Emma Cave - Reader in Law, Durham University
Al Dowie - School of Medicine, University of Glasgow, Glasgow
Amy L. Fairchild - Professor of Sociomedical Sciences, Mailman School of Public Health, Center for the History and Ethi
Angus H. Ferguson - Centre for the History of Medicine, Economic and Social History, School of Social and Political Scie
Fionnula Flannery - Policy Manager, Standards and Ethics Team, General Medical Council
Andreas-Holger Maehle - Professor of History of Medicine and Medical Ethics, Department of Philosophy, Durham University
Jean McHale - Professor of Health Care Law University of Birmingham, Birmingham
Michael Soljak - Imperial College London, London
The General Medical Council (GMC)’s guidance Confidentiality was last published in 2009. Since then the healthcare landscape in the four countries of the UK has continued to evolve and in 2015 the guidance will be reviewed to ensure that it remains compatible with the law and relevant to practice. This article summa-rises some of the practice issues that have been identified in enquiries to the GMC. These include the increasing emphasis on the use and integration of electronic health records systems to support patient care; the impacts of national policy debates around adult and child safeguarding; and ongoing debates about the use of health information for secondary purposes such as research, healthcare planning and audit. These issues raise questions and challenges, for example around models of consent, the definition and scope of public interest, and the relative weights that should be given to community needs and to individual autonomy that will need to be considered as part of the review of the guidance.
‘All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.’ – Hippocrates, 5th century BC
Articles about medical confidentiality conventionally start with Hippocrates. Whether or not he actually wrote these famous words, they articulate a value that is deeply held by doctors and patients alike – confidentiality is central to medical practice. But it is not absolute. Hippocrates did not suggest that physicians should keep everything secret, only that ‘which ought not to be spread abroad’. Determining what should be ‘spread abroad’ – or, to put it another way, what are the exceptions to the general duty of confidentiality – is one of the most challenging decisions doctors regularly have to make.
It will therefore come as no surprise that confidentiality consistently tops the list of ethical enquiries received by the General Medical Council (GMC). The emails, letters and phone calls we receive reveal not only how seriously doctors and patients take confidentiality, but also how genuinely difficult it can be to weigh up competing interests and to reach a decision. Recent enquiries to the team include:
In this article I will consider what we know about the confidentiality challenges doctors face in practice from the enquiries we receive, and reflect on what the implications might be for GMC guidance in the future.
The GMC will never tell a doctor who asks us for ethical advice what decision to make or what course of action to take – these are professional judgments, which need to be made on the particular facts of the individual case. And, as the regulator, we must remain independent of the decisions and actions of doctors that we may later be called upon to investigate. But we do publish guidance, case studies, and other learning materials to help doctors to identify the relevant legal and ethical considerations and to make decisions that respect patients’ privacy, autonomy and choices, and that also benefit the wider community of patients and the public.Current and archived guidance can be found on the GMC website: www.gmc-uk.org/guidance. Accessed 24 February 2015.
Since 1971 we have published advice of increasing length on confidentiality, with discrete guidance on the topic first published in 1995. We published the current guidance in 2009. At that time, significant areas of debate included the increasing use of information technology, including the move towards electronic health records; the disclosure of genetic and other shared information; the reporting of knife crime to the police; and doctors responding to criticism in the press. A new, distinct section of the guidance was also introduced to explain how the guidance on disclosures in the public interest applies in the case of disclosures for ‘secondary uses’ such as research, epidemiology, public health surveillance, health service planning and education and training.An account of the development of the 2009 guidance is available on the GMC website: www.gmc-uk.org/The_Development_of_Confidentiality_2009.pdf_38718428.pdf. Accessed 24 February 2015.
Over the coming year we will be revising the guidance again. We think the core guidance remains sound, but we need to make sure it reflects the latest position in law and emerging ethical challenges, and that it is helpful to doctors and patients alike.
