How can confidentiality be breached
In , the Caldicott Report was commissioned to provide a framework for the storage and use of patient information as shown in Table 1. As a result, each NHS Trust has a nominated Caldicott Guardian responsible for protecting patient confidentiality by ensuring the Caldicott principles are followed when breaching confidentiality.
All users and handlers of patient-identifiable data should be aware of their responsibilities. More recently, a review of information governance by Dame Fiona Caldicott was commissioned by the government in to look at the need to balance the protection and sharing of patient information in order to improve patient care in a modern world.
Inadvertent breaches are potentially commonplace on wards if medical notes are left visible or patient consultations and preoperative assessments are conducted in an open environment. The increased use of computerized documentation results in faster and wider distribution of information with an increased risk of unauthorized access. Unintentional breaches of patient information may occur when e-mailing colleagues.
Data encryption e-mail services must be used by both the sender and recipient if patient details are communicated in this manner to prevent unauthorized interception of messages. Confidential patient information maintained on personal computers must also be encrypted since password protection can be easily bypassed. Confidential patient documents, including theatre lists, should be discarded by paper shredding, while electronic data shredding should be used when disposing of computer hardware.
Photography and video forming part of patient records must be subject to strict control using only hospital trust equipment, obtaining consent for the recording and minimizing identification where possible. Images of internal organs, pathology slides, or radiographic images can be taken under the proviso of implicit consent for the investigation or treatment.
In a recent survey of trainees of all specialities, anaesthetists were among the least aware of guidelines to protect confidential information. This could have resulted in referral to the GMC. Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed. Have appropriate technical and organizational measures taken to prevent unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Not be transferred to a country or territory outside of the European Economic Area unless that country or territory has adequate protection for the rights and freedoms of the data subjects in relation to processing of personal data.
Not only does the duty to protect patient confidentiality extend to the Internet, but libel laws can also apply to inappropriate comments made on these websites. When using social networking sites to discuss clinical events, users must be particularly mindful to not disclose any identifying information such as the date and location of the event and also patient-specific details.
The circumstances permitting deliberate disclosures will now be discussed further. The three general principles underlying disclosures are those with patient consent, those regarding a statutory obligation, and those for which the public interest outweighs the preservation of confidence.
This is the most common reason for revealing confidential details. If the patient expressly consents to disclosure, a doctor is relieved from the duty of confidence. Consent may be explicit or implied. Explicit consent requires active agreement but may be written or oral.
It is the preferred form as there is no doubt as to what has been agreed and is usually required for sharing more sensitive data.
The patient must have the necessary capacity to consent, that is, understand, retain, and balance the information, and also communicate their decision. This can be challenging in the critical care setting when patients are often sedated or suffering disease processes affecting their conscious level. Disclosures made with the patient's consent are in theory not breaches providing the consent is fully informed and freely given.
Patients should ideally disclose information voluntarily or be informed of the disclosure beforehand, and where practicable consent obtained. Other disclosures may be justified on the presumption of implied consent, when obtaining consent is undesirable or not possible, for example, a sedated patient on the intensive care unit (ICU). This may extend to Independent Mental Capacity Advocates, Lasting Powers of Attorney, or deputies appointed by the courts for decision-making on matters of healthcare.
Any decision made on behalf of an individual lacking capacity to disclose should be done so proportionately and in their best interests. Frequently, disclosures of personal information take place between members of a healthcare team. Most patients accept that information needs to be shared within the healthcare team to provide optimal patient care or learning opportunities. Alternatively, it could be argued that non-disclosure may result in negligence on behalf of the doctor for omitting important facts relevant to care.
Disclosures should always be limited to reveal only the relevant and appropriate information. Student doctors and nurses have access to patient records as part of their training. They are not subject to discipline by GMC but by their undergraduate medical or nursing school. It is expected that they maintain professional standards with regard to patient confidentiality.
The public is not likely to be aware of the degree to which their information is transferred. Medical research requires express consent to be sought. Audit is often undertaken under the presumption of implied consent and is therefore acceptable if data are sufficiently anonymized. Educational publications require signed consent except in exceptional circumstances when a subject cannot be traced. Ideally, it is important for doctors to maintain professional integrity by making efforts to gain express consent where applicable.
Children may wish to withhold sensitive information from their parents. The mature minor's right to confidentiality is permitted when it is deemed in their best interests Gillick v Norfolk and Wisbech Area HA [] AC There does remain a duty on the doctor to persuade the child to inform their parent or to allow the doctor to do so.
If the doctor suspects the child is at risk, they are required to report their concerns to the relevant authorities. This applies to anaesthetists who may only be caring for the child during a short visit for surgery.
