Search the website

Confidentiality as part of a bigger picture

A discussion paper from the BMA
May 2005

Executive summary
Introduction
The BMA currently advises that legally and ethically health professionals are responsible to patients for the confidentiality of the health information they hold. When they provide information, patients imply consent to some sharing with other healthcare professionals. There should be no use or disclosure of any confidential patient identifiable information gained in the course of professional work for any purpose other than the clinical care of the patient to whom it relates. There are three broad exceptions to this standard:

• where there is consent;
• where the law requires disclosure; or
• where there is an overriding public interest in disclosure.

It would seem timely, however, for the BMA to debate how data currently, and in the future, flow within the healthcare system given the move away from a more personalised healthcare service. In previous discussions within the BMA, some suggested a move away from a position on health information that primarily emphasises individuals’ duty of confidentiality, to a position more akin to data protection or information governance, thus establishing a policy framework that places emphasis on whether records are fit for purpose, in addition to maintaining confidentiality. Exploration of an information governance/data protection position in this paper is not for the purpose of advocating a change in BMA policy, but instead to reflect a viewpoint that differs from traditional policy and practice, and consequently to enliven debate about data issues.

Discussion in the BMA regarding the Association’s traditional confidentiality position has arisen out of a changing climate regarding how patient data are obtained and shared in the NHS. Given the importance both healthcare professionals and patients place on confidentiality, it is crucial that the BMA instigates when necessary and contributes to the wider debate surrounding these changes, raising questions such as:

• Whose information is it and who should benefit from it – the authors, the data subjects, the wider community, the State? At present, each of these has some claims on the control of information. How does this impact on individuals’ rights and responsibilities?
• What ethical principles are engaged in different methods of data handling – for example, confidentiality, privacy, consent, trust, beneficence, non-maleficence, autonomy, fairness, and equity? Which principles take precedence?
• Should future information sharing within the health service for the direct clinical care of patients follow the traditional implied consent model with its existing exceptions, or do modern day healthcare delivery changes require a different model, for example a predominantly “explicit” consent model? Or should there be a mixture of implied and explicit consent, depending on the circumstances? Or in some circumstances, neither implied nor explicit consent, but instead simply informing patients that their data are being used for certain purposes?
• Should all data be treated the same? For example, are there differences in how fertility treatment, genetic, sexual, psychiatric, and social data should be handled?
• Who is and should be responsible for the ongoing maintenance of the core information in a patient’s record – individual healthcare professionals/teams, one named healthcare professional/team, the patient? What data can be shared?
• Can there or should there be a “core” or aggregate record? Should records be segregated by author, team, organisation, or specialty? What impact does the concept of sharing data have on this and vice versa?
• What is meant by “sharing” information? Only relevant and appropriate data – can this be determined prospectively for certain types of “sharing”, or does it require a case by case assessment? Do data controllers always fully understand what is “relevant” for prospective data receivers?
• And most importantly – what do patients really think?

From the outset it should be stressed that this paper only applies to data that are, or can be, identifiable (i.e. this includes pseudonymised data). Data from which it is impossible to know or guess a person’s identity are excluded as they are generally no longer considered confidential. The paper is also not about the detail of current technological initiatives, for example the National Programme for Information Technology (NPfIT) in England, but rather about the broader ethical principles behind data handling.

Looking at the broader principles, it is a long-established tenet of medical ethics that doctors have a duty of confidentiality for all identifiable health information learnt in a professional capacity. The BMA has long emphasised this obligation to protect patients' personal health data but has also agonised over the fact that doctors increasingly have less actual control over data use. Naturally, patients not only expect doctors to maintain confidentiality but also to share relevant information appropriately, making it promptly accessible when necessary for effective patient care. This perceived diminution in control stems from a legitimate need to disseminate information more widely as working practices change and more healthcare professionals are involved in the care of an individual patient. Arguably though, the development of modern electronic systems opens up increasing possibilities to ensure greater control over data use, if developed and implemented appropriately.

