes beyond those initially agreed upon.
On the other hand, practitioners are protected mainly in the sense that they are provided clear guidelines to direct their behavior and choices. Specifically, they benefit from patient confidentiality acts in the following ways:
- Helps to avoid ethical dilemmas. Now practitioners don’t have to worry about betraying the trust of a patient, unless required by law to do so. They won’t be put into an ethical dilemma where they must choose between handing sensitive information over to the courts and remaining loyal to their patients. There is a clear expectation that they are to protect their client’s best interests, unless ordered by the courts to release certain information. Often, in these cases where sensitive information is court ordered, it is because it is also in the public’s interest. Specifically, it typically involves dealing with a criminal proceeding.
- Provides a set of rules and guidelines about the proper use of confidential information. If practitioners follow the guidelines as specified by their profession’s regulatory body and that of the Data Protection Act, there should be no uncertainty as to whether they are upholding their duty to protect patient confidentiality.
Aside from the Data Protection Act as enforced by the ICO, general industry bodies typically have their own set of standards. That way, patients and clients can expect standard practices and policies from the professionals of an industry. For example, the General Medical Council governs the UK’s healthcare professionals and outlines a strict code for upholding patient confidentiality. In other instances, the institutions themselves will also have legal documents outlining the right to privacy. However, any concerns regarding patient confidentiality often involve the topic of data privacy. Knowing this, it is the duty of the ICO to review any complaints and decide whether to investigate from there.
Breach of Patient Confidentiality
A breach of patient confidentiality refers to a particular situation where a patient’s confidential information is compromised in some way, shape or form. It can be something as simple as the practitioner revealing sensitive information to an unauthorised individual through verbal or physical means. Another situation would be if a practitioner left delicate data displayed on their computer screen where it can easily be viewed by other people who are nearby, but not authorised to do so. In addition to verbally conducting a breach of patient confidentiality, an individual who does not properly secure personal data and has it stolen can also be committing a breach of patient confidentiality.
Surely you can see the importance of taking the necessary precautions to protect this sensitive and confidential information. Not only do you have to worry about speaking about any of the information, you must also protect it from unauthorized access. It doesn’t end there though, because when it comes time to dispose of the information, you are also liable. So, you better destroy any chance of it being obtained through secondhand means altogether. For example, say you were to dispose of some information, but then someone else managed to get their hands on this sensitive data. Well, unfortunately you would be implicated and likely fined for the improper handling and disposal of the data.
This very situation occurred in the UK when Brighton and Sussex University Hospitals NHS Trust didn’t take the necessary measures to fully destroy patient data. What happened was that the old hard drives containing sensitive information were later resold on eBay – a big red flag in terms of the Data Protection Act. The ICO stepped in and eventually issued fines for the amount of £325,000. The entire situation could have and should have been avoided had they properly disposed of and destroyed confidential patient information. Not only have these individuals been compromised and exposed to the intentions of whoever decided to purchase these hard drives, but a huge amount of public distrust was cast upon the institution at fault. Companies that provide data and document shredding services exist to help mitigate the chance of situations like these. Knowing this, you should be very careful as to where you keep and store sensitive information.
Thus, you should be concerned with protecting your patient confidentiality from the minute you collect sensitive information up until the moment it is safely disposed of. Specifically, at each stage you should be concerned with the following:
- Collection: at this stage of the process, you are concerned with the ethical, legal and safe gathering of information from the patient. You should be doing so in a manner that they can comfortably communicate private information with you. Specifically, you will want to create an environment that will respect their privacy. If you are speaking in person, then this means going to a location where other clients and unauthorized individuals will not be able to listen in.
- Input and Storage: this refers to your method of storing the information that you have gathered. You are also responsible for protecting the stored data from unauthorized access. Failing to do so will result in a breach of patient confidentiality. Even if you don’t grant someone permission to your files, you may still be at fault if a hacker gains access.
- Use: when using the information, it is only meant to be used and discussed with other individuals who have been given consent to access such data. If you share the information beyond the consented individuals or for purposes not consented to by the patient, then that is a breach of patient confidentiality.
- Disposal: after collecting and using the confidential information, you cannot simply toss it into the wind and forget about it. It is absolutely essential that you destroy confidential information so it cannot be obtained after you dispose of it. If someone else were to get their hands on it after you’ve disposed of it, you will be at fault for committing a breach of patient confidentiality. Contact your local data and document shredding company to take some weight off of your shoulders.
Common causes of breaches to patient confidentiality directly relate to each stage of the information gathering process outlined above. Essentially, if the necessary measures for each stage are not followed, you and your patients are likely exposed to risk. The difference is that they will be a victim of the breach and you may be at fault for the breach.
In the case that you are aware of a breach of patient confidentiality, it is your legal and ethical duty to take the necessary actions, even if you may be at fault. The consequences will be much worse if you try to hide the unfortunate situation and it is later revealed to the public eye. Thus, it is important to report the incident, which can be done as follows:
- You should immediately notify the ICO for incidents in the UK involving a patient confidentiality breach. Often, a breach of patient confidentiality involves concerns related to the practices regarding data privacy. The ICO handles all matters related to data protection – they will investigate the matter on your behalf.
- Report the incident to the appropriate body that oversees that industry and profession. As mentioned, each professional body has its own set of rules and regulations. Representatives from the group will likely address the situation since it has the potential of impacting the profession as a whole. Specifically, it could tarnish trust in the industry if the matter isn’t dealt with and resolved appropriately.
- You should also consider reporting it to the local authorities. This is especially true in situations where an individual could be exploited as a result of the confidentiality breach. If you think someone has become vulnerable as a result of the breach, it is in their best interest that you report the situation.
Ultimately, if a patient is trusting you by providing confidential information, it is your responsibility to ensure the proper use and protection of such details. There is no sense in taking shortcuts that may put your patient in harm’s way or expose them to unnecessary risks. It is up to you as the professional practitioner to provide confidentiality during the collection, storage and disposal stages of the information handling process. Not only is this a legal duty of yours, it should also be an ethical consideration on a human level.