2019-10-25

Patient confidentiality and code of professional conduct


Different disciplines may have different views on patient confidentiality. I have gone through the codes of professional conduct of different professions.

Doctors

In the Code of Professional Conduct of the Medical Council of Hong Kong ("MCHK"), the word "confidentiality" appears 15 times [1].


A PHYSICIAN SHALL respect a patient’s right to confidentiality. It is ethical to disclose confidential information when the patient consents to it or when there is a real and imminent threat of harm to the patient or to others and this threat can be only removed by a breach of confidentiality.

A PHYSICIAN SHALL when medically necessary, communicate with colleagues who are involved in the care of the same patient. This communication should respect patient confidentiality and be confined to necessary information.   
(International Code of Medical Ethics published by the World Medical Association in 2006)

1. Medical records and confidentiality 
  • 1.1.4 All medical records should be kept secure. This includes ensuring that unauthorized persons do not have access to the information contained in the records and that there are adequate procedures to prevent improper disclosure or amendment. Medical records should be kept for such duration as required by the circumstances of the case and other relevant requirements. 
  • 1.1.5 Doctors should have due regard to their responsibilities and liabilities under the Personal Data (Privacy) Ordinance (Cap. 486), in particular, patient’s rights of access to and correction of information in the medical record and the circumstance.
1.4 Disclosure of medical information to third parties
  • 1.4.1 A doctor should obtain consent from a patient before disclosure of medical information to a third party not involved in the medical referral. 
  • 1.4.2 In exceptional circumstances medical information about a patient may be disclosed to a third party without the patient’s consent. Examples are: (i) where disclosure is necessary to prevent serious harm to the patient or other persons; (ii) when disclosure is required by law. 
  • 1.4.3 However, before making disclosure without the patient’s consent a doctor must weigh carefully the arguments for and against disclosure and be prepared to justify the decision. If in doubt, it would be prudent to seek advice from an experienced colleague, a medical defence society, a professional association or an ethics committee. 

4.3.3 Confidentiality
  • In general, a doctor is not required to disclose his infectious disease to patients. However he has to inform the Department of Health if it is a notifiable disease. A doctor who treats or counsels another doctor should keep confidentiality. In exceptional circumstances, breach of confidentiality may be warranted, as for instance, when an infected doctor fails to observe certain restrictions putting patients and other healthcare workers at risk. 
  • Maintaining confidentiality is essential in encouraging the doctor to receive proper counselling and management.
23. Clinical research
  • 23.13 The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with the applicable regulatory requirements. 

I. SERIOUS INFECTIOUS DISEASE
32. Confidentiality 
  • 32.2 Difficulties may clearly arise if the patient, after full discussion and consideration, refuses to consent to disclosure. If mutual trust between doctor and patient has been established such a case will, hopefully, be rare. In this case, it is covered by the general ethical standards of the profession and the refusal should be respected. Should permission be refused, however, the doctor will have to decide how to proceed, in the knowledge that the decision reached, may have to be justified subsequently. If the welfare of other health workers may be properly considered to be endangered, the Council would not consider it to be unethical if those who might be at risk of infection whilst treating the patient were to be informed of the risk. They in their turn would, of course, be bound by the general rules of confidentiality.
  • 32.4 Doctors involved in the diagnosis and treatment of HIV infection or AIDS must endeavour to ensure that all allied health and ancillary staff, e.g. in laboratories, fully understand their obligations to maintain confidentiality at all times. 

Nurses

The word "confidence", instead of "confidentiality", is used.
3. Hold in confidence personal information obtained in a professional capacity.
  • 3.1 Nurses ensure that the information given by the individuals in confidence will only be used for the purposes for which it was given.
  • 3.2 Nurses protect the information obtained in the course of professional practice and disclose only with the individuals' consent, or in exceptional circumstances, such as where a court order is made for disclosure.
  • 3.3 When personal information is required for teaching, research or quality assurance procedures, nurses take care to protect the client's anonymity and privacy.

