CPD
Prepare for revalidation:
read this CPD article and
write a reflective account
http://revalidation.zone
CONTINUING
PROFESSIONAL
DEVELOPMENT
 Page 60
Patient confidentiality
multiple choice
questionnaire
 Page 61
Read Brenda
Chivima’s reflective
account on lung cancer
 Page 62
Guidelines on
how to write a
reflective account
Respecting patient confidentiality
NS778 Price B (2015) Respecting patient confidentiality. Nursing Standard. 29, 22, 50-57.
Date of submission: September 5 2014; date of acceptance: November 5 2014.
Abstract
Nurses face a particular challenge in respecting the confidentiality
of patients in a world where information is quickly shared and where
information about illness can be sensitive. We have a duty of care towards
patients. That duty includes maintaining privacy (protecting them from
undue intrusion), and confidentiality (by the discreet management of
information about themselves that they share with us). Legislation on
confidentiality comes from different sources and should be interpreted
in the clinical setting. This article summarises the principal requirements
set out in the legislation and directs readers to questions and tools
designed to help them explore the extent to which patient confidentiality
is respected where they work.
Author
Bob Price Healthcare education and practice development consultant
Correspondence to: [email protected]
Keywords
Confidential information, confidentiality, data protection, human rights,
information governance, informed consent, mental capacity, privacy,
patient confidentiality, patient privacy, sharing information
Review
All articles are subject to external double-blind peer review and checked
for plagiarism using automated software.
Online
For related articles visit the archive and search using the keywords above.
To write a CPD article: please email [email protected]
Guidelines on writing for publication are available at:
rcnpublishing.com/r/author-guidelines
Aims and intended learning outcomes
The aim of this article is to help readers
understand the principles of confidentiality
and associated safeguarding requirements
and to use these to evaluate how well patient
information is protected where they work.
No individual nurse is solely responsible for
the safeguarding of patient confidentiality,
and for that reason the time out activities in
this article explore what is understood and
done collectively. In the interests of brevity, it is
accepted that patients have a right to have their
information handled in a confidential manner.
The philosophy and ethics of confidentiality
will not be debated. After reading this article
and completing the time out activities you
should be able to:
Distinguish between privacy and
confidentiality, and explain how the latter
supports the former.
Outline legal requirements associated with
confidentiality and informed consent.
Use a series of questions to help you
determine whether or not to disclose
information.
Identify how changes in health informatics
and especially healthcare record systems
can increase the risk of breaches in patient
confidentiality.
Explore with colleagues the extent to which
you are prepared to protect the confidentiality
of patients.
Complete time out activity 1
Introduction
Nurses are charged with the safekeeping
and protection of the information that
patients share with them. This is what patient
confidentiality means. Yet a number of factors
make it difficult to treat patients’ information
50 january 28 :: vol 29 no 22 :: 2015
© NURSING STANDARD / RCN PUBLISHING
confidentially. Patients spend short periods
of time in hospital and are frequently in areas
where it is difficult to refer to their information
without others overhearing (Rogers 2006).
There is an increasing effort to conduct shift
handovers at the bedside (Kerr et al 2014),
and those on the other side of the curtain may
overhear conversations. Nurses have limited
time to establish who patients wish to have
access to information about their health and
care circumstances. Patients may or may not
want family members to know about their
condition. It can be difficult to ascertain who
patients see as their confidants with today’s
complex social relationships (Richards and
Barker 2013). Health care makes increasing
use of electronic record systems and much of
the healthcare information shared is managed
online (Lewis et al 2013). Health and social
care are increasingly integrated and this means
that more people may wish to access patient
information (Hudgins et al 2013).
The requirements of law and professional
standards make confidentiality a taxing matter
for nurses in a busy and resource-constrained
working environment (Table 1). The Code
(Nursing and Midwifery Council (NMC)
2008) makes it clear that nurses must ‘make the
care of people your first concern, treating them
as individuals and respecting their dignity’,
but it also requires the nurse to ‘work with
others to protect and promote the health and
wellbeing of those in your care, their families
and carers, and the wider community’.