It is already clear that much has changed since 2009. The debate about the use of information technology has shifted from questions about the responsibilities of doctors in commissioning and using electronic systems, to questions about the ethical and legal implications of integrated or shared record systems. The explosion in mobile technology, and the growing interest in e-health and tele-health are also posing new practical challenges for doctors and may raise new issues of principle. Questions about the legal and ethical considerations around secondary uses of patient information have taken on a new urgency as each of the UK nations grapples with the opportunities and challenges posed by ‘big data’ and the use of healthcare data for activities such as research, planning of services and commissioning. National programmes – care.data in England;www.england.nhs.uk/ourwork/tsd/care-data/. Accessed 24 February 2015. SPIRE in Scotland,www.spire.scot.nhs.uk/. Accessed 24 February 2015. with similar plans in Northern Ireland;www.bmj.com/content/348/bmj.g2380. Accessed 24 February 2015. SAIL in Waleswww.saildatabank.com/. Accessed 24 February 2015. – have generated significant debates about governance, consent, patient expectations and the legitimate uses of patient data.
These changes in the management and use of information in health and social care are creating challenges in practice that are reflected in enquiries to the GMC. In one case, a GP asked us for our view on a shared record system, which appeared to her to provide ‘all or nothing’ access to the whole record, once patient consent had been given, rather than role based or graded access. Her concern was that it was unclear who was responsible for the integrity of the record, and that the system design posed legal risks for the GP as data controller. It also raised the wider question of whether patients who had given consent really understood who could access their records, and under what circumstances.
Another GP asked us for advice about how to manage subject access requests for disclosure of information that had been entered into the primary care record by other professionals, such as health visitors in the community. Such a record could include the health visitor’s observations about the use of drugs or alcohol by the family members of a child. The concern was that, if release of the record was not properly managed, health visitors might be reluctant to record relevant information in future.
Safeguarding is another area where we are seeing significant national policy debates reflected in GMC enquiries. In 2012, we published new guidance for doctors on child protection, which gives detailed advice on sharing confidential information in circumstances where a child or young person may be at risk of abuse or neglect.General Medical Council (2012) Protecting children and young people: the responsibilities of all doctors. Available at www.gmc-uk.org/guidance/ethical_guidance/13257.asp. Accessed 24 February 2015. The guidance appears to have provided helpful clarity about the GMC’s expectations of doctors but debate continues about whether professional guidance is enough, and whether or not doctors and other professionals should be mandated by law to report concerns about the possible abuse or neglect of children in certain circumstances.For example, in England the Serious Crime Act 2015 has introduced a mandatory duty on certain professionals (including doctors) to report female genital mutilation in under-18s.
Even with guidance to refer to, decisions about whether or not to share information, and what information to share with whom, can be complex. For example, in the child protection guidance we say that doctors must cooperate with requests for information from formal inquiries such as serious case reviews (SCRs) carried out after a child or young person has died or been seriously harmed. A doctor asked us how this applied in the case of a father whose child had died, who had refused consent for his medical records to be shared with the SCR, and whose lawyers were applying pressure on the doctor not to release the records. The doctor could not see anything of relevance to the SCR in the father’s medical records, but was unsure whether or not this was his decision to make.
Considerable professional concern is also being expressed in relation to adult safeguarding, where we have seen some policy shifts in the direction of mandated sharing of information in certain circumstances. In Scotland, the Adult Support and Protection (Scotland) Act 2007 includes powers to examine health records for making inquiries about adults at risk.Adult Support and Protection (Scotland) Act 2007, section 5. Available at www.legislation.gov.uk/asp/2007/10/contents. Accessed 24 February 2015. In England and Wales, the Care Act 2014 contains provisions that require persons or bodies to supply information to a safeguarding adults board at its request, if certain conditions are met.The Care Act 2014, section 45. The explanatory notes say ‘this would potentially encompass, for instance, a GP who provided medical advice or treatment to an adult in respect of whom a SAB was carrying out a serious case review, or to a family member or carer of that adult.’ Available at www.legislation.gov.uk/ukpga/2014/23/contents/enacted. Accessed 24 February 2015. In Wales, the Social Services and Well-being (Wales) Act 2014 places a duty on a ‘relevant partner’ of a local authority to inform the authority if they suspect that a person in its area is an adult at risk. The Welsh Government’s White Paper on ending violence against women, domestic abuse and sexual violence contained proposals to require public sector bodies to share information with multi-agency fora convened to promote the safety of individuals at risk of domestic or sexual violence.National Assembly for Wales (2013) Consultation on legislation to end violence against women, domestic abuse and sexual violence (Wales). Available at http://wales.gov.uk/consultations/people-and-communities/vawwhitepaper/?lang=en. Accessed 24 February 2015. These duties were not included in the Bill introduced to the Welsh Assembly, but are expected to be included in statutory guidance.As reported in the Equality and Local Government Committee Gender-based Violence, Domestic Abuse and Sexual Violence (Wales) Bill: Stage 1 Committee Report, November 2014. Available at www.senedd.assembly.wales/mgIssueHistoryHome.aspx?IId=10028. Accessed 24 February 2015.