Physiotherapists/ Occupational therapists/ Radiographers [3, 4, 5]

A registered occupational therapist/ physiotherapist shall:
7. Respect the confidence imparted to him in the course of his professional duties, and only discuss patients' affairs with other members of the medical team responsible for treatment.

5. Abuse of professional confidence
Disciplinary proceedings may be taken where it is alleged that an occupational therapist/ physiotherapist has improperly or carelessly disclosed information obtained in confidence from or about a patient in the process of clinical investigation or treatment.

Optometrist [6]

1.4 It is the duty of an optometrist to keep confidential all information concerning a patient unless disclosure is made in the course of referral to another professional or is required by law.

Medical Laboratory Technologists [7]

A registered medical laboratory technologist shall respect the confidence imparted to him in the course of his professional duties, and will only discuss a patient’s affairs with other members of the medical team responsible for the treatment/diagnosis.

General Medical Council

The General Medical Council has revised and expanded its guidance on confidentiality for all doctors practising in the UK. Here are five facts from the guidance, which comes into effect on Tuesday 25 April 2017 [8].

(1) Confidentiality is not absolute
Confidentiality is an important ethical and legal duty for doctors, but it is not absolute. Doctors may disclose personal information without breaching duties of confidentiality under certain circumstances, such as when the disclosure is of overall benefit to a patient who lacks capacity to consent.

(2) Explicit or implied
A patient’s consent to disclose information may be explicit or implied. Explicit consent is given when a patient actively agrees to the use or disclosure of information. Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.

(3) Capacity
Doctors must work on the presumption that every adult patient has the capacity to make decisions about the disclosure of his or her personal information. Doctors must assess patients’ capacity to make a decision at the time that it needs to be made, recognising that fluctuations in patients’ illnesses may affect their ability to understand, retain, or weigh up information or to communicate their wishes.

(4) Disclosures required by statute
A doctor must disclose information if it is required by statute or if the doctor is ordered to do so by a judge or presiding officer of a court. If this is the case, the doctor must be satisfied that the disclosure is legally required and should disclose only information that is relevant to the request. Where possible, doctors should tell patients about such disclosures, unless that would undermine the purpose.


(5) Disclosure required by law
Many laws require disclosure of patients’ information for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism, and the investigation of road collisions.


American Academy of Family Physicians ("AAFP") [9]

A confidential relationship between physician and patient is essential for the free flow of information necessary for sound medical care.
The AAFP believes that patient confidentiality must be protected.

Data sharing is difficult, particularly across state lines given differing state patient privacy/confidentiality requirements. The AAFP believes that state and federal legislators and jurists should seek a greater degree of standardization by recognizing the following principles regarding the privacy of medical information:
  • A. The right to privacy is personal and fundamental.
  • B. Medical information maintained by physicians is privileged and should remain confidential. 
  • D. The privacy of adolescent minors should be respected. Parents should not, in some circumstances, have unrestricted access to the adolescent’s medical records. Confidentiality must be maintained particularly in areas where the adolescent has the legal right to give consent.
  • I. Electronic health information communication systems must be equipped with appropriate safeguards (e.g., encryption; message authentication, user verification, etc.) to protect physician and patient privacy and confidentiality. Individuals with access to electronic systems should be subject to clear, explicit, mandatory policies and procedures regarding the entry, management, storage, transmission and distribution of patient and physician information.
Disclosure:
  • F. Any disclosure of medical record information should be limited to information necessary to accomplish the purpose for which disclosure is made. Physicians should be particularly careful to release only necessary and pertinent information when potentially inappropriate requests (e.g., "send photocopies of last five years of records") are received. Sensitive or privileged information may be excluded at the option of the physician unless the patient provides specific authorization for release. Duplication of the medical record by mechanical, digital, or other methods should not be allowed without the specific approval of the physician, taking into consideration applicable law.
  • G. Disclosure may be made for use in conducting legal medical records audits provided that stringent safeguards to prevent release of individually identifiable information are maintained.
  • H. Policy exceptions which permit medical records release within applicable law:
  1. To another physician who is being consulted in connection with the treatment of the individual by the medical-care provider;
  2. In compelling circumstances affecting the health and safety of an individual;
  3. Pursuant to a court order or statute that requires the physician to report specific diagnoses to a public health authority; and
  4. Pursuant to a court order or statute that requires the release of the medical record to a law enforcement agency or other legal authority.

