Dr Kathryn Leask, medico-legal adviser at the Medical Defence Union, on how practices can ensure they uphold confidentiality at all times
Maintaining patient confidentiality is essential to the trust that exists between practice and patients. Practice staff have a duty to protect a patient’s sensitive information and most breaches of confidentiality are made inadvertently.
It is important that all employees are aware of the practice’s confidentiality policies and its protocols for disclosing information to third parties, and that they receive regular training. Care also needs to be taken when information is being passed on to the patient themselves.
In MDU’s experience, some areas are particularly prone to inadvertent confidentiality breaches. Here we look at some of these and suggest ways to manage potential risks.
Electronic messages
Most practices now use email or text message to communicate with patients. This is what many patients would expect in a modern NHS but there are risks that need to be managed.
Data breaches involving emails are common and can be very costly, with the information commissioner in some cases issuing fines where a breach of confidentiality has occurred.
Errors can include getting an email address wrong or sending an email to a patient with a similar name. Another common pitfall, which has the potential to breach a greater number of patients’ confidential information, is where an email is cc’ed to a number of patients rather than blind copied to a list.
This results in the personal email addresses of all of the patients being disclosed to the entire list. Depending on the nature of the email, confidential clinical information about patients may be revealed, such as that a patient has asthma or which clinic they are attending.
Care must also be taken if using auto select functions that predict the email address you want to use once you have typed in the first few letters of the recipient’s email address.
It is easy to make an incorrect selection and much safer to copy and paste an email address from the recipient’s original email to the practice. This will also prevent any typing errors that could be made if the address is added manually.
When texting the patient or leaving messages containing personal information, make sure you have the patient’s permission to communicate with them in this way. Be aware that phones, even personal mobiles, may be shared with other members of the household and may not be private.
Avoid leaving messages on answer machines that do not have a message from the patient, or where there is an automated message. It’s possible that you have been given or dialled the wrong number and that the information you have left could be accessed by someone other than the patient.
Requests by third parties
Practices regularly receive requests from third parties who need information about a patient. This might include insurance companies, solicitors or estranged parents who want access to their child’s medical records.
It is important that policies are in place for any type of disclosure and that staff follow these carefully and do not miss out any steps.
If a medical report is being shared with an insurance company, for example, staff need to check whether the patient has said that they want to view the report before it’s sent. This allows them to confirm that they are happy for that specific information to be disclosed.
Where a child’s records are being disclosed to an estranged parent, ensure that the person making the request has parental responsibility and that the child has consented to the disclosure if they are mature enough to be competent to do so.
Ensure that no information is being disclosed about the other parent. Has the parent the child lives with specifically said they do not want their address disclosed, for example?
If a solicitor is requesting information about a patient, it is important to establish who the solicitor is acting for.
Even where a solicitor is acting for the patient and, therefore, presumably carrying out their instructions, it is better to double check that the patient is aware of the request and what the disclosure will include.
If in doubt, contact MDU or your own medical defence organisation for advice.
The reception area
Reception areas are often open or situated close to waiting rooms, which can cause difficulties in protecting confidential information. Computer screens should be positioned in such a way that they cannot be seen by anyone standing at reception or passing by.
Screen privacy filters can also be useful. Documents bearing patients’ names and other personal information should be kept out of sight and not left in view of other patients waiting at reception.
Conversations at reception can be easily overheard by those in the waiting room. Staff should always be mindful of being discreet, whether they are discussing personal issues with the patient or with another member of staff.
This is equally important for face-to-face conversations and for those taking place over the phone.
Where concerns about patient confidentiality do arise, for example, in the form of a complaint, these should be investigated so that lessons can be learnt and measures put in place to prevent a recurrence.
The MDU or your own medical defence organisation can support you in responding to complaints that may arise due to an alleged breach of confidentiality.