The first of these requirements is explicit
regarding protecting patient confidentiality
by securing consent to information sharing,
while the second encourages the nurse to
share relevant information with others who
contribute to the care plan. Legislation
underpinning the nurse’s responses regarding
confidentiality comes from common law
(court cases which set precedents); the Human
Rights Act 1998, which in article 8 explicitly
states the ‘right to respect for his private and
family life’; the Data Protection Act 1998,
which sets principles for the handling of data,
including that of vulnerable individuals; and the
1 Identify three or
four colleagues who
might become your
confidants. Ask them
whether they are
prepared to share a
series of reflective
practice discussions
with you.
TABLE 1
Key legislation and policy directives relating to patient confidentiality
Legislation or policy directive document
Importance of legislation or policy
The Caldicott Committee: Report on the
Review of Patient Identifiable Information
(Department of Health (DH) 1997).
Information: to Share or Not to Share?
The Information Governance Review (DH 2013).
Both reports stem from the Caldicott inquiry and relate to the rights of patients
in a rapidly developing digital age. They recognise the increasing complexity of
health care and the risk that patient rights may be overlooked as healthcare
systems advance. These documents are especially important in a review of record
systems and practices.
Confidentiality: NHS Code of Practice
(DH 2003).
The NHS code of practice underpins much information governance work conducted
in healthcare organisations today. It is likely to be a key point of reference when
information management systems are reviewed as part of an audit.
The Care Record Guarantee. Our Guarantee
for NHS Records in England (DH 2011).
A Guide to Confidentiality in Health and Social
Care: Treating Confidential Information with
Respect (HSCIC 2013).
These documents represent two sides of a coin: one presented to the public
(DH 2011) and one recommended to healthcare staff (Health and Social Care
Information Centre (HSCIC) 2013). Patients and their pressure groups can scrutinise
to what extent healthcare organisations have met the precepts in these documents.
The Code: Standards of Conduct, Performance
and Ethics for Nurses and Midwives (Nursing
and Midwifery Council 2008).
The Code sets out precepts of required practice. It is left to nurses to discuss how
these are adequately met in a healthcare system of limited resources, competing
priorities and multiple claims regarding patient rights. Any review of patient
confidentiality arrangements must refer to The Code, which helps the team keep
in mind their professional as well as their employee responsibilities.
Human Rights Act 1998.
This act is not confined to healthcare needs and circumstances. It addresses
human rights in a wide variety of circumstances. It underpins DH policy on
patient confidentiality.
Data Protection Act 1998.
Increasing data relating to members of the public are stored and used for a
variety of governmental and commercial purposes. The act challenges us to think
about why records are made, how they are stored and how they are used.
Mental Capacity Act 2005.
The ability of an individual to give consent to share his or her information depends
on mental capacity. Mental capacity assessments are required where such
capacity seems in doubt and treatment and/or information sharing decisions are
to be made by others.
© NURSING STANDARD / RCN PUBLISHING
january 28 :: vol 29 no 22 :: 2015 51
CPD professional issues
Mental Capacity Act 2005, which clarifies
who is competent to give informed consent
to share information. The Department of
Health (DH) (2003) distils its expectations
within Confidentiality: NHS Code of Practice.
More recently, further guidelines have been
issued: A Guide to Confidentiality in Health
and Social Care: Treating Confidential
Information with Respect (Health and
Social Care Information Centre (HSCIC)
2013), and the original Caldicott report on
management of confidential patient information
(The Caldicott Committee. Report on the
Review of Patient-Identifiable Information)
has been updated (DH 1997, 2013).
Duty of care, privacy and confidentiality
Respecting patient confidentiality begins
with a clear understanding of terms. The first
of these is ‘duty of care’. Young (2009)
makes it clear that the nurse has a duty of
care towards the patient, but that the scope
of duty of care may be extending, in light of
shifts in the ethos of nursing. Family-centred
care, for instance, asks the nurse to see
the patient’s needs within the wider
family context. That duty is increasingly
collaborative, rather than paternalistic,
and the nurse spends more time helping
individuals to make decisions of their own.