The challenges can be particularly acute in cases where a competent adult may be at risk of serious harm, but is refusing consent that information can be shared. For example, a doctor wrote to us asking whether he should share information with a multi-agency forum about a woman who was experiencing domestic abuse when she was adamantly refusing consent. Several police officers and doctors have asked us about doctors’ responsibilities to disclose information about patients who may be at risk of suicide, who also hold firearms licences.
In our guidance, we take as the starting point that a competent adult has the right to make decisions in his or her own best interests, even if others consider that decision to be irrational or unwise. After all, a competent adult can refuse medical treatment even if that results in their death. We therefore advise that a doctor should usually abide by a competent adult patient’s refusal to consent to disclosure, even if their decision leaves them, but nobody else, at risk of serious harm. In such a case, the doctor should focus on providing patients with the information and support they need to make decisions in their own interests, for example by arranging contact with agencies that can provide support.General Medical Council (2009), Confidentiality, paras 51 and 52. Available at www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp. Accessed 24 February 2015.
This is not an absolute position however – we say that doctors should ‘usually’ abide by a competent adult’s decision, which leaves open the possibility that there might be circumstances in which the doctor discloses without consent. But what are those circumstances? Could it include situations in which extreme fear, or duress, or some other influence, was inhibiting the patient from making a free and independent decision about the disclosure of their information? How should such decisions be made?
Emma Cave explores the problem elsewhere in this special edition and proposes a solution that focuses on the best interests of the patient. In our current guidance, the justification is rooted in the public interest – that is, we consider that there may be exceptional cases in which ‘the benefits to an individual or society of the disclosure outweigh both the public and the patient’s interest in keeping the information confidential’.Ibid., para. 37. A question for the review will be whether that is right and, if so, how far we can expand on the current position, and give helpful advice, in what is an uncertain and complex area of law.
In this short paper I have only been able to give a partial overview of the confidentiality issues that we have identified in the early stages of our guidance review. Others that I haven’t mentioned are equally important. For example, in her 2013 review of information governance in England, Dame Fiona Caldicott found that loss of professional confidence about when it is appropriate to share confidential information for the direct care of patients is undermining the provision of safe care.Department of Health (2013), Information: to share or not to share? The information governance review. Available at www.gov.uk/government/publications/the-information-governance-review. Accessed 24 February 2015. She introduced a new Caldicott principle – ‘The duty to share information can be as important as the duty to protect patient confidentiality’ – and a key question for us will be whether we have got this balance right in our guidance.
Other challenges include when information should be shared in the public interest (for example in the context of serious communicable disease, or serious crime, or when a patient may not be fit to drive), the responsibilities of doctors with ‘dual’ obligations (such as occupational health doctors) and disclosures for purposes beyond the immediate care of the individual such as research, commissioning and financial audit. So there will be much for us to consider as we review the guidance over the next year.
Hippocrates’ core tenet clearly survives. But in the 21st century we face new and pressing questions about what confidentiality means in practice – no doubt Hippocrates would have been astonished to know that Google could find nearly 5 million records relating to his name and work in less than a second. The medical profession has a strong track history in protecting information, both in the care environment and beyond. But we need to make sure that, as medical practice and technology develops, public trust is maintained that doctors are using patient information wisely and safely.