What do patients think?
Patients’ views are crucial but research on them is scanty. A review of the available research on patients’ views showed that there is no evidence to suggest that patients give higher weight to confidentiality or to the need for health professionals to have timely access to relevant information. (There is of course no need for them to be mutually exclusive.) The research suggests that patients would be sympathetic to increased information exchange between healthcare professionals within the NHS, provided it leads to improved care and information is secure from unauthorised external access. The greater the distance from those directly involved in patient care, the greater the concerns about access. It is clear, however, that more research is needed about what patients really think.

An “information governance/data protection” model
In June 2004 a BMA Council working party met to discuss the issues surrounding uses of patient identifiable information. Diverse views were expressed on the day. Nevertheless, there appeared to be a majority view that the BMA’s position on confidentiality needed to be modified to meet the expectations of modern-day patients. An alternative position was put forward – a data protection/information governance model which placed confidentiality in a much larger context. Subsequent consultation within the BMA has shown, however, that there are many, particularly from the general practitioner community, who still strongly support and promote the traditional confidentiality model and desire to maintain the traditional doctor-patient relationship. For example, in response to an earlier draft of this discussion paper, the Joint General Practitioners IT Committee argued forcefully that “Not changing [the traditional confidentiality position] will not be a loss to either patients or profession”.

General practitioners’ views are of particular significance given the traditional role of GPs as holders of patients’ lifelong records, continually and holistically charting patients’ care throughout their life, rather than the intermittent, episodic and condition-driven exposures to patients that characterises secondary care. As a result, it is unsurprising that GPs have developed valuable expertise in the management of patient data that needs due consideration in this continuing debate.

The Data Protection Act 1998 might provide a structure on which to base an information governance position. The Act contains eight principles designed to make sure that information is handled properly. Data must be:

1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept for longer than is necessary;
6. processed in line with data subjects’ rights;
7. secure; and,
8. not transferred to countries without adequate protection.

A data protection model would ensure the proper protection of individuals’ personal medical data, within the context of a modern day healthcare system. It would emphasise confidentiality and privacy, punishing any individuals who access or use other people’s personal medical information inappropriately. In addition, it would also aim to ensure that records are “fit for purpose” by ensuring, for example, that they are accurate, adequate, and relevant.

Fairly and lawfully processed – consent and confidentiality
Patient consent is of prime importance. Patients must know when and what information about them is being processed and shared. But what is the appropriate consent model in the future healthcare setting – implied or explicit? Is consent an absolute principle, or can there be circumstances where patients can be informed without the opportunity to opt out of data-sharing?

Confidentiality is also encompassed in processing data “fairly and lawfully”. Although confidentiality remains part of a data protection model, the emphasis is arguably slightly different to how it is applied under the traditional confidentiality model. Confidentiality can have connotations of secrecy and privacy; however, criticisms have been made that often in medical practice the emphasis is on secrecy rather than privacy.

Due to the changing relationships in healthcare – primarily a move away from a doctor-patient relationship to a patient-healthcare service relationship – it is argued that a shift from individuals keeping information secret, to trusted and trustworthy systems keeping information private, is crucial. But is this possible?

Responsibility and liability
Due to changes in how healthcare is delivered, doctors will continue to have less control over the patient data they obtain from treating patients as this will potentially be disseminated a lot more widely as healthcare is delivered by multiple healthcare professionals/teams. This makes it impossible for there to be an expectation that individual healthcare professionals can be the sole guardians of confidentiality. Therefore, there needs instead to be a more collective responsibility within the NHS to safeguard confidentiality with each individual healthcare professional still maintaining their duty of confidentiality and privacy.

A data protection model clearly places the confidentiality responsibilities on whoever is processing/handling the patient data, whoever that might be, and also aims to ensure that systems are set up so that information is held securely.

Safe and effective care
The interest and safety of patients should be the primary concern, with due regard to patient confidentiality, to ensure that relevant information is made available to the various care providers and the patient is not harmed. This requires good communication between healthcare professionals, with the patient’s consent, so that relevant medical information can be shared in connection with the care of the patient. This will become increasingly important as multi-disciplinary healthcare teams are involved in the care of an individual patient.

In order to ensure that all health professionals have the information they need to deliver care to patients safely and effectively, there needs to be a system that allows relevant information to flow to those who have a legitimate right of access for as long as they need it, whilst maintaining patients’ privacy.