However, this shift in professional thinking
does pose some problems. There is greater
emphasis on the rights of an individual in
legislation and a default assumption that,
unless that individual gives permission for
information to be shared, others should not
be made party to it. Duty of care provides
the nurse with a challenge. In law, patients
have primary rights on information about
their health circumstances, and the nurse’s
duty of care is to them over and above that
to others such as family or carers. While it is
hoped that others may be able to collaborate
in care, this cannot override the right of
the individual patient to determine what
is disclosed about him or her. There are
always exceptions to this rule where the
nurse must disclose information, for example
information associated with children or
vulnerable adults at risk of harm. However,
in the main, the patient retains the right to
determine who is told what information
and to what degree. For example, the nurse
might wish to engage siblings of a teenager
diagnosed with cancer in patient support,
but since this relies on shared information
52 january 28 :: vol 29 no 22 :: 2015
that the teenager controls, the nature of
support will always be defined by patient
confidentiality rights.
Duty of care helps the nurse to understand
his or her information management
responsibilities (Young 2009). There may be a
hierarchy of care recipients, who have differing
information needs. Patients need to control
information to sustain personal dignity, carers
need information to arrange support, and other
healthcare professionals need information to
co-ordinate treatment. The patient is at the top
of the hierarchy.
Two terms are important but sometimes
confused. The first of these is privacy. Patients
have a right to privacy and to limit the level of
intrusion by the nurse into their lives. Nurses
should ask only those questions that will help
them understand the patient’s problem or
need and that assist them to plan care with the
patient. Privacy involves protecting patient
integrity. Patients are free to limit what they
will disclose (Agris 2014). The root of the word
integrity is integra, which is associated with
social worth, and was associated with heraldic
regalia in medieval times. Individuals represent
themselves through disclosed information as
they once did using coats of arms (Price 2009).
They expect their representation to be honoured.
The term confidentiality refers to
information about the patient. Once the
patient has shared personal information, he or
she entrusts it to the nurse for safekeeping.
This information represents the individual
and, because patients are not constantly
monitoring how it is used, information shared
with nurses could leave patients exposed.
In theory, the information could be exploited
for personal, financial, commercial or other
gain. For Bernoth et al (2014), the right to
confidentiality is an extension of the right
of privacy. When information is shared, it is
no less important and it still represents the
patient. Even after their death, there remains
a responsibility to respect and protect the
information about the patient (Lowth 2013).
Nurses should avoid intruding into patient
privacy as far as possible and honour the
patient’s trust when information has been
shared with them.
Another term, information governance,
refers to the safe and secure management
of sensitive patient information, and its
transparent use as framed by legislation and
codes of conduct (HSCIC 2014). Information
governance refers to the ways in which
healthcare agencies marshal their policies, staff
© NURSING STANDARD / RCN PUBLISHING
training and safeguarding systems so that the
information shared by patients is protected.
Complete time out activity 2
Consent and confidentiality
Confidential patient information includes
information relating to illness, injury, disability,
treatment and care and progress associated
with these. It also includes background and
demographic information about patients,
where they live, their age, gender, lifestyle,
religious beliefs, sexual orientation and
cultural practices that might have been deemed
relevant to a healthcare problem. The DH
(2003) sets out a confidentiality model with
responsibility to protect information and the
patient, to inform patients about what you
would like to do with their information, and to
provide them with choice, because patients
should have a deciding say in what is disclosed.
Security of patient records and consultation
with patients on what may be disclosed are
interrelated. Healthcare organisations are
charged with reviewing both aspects as part of
quality assurance.