This allowed us to determine if the breach of confidentiality was an isolated or repeated incident, which in turn, had an effect on the degree of severity of the breach. Once all the templates were collected, the recorded breaches of confidentiality were classified into three categories according to their description as follows: Confidentiality breaches related to the custody of clinical histories and records (admission forms, clinical and nursing report sheets, laboratory tests and other complementary examinations, and any other type of record containing patient data), as well as computer access to such records.
In addition, we ranked the severity of the breaches described above from low to high severity as follows: Minor confidentiality breaches are defined as those in which sensitive patient data is not properly safeguarded or handled (excluding the following categories), but which do not result in observable consequences.
This includes the custody of clinical histories and records or breaches due to inadequate hospital infrastructure. Severe confidentiality breaches are defined as the disclosure of sensitive data, as well as incidents that result in some kind of observable consequence. Such breaches are considered to be particularly severe as these data are of a highly private nature. In order to reduce the number of areas where the observations were recorded, we grouped the areas into categories based on their similarity as follows:
Meeting areas (offices, classrooms, etc.). The observers were required to record the staff member who committed the breach of confidentiality. Once all the data were collected, it was found that two or more staff were often responsible for the confidentiality breach.
The personnel were classified as follows: Given that the observers were assigned different rotation periods during the academic year, the total hours of observation varied across medical departments (Table 1).
Thus, a new quantitative variable broken down by medical department was used: the Frequency Index (FI). The FI indicates the number of confidentiality breaches recorded per hour of observation. To calculate the FI, the number of breaches committed in each department was averaged against the total hours of observation. For the FI quantitative variable, the comparison of means in the different medical departments was performed using the Kruskal-Wallis and Mann-Whitney U tests post-hoc.
Observations were conducted over a total of days and 33, h in the medical departments of the hospital during the study period. A total of checklists with the observations recorded during the rotation periods were collected. Five of the confidentiality breaches reported by the observers were excluded from the study because some of the situations involved incidents not directly related to confidentiality.
Specifically, these were cases where informed consent protocols were not properly followed or situations in which patient privacy was not violated because their clinical or personal data were discussed in the context of a clinical session to decide the most appropriate therapeutic approach to be taken. Finally, questionnaires with valid observations were collected, of which As regards distribution across medical departments, the largest number of checklists Pediatrics followed close behind with The general characteristics of all the recorded confidentiality breaches, including their type and severity, where they were observed, and the personnel involved, are shown in Table 2.
This type of breach accounted for With regard to the personnel involved in the confidentiality breach, staff were responsible for of the observed breaches. This is due to the fact that many of the incidents involved more than one person.
Most of those responsible for the observed breaches were physicians, specifically As shown in Fig. Therefore the calculations were performed on rather than the initial observations, and a total of observed breaches were considered instead of Across departments, physicians committed breaches of confidentiality most frequently, especially in Internal Medicine and the Emergency Department Breaches were committed less frequently by the other groups; specifically, Similarly, a statistically significant association was found between certain categories of personnel involved in the observed breach and type of breach Table 3.
Breaches were observed more frequently in public areas corresponding to General and Digestive Surgery Regarding the personnel involved in the breaches Fig. The most frequent breaches were of a severe nature in all of the medical departments, particularly in other medical and surgical specialties Severe breaches were observed more frequently in meeting and specific work areas The main objective of this study is to highlight the importance of patient confidentiality as a legal and ethical duty of health professionals in charge of patient care.
To achieve this objective, and through a field study using many hours of direct observation a total of 33, h , we have tried to reveal situations in which these professionals violate a duty inherent in their relationship with patients. To date, very few studies have directly recorded incidents related to confidentiality breaches during clinical practice in healthcare facilities, nor the frequency with which they occur.
Our study was conducted in a university tertiary hospital, but unlike the previous study, the observations were made in virtually all areas of the hospital; specifically 37 different CMUs. The observers recorded confidentiality breaches in all the departments, with a global FI of 0. The median FI of confidentiality breaches Fig. This is probably due to the fact that although fewer total hours of observation were conducted, this category includes a larger number of CMUs. In , the Emergency Department of the hospital involved in our study conducted , medical patient visits.
Footnote 3 Considering that our estimate was made jointly Internal Medicine and the Emergency Department , the median of breaches was 1 per every As can be seen, the average number of breaches we recorded was much lower than that reported by Mlinek and Pierce [ 11 ] even considering our joint category.