Medical Protection Society ("MPS") [10]

Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.

The Privacy Commissioner for Personal Data [11]

Privacy: Not a Door for Bullying and Intimidation, Nor a Sword for Arbitrary Law Enforcement; Not a Shield for Unlawful Acts.

The Privacy Commissioner made the following observations and gave an explanation of the relevant laws:
  • (1) Freedom of speech, free flow of information and personal data privacy, which are unique and play an irreplaceable role in this country, have been protected by the laws of Hong Kong (including the Basic Law). However, these fundamental rights are not absolute rights; they are subject to legal restrictions, including others’ reputation and privacy, public order and national security.
  • (7) The Privacy Commissioner states that the Ordinance aims to prevent personal data from being misused or abused. The Data Protection Principles under the Ordinance regulate the collection, storage, retention, use, security, transparency, access and correction of personal data. Patients’ personal data must be used for the purpose stated at the time of collection and for any other use, patients’ consent must be obtained (Principle 3 – Data Use). 
  • (8) Under the Ordinance, there are exemption provisions for certain circumstances, one of which is about emergency life saving - personal data is disclosed to prevent patients or others from suffering serious harm. For example, disclosing a patient’s identity and location to a third party so that the third party can provide immediate rescue service to prevent causing serious harm to the physical or mental health of the patient or others (Section 59 of the Ordinance).
  • (9) Disclosure of personal data for detection or prevention of crime; apprehension, prosecution or detention of offenders is another condition for exemption. However, the hospital has no responsibility to provide data by relying on this exemption. The hospital should determine if the criteria are met before relying on this exemption. The hospital should first ask the enforcement authority requesting personal data to provide sufficient information, including the purpose of data collection, the nature of the case being investigated, the relevance of the requested data to the investigation, the reason why the investigation will be hindered if the data is not provided, etc. Moreover, this exemption provision does not empower the enforcement authority to collect data arbitrarily. When the enforcement authority requests the data, it has the duty to inform the hospital whether the supply of the data is obligatory, or the enforcement authority may contravene the Ordinance due to misleading the hospital or abuse of power (Section 58 of the Ordinance). If there is a dispute between them, the requestor may apply for a search warrant from the court.
  • (10) It is not difficult to understand the logic of this exemption provision. If the enforcement authority is investigating a criminal case and possesses information of the suspects, when it requests personal data from an organisation or a person by proving that there is reasonable ground to believe that non-disclosure of the data may prejudice the detection of crime, the organisation or the person may not use privacy as a “shield” for not providing the data.

Hospital Authority's breach of data security in connection with disposal of patient records [12]

The Privacy Commissioner has served an Enforcement Notice on the Hospital Authority as it has contravened Data Protection Principle 4 of the Ordinance for having failed to take all reasonably practicable steps to ensure that patient’s personal data were protected against accidental access.

Conclusion 
42. The precise cause leading to the abandonment of the hospital wastes on Kui Sik Street is still unknown. The leakage of the personal data in question was clearly an outcome of incomplete or improper shredding of the wastes. The mistake is attributable to CMDS but HA is ultimately accountable. The findings set out above indicate that the Contract between HA and CMDS is inadequate to ensure proper and complete shredding of thermal ribbons, and HA has not competently managed the Contract. On this basis, I conclude that HA had contravened DPP4 of the Ordinance for having failed to take all reasonably practicable steps to ensure patients’ personal data were protected against unauthorised or accidental access. 


Police General Orders [13]

n/a



Summary

Confidentiality is an important ethical and legal duty for doctors, but it is not absolute. 

Doctors may disclose personal information without breaching duties of confidentiality under certain circumstances:
  • patient's consent
  • to prevent serious harm to the patient or other persons
  • required by statute, e.g. to report specific diagnoses to a public health authority
  • required by law
Different disciplines may have different views on patient confidentiality.

REFERENCES



Dr. Pierre Chan
26 Oct 2019