A brief study of this model reveals that it
is difficult to carry out health care if each
and every disclosure of information has to
be mandated by the patient. The DH (2003)
allows information to be shared with other
healthcare staff without patient consent when
the patient has been informed in advance of
the ‘use and disclosure of their information
associated with their healthcare’, and when
‘the choices they have and the implications
of choosing to limit [what] information may
be used or shared’ have been discussed with
them. Nevertheless, the DH (2003) reminds
the nurse that opportunities should be seized
to check that the patient is content with
this arrangement, especially if healthcare
circumstances change. For example,
if a patient’s condition suddenly deteriorates,
he or she may revise what information can
be shared. It is important at the start of a
care programme, for example on admission
to hospital, to explain how the care team
wishes to share information with relevant
healthcare professionals. Consent to treatment
– a necessary invasion of privacy – is different
from consent for information to be shared
– a matter of confidentiality. The default
permission granted to a care team to use such
information is circumscribed. It may not
extend to sharing information with social
care agencies, although the Caldicott report
© NURSING STANDARD / RCN PUBLISHING
recommends the redefinition of healthcare
teams to include social workers so that
information can be shared with them more
easily (DH 2013). Separate permission needs to
be sought to share information with family and
friends, or those who may be informal carers.
More abstract information (information
that does not name individual patients)
can be disclosed without securing permission
(DH 2003). For example, information
about the incidence of healthcare-associated
infection may be obtained, collated and
shared for purposes of clinical audit.
Anonymised information may be used for
research purposes. It is important to make
a distinction: researchers can use existing
clinical information that is available in the
system, typically different forms of statistics;
however, if they wish to gather additional
information, for example using interview
transcripts, and disclose that to others, perhaps
through publication, then separate patient
permission is required.
Complete time out activity 3
An individually secured consent is required
for significant shifts in care, for example the
involvement of new care agencies. To illustrate,
a patient might experience physical and mental
health problems at the same time, and two
teams of carers should combine to better
co-ordinate the care package. Because the
mental health team might operate on a different
site and may not have immediate access to the
care record, some information will have to be
forwarded electronically. The Data Protection
Act 1998 is important in this context.
It reminds us that, in recording, managing
and sharing records about individuals,
information should:
Be handled fairly and lawfully.
Be used only in a manner compatible with
the purpose for which it was obtained.
Be adequate and relevant but not excessive.
Be kept for no longer than is necessary.
Include appropriate measures to prevent the
leak of such information, its accidental loss
or destruction.
Not be transferred overseas or to other
healthcare organisations or agencies
unless you are satisfied that adequate data
protection measures are in place.
Releasing information to an insurance claims
company without the patient’s permission,
for example, would be a breach of the condition
to use data only in a manner compatible
with the purpose for which they were
2 Discuss with your
confidants whether
there is any confusion
locally about who
requires your duty of
care. Does everyone
agree how wide that
duty of care extends?
Does this influence what
information is routinely
shared with others?
3 Discuss with
your colleagues the
arrangements that are
in place at the start of
a care relationship to
agree with the patient
which information will
be routinely shared with
the care team. Is this
agreement recorded in
some way?
january 28 :: vol 29 no 22 :: 2015 53
CPD professional issues
4 Identify whether
there are patients in
your clinical area who
might find it difficult
to demonstrate
capacity to make
their own decisions.
What measures do
you use to ensure
information about these
patients is not used
without due care for
their dignity? Can you
cite examples of cases
where it was necessary
to share information
without their consent?
obtained. However, there are caveats to this
in law, and courts may require the healthcare
organisation to release medical information,
for instance information material to judging
the extent of an injury received. Appropriate
measures to prevent the leak of information
might include encrypting information recorded
on a laptop computer and promptly reporting
any loss of the equipment.
Where it is believed that the data protection
rights of individuals have been infringed,
concerns may be raised with the Information
Commissioner’s Office. The conditions of the
Data Protection Act 1998 are not breached
where information is shared in the prevention,
detection and investigation of a crime or
where national security is at risk. For example,
it is reasonable to share information with the
police if you fear a patient might attack others
as a result of his or her mental state. Caution
should be exercised in association with police
enquiries, and the police might need to secure
a court order to access detailed medical
information. The cause for concern supporting
the police enquiry should be clearly established.