There are many additional reasons why both studies are not comparable. For example, Mlinek and Pierce [ 11 ] recorded a wide range of incidents that included comments and information obtained on patients through auditory and visual observation. Moreover, the observers in their study were specifically located in certain areas of the hospital chosen by the researchers themselves which are conducive to certain types of confidentiality breaches considered to be the most frequent.
Another factor regarding the lower FI we report is that our observers received specific training using a checklist of the most common breaches, although this may have conditioned them to focus primarily on the breaches established by the researchers a priori. The checklists completed by the observers included a record of the hours and days spent observing each medical department, as well as other information such as a description of the observed breach of confidentiality, the area of the hospital where it occurred, and the type of staff; factors that were taken into account when analyzing the recorded incidents.
Our study reveals that most confidentiality breaches or incidents regarding a disclosure of confidential information occurred primarily in public areas such as corridors, elevators, and stairs Due to the presence of people external to the hospital in these areas, confidential information should be treated with utmost care.
Indeed, one of the first fieldworks on the breach of confidentiality [ 10 ] already pointed in that direction. In our study, public areas were followed closely behind by work areas This widespread phenomenon varied from one department to another and also depended on the type of breach.
Regarding the categories of confidentiality breaches we established, a large number were related to the custody of clinical records (Type 1). As for electronic clinical records, there were a number of cases where computers were left unguarded, thus allowing anyone to access them. The improper destruction of records with patient data (such as throwing out the trash in public wastepaper baskets without destroying bracelets, identifying stickers, or patient lists) occurred to a lesser degree.
The disclosure of clinical or personal data to non-medical staff or third parties Type 2 was the most frequent type of breach Conversations in which specific data was revealed about patients were also frequent in public areas, especially corridors, stairs, and elevators.
The observers also reported other situations in which practitioners decided to place several patients in the same room in order to conduct certain examinations due to the shortage of material. In relation to the degree of severity, severe breaches were the most frequent This is due to the fact that most incidents were related to the disclosure of clinical or personal data Type 2 , and were considered particularly severe with regard to protecting patient privacy.
Breaches which led to some kind of observable consequence were also considered severe; for example, when conversations inside an exam room were overheard because the door was left open, and obviously when there was some intentionality in the action.
In most cases, we assume that the reasons for such breaches of confidentiality arise from a lack of knowledge about the legal and ethical repercussions of such actions, as well as carelessness in handling information. Our opinion is in line with studies such as that of Elger [ 12 ] who conducted surveys with groups of physicians. They found that although health professionals are often aware of the importance of confidentiality, a significant percentage does not know how to avoid breaches of confidentiality in their daily practice.
We found that breaches defined as severe It is considered a breach of confidentiality when a lawyer reveals the information he received during professional conversations. It is prohibited by federal law. To obtain legal advice from their lawyer, the clients must divulge accurate and confidential information. They will do so if they trust their secret won't be revealed.
This principle is known as attorney-client privilege, and it guarantees that even if the clients confess their guilt, their confessions won't be disclosed or used against them.
Lawyers are not allowed to speak to the media or the police or testify in court concerning these confessions. In most jurisdictions, the protection of attorney-client privilege won't apply if any of the following are true: It constitutes a breach of confidentiality if doctors, physicians, psychologists, and psychiatrists expose anything they were informed of by the patient during the treatment process, even after the deaths of their patient. Criminal charges arise only in extreme cases that resulted in significant financial, emotional, or physical loss to the victim.
For example, theft of intellectual property or using confidential information for financial gain could warrant criminal punishment. In the event of criminal violations, state or federal government officials prosecute the individual responsible for the breach.
If an employee is responsible for workplace confidentiality violations, you may be wondering what recourse you may have. Many companies use confidentiality agreements when hiring new employees. A confidentiality agreement typically includes an explicit clause stating that an employee who breaches the confidentiality agreement will be terminated. Employment contracts also often authorize termination for the unauthorized disclosure of confidential information.
Thus, termination may be a viable option. Sometimes, however, termination of the employee may not be sufficient to repair the damage that resulted from their breach. In certain cases, employees who commit confidentiality breaches and harm their employer may be responsible for any loss of revenue that results from the breach. If you have questions about whether your business may have a legal claim against an employee for a breach of confidentiality, contact an experienced employment law attorney today.
In all business industries, protecting the private information of your clients, your employees, and your company is paramount. A failure to do so can result in severe reputational and monetary consequences, employment terminations, and even lawsuits. Dealing with workplace confidentiality violations can be overwhelming. But there are ways you may be able to mitigate the effects and take action to recover. At BrewerLong, we have the experience and sophistication necessary to get you through any business-related legal needs that come your way.