Quality information
Good quality information is adequate, relevant, not excessive and accurate – all virtues espoused in a data protection model. Nevertheless, practical questions arise as to whose job it is to ensure that records – particularly when shared by various healthcare providers – are always accurate and up-to-date.

Traditionally there has not been sufficient emphasis on the quality of the patient data held, as illustrated by the Victoria Climbié case. (Child abuse was missed by healthcare professionals partly through insufficient information sharing.) Even if Victoria Climbié’s records had been disclosed to the appropriate people involved in her case (which would have been justifiable under current statute and standards of confidentiality) it may have been of little use due to the limited extent and quality of the information.

Focus on the quality of information will become increasingly important with multi-disciplinary healthcare providers recording and accessing patients’ information. Different kinds of healthcare providers have placed different emphasis on what is relevant patient information, and how this should be presented, as have different specialties. A data protection model would focus attention on the actual data itself.

No surprises
A change from a traditional confidentiality model to a data protection model should not, and does not, reduce any obligations to ensure patients are informed about how their data are used and managed. Indeed it arguably places more emphasis on the need for patients to be clear on how their data should and should not be used. Questions arise, however, as to whether patients should be informed or should actively control how data are shared. The Association would, therefore, continue to welcome considerably more awareness-raising information for the public about the use of health information. Arguably what is required is a shift from trust between identifiable individuals to trust between the individual and a trustworthy system (however that may be organised) with respect to how their data are stored and accessed. This too, however, raises issues about the reliability of the particular system chosen.

Research
There is mounting concern that the present climate around uses of patient data is becoming counter-productive, particularly for research. Anecdotally there are reports that obtaining ethical approval for research projects has become increasingly difficult over the last five years due to complex bureaucracy and uncertainty over the law surrounding uses of data.

There are clearly benefits to society in conducting research for the future development of healthcare in the UK. Thus, society has an interest in promoting research and innovative treatment within an acceptable and workable framework. Such an acceptable framework, however, involves positively consulting patients whenever possible if identifiable data are used. This potentially raises problems for some research, particularly involving incapacitated or unconscious people. On the other hand, impossibly high standards run the risk of pushing some research out of the UK.

An information governance model might address some of the concerns in the current debate in a couple of ways. First, there is an opportunity to highlight to the healthcare profession and the public the ways in which data can helpfully be used for purposes other than for patients’ direct clinical care, for example for research and teaching purposes. It should be possible to integrate consent procedures into everyday clinical care for patients to permit subsequent approaches by authorised researchers seeking consent for the use of their data, thus enabling patients to be partners in research. (Anonymised or pseudonymised data should still be used where possible.) Second, good quality health information, which is part of the focus in a broader information model, also provides quality research data which improves epidemiological and other study outcomes that advance medical knowledge and understanding, irrespective of whether the data are subsequently used on an anonymised or consent footing.

Potential ways forward
If there is a deployment of new and different data systems to aid changing working practices, these should be driven and underpinned by considered and agreed principles. Given the paramount importance that many place on the confidentiality and privacy of their health information, debate around this should take place in an open and transparent manner, led by patients and the healthcare profession.

Any new system needs adequately to consider the following key questions:

• What data would be held and where? Is the physical location of data important or is it the access controls placed on data that are important?
• Who would input the data, and how?
• How would it be ensured that only “relevant” data were shared with other healthcare professionals, rather than whole records?
• How would patients and the various healthcare communities, e.g. GPs, GUM clinicians, be assured that there was adequate security of patients’ data managed by the health service, and thus embrace any system?
• Who would be the guardian if there were a more composite record – the GP as per tradition, the patient, a healthcare professional specified by the patient?

One of the key problems appears to be that there are no tested, known, proven systems that are readily available that address all of these issues. This is potentially problematic for gaining acceptance of and trust in new systems from patients and clinicians.

Summary
With a move away from this vision of a personalised one-to-one health service, it is arguable whether the concept of a traditional confidentiality-based relationship is sustainable. A data protection/information governance model has been raised as a possible alternative, although considerably more debate is needed around this and the more general issues of future data management.