There is no provision in this legislation for
sharing patients’ personal information with
the media even if media representatives
cite freedom of information requirements
(Information Commissioner’s Office 2014).
The best course of action where journalists ask
for information is always to refer them to the
press officer for your organisation. You should
avoid any discussion of patient circumstances
socially that could provide the media or others
with avenues into patient confidentiality.
It is vital for instance that you do not discuss
patients and their circumstances on social
media such as Facebook.
The question arises of whether the patient is
able to provide informed consent to the sharing
of his or her information. Informed consent
means that the patient is able to judge what
is proposed for the use of their information,
and what the possible consequences of that
might be. For example, to release information
for use in association with a clinical drug trial
might mean additional questions are later asked
about sequelae of treatment. The commitment
made might be more open-ended than the
patient realised. Some patients with reduced
reasoning ability, poor memory or learning
disabilities might find it difficult to understand
what sort of information use request
is being made.
The Mental Capacity Act 2005 requires
the nurse to presume the patient has capacity
54 january 28 :: vol 29 no 22 :: 2015
to make informed decisions and only act on
his or her behalf when evidence emerges that
this might not be complete, for example when
the patient cannot remember what was said
and therefore finds it difficult to understand
the significance of the request being made.
The act states that individuals have the right
of support to make their own decisions and a
right to make eccentric or unwise decisions.
The nurse should proceed with the best
interests of the patient in mind, and the least
restrictive change (that which allows the
patient future choices) should usually be
preferred, all other medical considerations
notwithstanding. For example, an older
patient who is experiencing the early stages
of dementia should be presumed to be able to
make decisions about information disclosure,
unless there is accumulating evidence that his
or her ability to reason is rapidly deteriorating.
Providing further explanation of proposals for
information sharing on a day when the patient
has a better understanding of the situation
enables him or her to retain control and even
to veto a proposed plan.
Complete time out activity 4
A patient’s capacity to give informed consent to
information sharing is sometimes temporarily
reduced. An example of this is a head injury or
a drug overdose, when the patient’s ability to
comprehend what is asked of him or her may
be diminished. In these instances, the nurse
may share the most minimal information to
protect and support the patient until such time
as his or her capacity to review information
requests is restored. For example, the nurse
may share the background circumstances
from an accident report with those analysing
a substance or drug taken, including how long
ago the drug was ingested, inhaled or injected.
This constitutes practice in the patient’s best
interests since it equips another colleague to
complete the diagnostic work and formulate a
treatment plan.
Particular care needs to be taken with
informed consent to information sharing for
children (Leino-Kilpi et al 2001). Children
have different levels of decision-making
capacity dependent on their age. Permission
to share information relating to the young
child is usually granted by the parent or
other legal guardian, but there are exceptions
to this principle. For example, if a parent
is suspected of inflicting harm on a child,
for example Munchausen syndrome by proxy,
and information control is part of that abusive
© NURSING STANDARD / RCN PUBLISHING
behaviour, the nurse might have to manage
this. It is best to consult colleagues before
releasing information to a third party such as
the police. Other controversial decision-making
issues arise with teenagers, for instance
determining whether to share information
about sexual activity, disease or contraception.
Teenagers are often sensitive about matters
such as keeping their use of contraceptives
secret from a parent whom they believe
might disapprove.
Key questions
The DH (2013) sets out a series of questions
that should be used to help determine
whether a patient’s confidential information
should be shared with others. These are
paraphrased in Box 1.
Healthcare information that might
materially benefit the patient or others in
similar circumstances may provide a mandate
for disclosing information, for instance by
contributing information to clinical audit.
Sometimes important trends, traits and
needs of patients are identified only through
an understanding of larger quantities of
data. If information is disclosed to support
a broader medical purpose, the patient’s
identity needs to be protected by the use
of a changed name.
Consulting patients on what they would
like you to do in relation to the proposed
disclosure of information can be difficult in
a busy clinical setting, but it is important.
If disclosure might affect the reputation of the
patient in some significant way, consultation
is vital. The context is not that the patient can
necessarily block disclosure, but rather that
he or she has the right to know what you are
doing with the information.
The last question in Box 1, ‘Is the patient’s
explicit consent required for the disclosure
to be lawful?’, refers to changes in treatment,
care and associated assessments and updates
beyond that sanctioned as routine disclosure.
It refers to you sharing information with
any external body, for example with local
government or housing associations that may
assess a medical condition as part of a case
made for housing.
Complete time out activity 5
Confidentiality and the digital age
The Caldicott inquiry (DH 1997) highlighted
the risks associated with an increasingly digital
© NURSING STANDARD / RCN PUBLISHING
method of storing and sharing identifiable
patient information. Multiple risks exist.
First, record making could be inaccurate and
such inaccuracies could quickly be replicated,
increasing the risk of harm to patients. Second,
there is a risk of individuals accessing records
in which they have no legitimate interest.
Third, it is recognised there may be inadequate
arrangements in place for the auditing of who
accessed patient information and for what
purpose. These are matters of concern to
patients who want a transparent and secure
arrangement for their data.
Subsequently, healthcare organisations
have put in place systems for checking who is
accessing confidential information and how
it is being used. McLeod (2013), for example,
details how an automated system has replaced
manual spot checks at the Lanarkshire
Health Board in Scotland. The confidential
management of patient information is not
simply an administrator’s task. Beach and
Oates (2014) explain that nurses have a
responsibility for both accurate record making
and secure record keeping. Nurses may carry
and store information on mobile electronic
devices such as laptop computers.
The HSCIC (2013) guide on the confidential
management of information highlights the
need to record the minimum information
necessary commensurate with safe, effective
and quality-assured care, and to safeguard who
has access to patient information. Prior to this
publication, The Care Record Guarantee:
Our Guarantee for NHS Care Records in
England (DH 2011) set out what patients
might reasonably expect. Patients can expect
safe keeping of records but that some records
will be shared as required by law and to deliver
coherent care. Patients might set limits on the
information shared but are warned this might
make it more difficult to treat them effectively.
5 Review the case
study in Box 2 with your
confidants. Use the DH
(2013) questions in Box 1
to ascertain whether
there are disclosure
issues to consider.
Reflect on whether
you are asking relevant
disclosure-of-information
questions in the care of
patients. Some ways in
which you might raise
awareness of the need to
ask relevant disclosure
of information questions
are suggested in Box 3.
BOX 1
Questions to determine whether a patient’s confidential information
may be shared
1. Start with the basis of the request for information. If this is not on the basis
of health care, the furthering of treatment and care, on what grounds
do others have a right to have the information?
2. If the disclosure of information is associated with health care, will this
materially benefit the patient or others in similar circumstances?
3. Does the disclosure support a broader medical purpose, perhaps related
to research or the training of healthcare professionals?
4. Have you taken opportunities to consult with the patient on what he or she
would like you to do regarding the proposed disclosure of information?
5. Is the patient’s explicit consent required for the disclosure to be lawful?
Adapted from Department of Health (2013)
january 28 :: vol 29 no 22 :: 2015 55
CPD professional issues
6 Ask colleagues
what they think might
constitute a breach of
information governance
rules relating to patient
records and why
avoiding breaches is
so important. To what
extent do colleagues
understand the possible
consequences of a
breach in confidentiality?
It reminds patients they share a responsibility
to help correct inaccurate records made about
them. Patients as well as nurses have a role in
the maintenance of accurate medical records.
The Caldicott review (DH 2013)
recommended a strengthening of the patient’s
right to redress where confidentiality has been
breached. A transparent explanation of why
and how breaches occurred, potential fines of
up to £500,000 for breach of confidentiality
and making information governance
checks an integral part of Care Quality
Commission healthcare service reviews
were also recommended.
While guidelines for best practice in
information governance change rapidly, certain
principles recur:
The making of records is as important as
the keeping of records. Information must be
accurate and it should be transparent. It is,
for example, good practice to share with
patients copies of ‘discharge from hospital’
BOX 2
Case study relating to information disclosure
Emily is admitted to your ward after sustaining a head injury in a road
accident. After being knocked out she has regained consciousness. She is
groggy but able to answer questions. You notice there are some needlepuncture marks in her arm and what looks like old bruising around
the orbit of her left eye. To understand more of her background, you try to
gather more information from a visiting male friend. But he tries to trade this
off against securing information about her. He wants to know how she has
accounted for the car crash. The man seems aggressive and on edge, and you
become concerned about his relationship with Emily.
The police come to interview Emily about the accident, which involved
a cyclist. They stop by the office to ask what you know about the woman’s
condition and her background. Since the visit of the male friend, Emily has
seemed reluctant to talk about the accident or her injuries. It is difficult to
develop a rapport with this woman, who insists that she is a private person.
Her medical records are on the electronic database. Perhaps they might
suggest something of how she came to have the accident and has become
increasingly irritable in the past 48 hours.
BOX 3
Ways to raise awareness of confidentiality requirements
1. Review case studies from practice and those where the correct disclosure of
information was difficult to judge. This helps nurses to realise they are not
alone in deciding how best to proceed.
2. Create a role-play situation where nurses act out the experiences and
dilemmas that can accompany information disclosure. Good roles to include
are the patient, a close relative, the nurse and a doctor who comes to brief
the patient on next treatment plans. The close relative is present when the
doctor visits. Role play helps nurses to explore the emotional dimension of
information disclosure and to develop empathy for the needs of others.
3. Examine sample patient records to determine what information recorded is
unnecessary and what is missing. Is there information recorded that might
attract curiosity? How focused is the information recorded and could this be
justified as necessary to a patient who requested to see the records?
56 january 28 :: vol 29 no 22 :: 2015
letters so that they too can check what
has been conveyed to the GP. Accuracy of
information is increased where patients can
check what has been recorded.
Access to confidential patient information
should be limited to healthcare staff
with a legitimate right to review records.
This means setting up smart cards and access
codes that help identify which nurses have
accessed a record and the use of passwords
to limit the risk that others will gain access to
patient information. Where healthcare staff
abuse their access rights, accessing patient
information with no clear clinical reason,
breaches should be investigated quickly
and, where appropriate, nurses should
be disciplined. This may include referral
to the NMC as well as dismissal from a
post because the nurse has breached the
employment contract.
It is important for patients to have greater
control of their information. Patient requests
for a copy of records must be met promptly
and at minimal or no cost to the applicant.
Auditing of information access and use is
important if the healthcare organisation is
to discharge its duties effectively. Nurses
should be briefed on this and warned that
breaches in information governance rules
will be treated as a disciplinary matter,
including the accessing of their family
members’ medical records.
Complete time out activity 6
In the author’s experience, nurses sometimes
underestimate the possible consequences of
a breach in patient confidentiality associated
with accessing and sharing information.
They may fail to appreciate not only the distress
caused to a patient but also the fact that it
might result in legal proceedings against their
employers. Discovering whether nurses have
both rehearsed what constitutes a breach of
confidentiality in relation to patients’ records
and what might ensue if a breach is confirmed
is important review work.
Conclusion
Respecting patient confidentiality starts
with a clear understanding of terms and
responsibilities. It is important that nurses
understand to whom they have a duty of care
and what exactly is meant by terms such as
privacy and confidentiality. Where terms
are confused, there is a significant risk that
the importance of information governance
© NURSING STANDARD / RCN PUBLISHING
is underestimated. Confusion about
terms can lead to nurses misconstruing
their responsibilities.
Nurses need to appreciate what information
on what aspects of care will be shared with a
variety of healthcare professionals, provided
that the patient has not set limits on this at the
start of the care programme. It is not enough
to assume consent to treatment also means
consent to sharing information. The nurse
should ascertain at the outset what the patient
understands and requires in relation to the
sharing of confidential information. The nurse
should also understand that some disclosure
of information requires further permission
from the patient, typically when there is a
change in care arrangements or new agencies
become involved.
It is easy to be complacent about patient
information. However, asking key questions
serves to limit the risk that poor decisions
are made. Risks are further reduced when
the exposure to risk associated with using
electronic care records is managed. Patients
should have access to their records and
should be encouraged to check what has been
recorded. Staff should be made aware of the
penalties that might apply if they abuse access
to confidential information.
The more the care team understands how
privileged information is stored, disclosed and
used, the less likely the team is to abuse patient
confidentiality. This is a professional matter
that affects the reputation of the healthcare
organisation as a whole NS
Complete time out activity 7
7 Now that you have
completed the article,
you might like to write
a reflective account.
Guidelines to help you
are on page 62.
References
Agris J (2014) Extending the
minimum necessary standard to
uses and disclosures for treatment.
Journal of Law, Medicine and Ethics.
42, 2, 263-267.
Beach J, Oates J (2014) Maintaining
best practice in record-keeping and
documentation. Nursing Standard.
28, 36, 45-50.
Bernoth M, Dietsch E, Burmeister O,
Schwartz M (2014) Information
management in aged care: cases
of confidentiality and elder
abuse. Journal of Business Ethics.
122, 3, 453-460.
Department of Health (1997)
The Caldicott Committee. Report on
the Review of Patient-Identifiable
Information. The Stationery
Office, London.
Department of Health
(2003) Confidentiality: NHS
Code of Practice. The Stationery
Office, London.
Department of Health (2011)
The Care Record Guarantee. Our
Guarantee for NHS Care Records in
England. Version 5. The Stationery
Office, London.
Department of Health (2013)
Information: To Share or Not to Share?
The Information Governance Review.
The Stationery Office, London.
Health and Social Care Information
Centre (2013) A Guide to
Confidentiality in Health and
Social Care: Treating Confidential
Information with Respect.
HSCIC, Leeds.
Health and Social Care Information
Centre (2014) Information Governance.
http://systems.hscic.gov.uk/infogov
(Last accessed: January 16 2015.)
Hudgins C, Rose S, Fifield PY,
Arnault S (2013) Navigating the
legal and ethical foundations of
informed consent and confidentiality
in integrated primary care. Families,
Systems and Health. 31, 1, 9-19.
Information Commissioner’s
Office (2014) What is the Freedom
of Information Act? tinyurl.
© NURSING STANDARD / RCN PUBLISHING
com/nb4uwau (Last accessed:
January 16 2015.)
Kerr D, Lu S, McKinlay L
(2014) Towards patient-centred
care: perspectives of nurses and
midwives regarding shift-to-shift
bedside handover. International
Journal of Nursing Practice.
20, 3, 250-257.
Leino-Kilpi H, Välimäki M, Dassen T
et al (2001) Privacy: a review of the
literature. International
Journal of Nursing Studies.
38, 6, 663-671.
Lewis M, Baxter R, Pouder R
(2013) The development and
deployment of electronic personal
health records: a strategic
positioning perspective. Journal
of Health Organization and
Management. 27, 5, 577-600.
Lowth M (2013) Confidentiality in
the modern NHS: part 2. Practice
Nurse. 43, 11, 49-52.
McLeod A (2013) How can
health boards ensure digital
patient records remain
confidential? The Guardian.
December 6 2013.
Nursing and Midwifery Council
(2008) The Code: Standards
of Conduct Performance and
Ethics for Nurses and Midwives.
NMC, London.
Price B (2009) Supporting
patients’ dignity in the
community. Primary Health
Care. 19, 3, 40-45.
Richards C, Barker M (2013)
Sexuality and Gender for
Mental Health Professionals:
A Practical Guide.
Sage, London.
Rogers W (2006) Pressures
on confidentiality. The Lancet.
367, 9510, 553-554.
Young A (2009) Review:
the legal duty of care
for nurses and other
health professionals.
Journal of Clinical Nursing.
18, 22, 3071-3078.
january 28 :: vol 29 no 22 :: 2015 57