The purpose of the protocol is to set out the obligations for all working at Little Harwood Health Centre concerning the confidentiality of information held about patients and Little Harwood Health Centre.
This protocol is relevant to all employers and anyone who works at the Practice, including non-clinical staff. Individuals on training placements and visitors/observers on the premises must also adhere to this.
This protocol will be reviewed yearly to ensure that it remains effective and relevant.
Importance of confidentiality
Confidentiality is a fundamental part of health care and crucial to the trust between doctors and patients. Patients entrust their practice with sensitive information relating to their health and other matters in order to receive the treatment and services they require. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not. All staff in the NHS have legal, ethical and contractual obligations of confidentiality and must ensure they act appropriately to protect patient information against improper disclosure.
Some patients may lack the capacity to give or withhold their consent their consent to disclosure of confidential information but this does not diminish the duty of confidence. The duty of confidentiality applies to all patients regardless of race, gender, social class, age, religion, sexual orientation, appearance, disability or medical condition.
Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or appointed representative) has given explicit consent, except where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held. Information which is effectively anonymised can be use with fewer constraints.
The confidentiality of other sensitive information held about the practice and staff must also be respected.
Obligations for all staff
The staff Contract of Employment explains that during the course of employment the staff member will have access to see or hear information of a confidential nature verbal, written or electronic. All information concerning patients and staff is strictly confidential and must not be divulged to a third party except with the permission of the patient themselves, or their doctor if it is in the interest of their health. Failure to observe confidentiality constitutes gross misconduct and may lead to immediate dismissal and/or civil proceedings to restrain the employee from disclosing the information or from making personal use of it without authority. The practice also has responsibilities under the Data Protection Act 1998 and will advise employees of their obligations as necessary.
Guidelines are set out below:
All staff must:
1) always endeavour to maintain patient confidentiality;
2) not discuss confidential information with colleagues without patient consent (unless it is part of the provision of care);
3) not discuss confidential information in a location or manner that allows it to be overheard;
4) handle patient information received from another provider sensitively and confidentially;
5) not allow confidential information to be visible in public places;
6) store and dispose of confidential information in accordance with the Data Protection Act 1998 and the Department of Health’s Records Management
Code of Practice (part 2);
7) not access confidential information about a patient unless it is necessary as part of their work;
8) not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient, the appropriate technical safeguards are in place and there is agreement from the information governance lead or
9) contact the information governance lead or Caldicott Guardian if there are barriers to maintaining confidentiality;
10) report any loss, inappropriate storage or incorrect disclosure of confidential information to the information governance lead or Caldicott Guardian;
11) if applicable, document, copy, store and transfer information in the ways agreed with other providers,
- i.e. scan documents to patient’s file,
- keep original copies stored securely in reception/general office,
- transfer patient notes via the GP2GP system,
- transfer/receive patient notes via the NHS England system by the secure delivery service and sealed bag,
- documentation faxed to hospital/other departments must only be sent to a ‘secure’ fax,
- documentation to Solicitors should be sent via Recorded Delivery so that the delivery is logged with a receiving signature,
- discard any document with patient details included through the SECURE SHREDDING BINS which are emptied monthly and shredded on site.
It is expected that members of staff will comply with the law and guidance/codes of conduct laid down by their respective regulatory and professional bodies.
When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns/public interest, the patient should always be told and asked for consent before the disclosure unless it would be unsafe or not practical to do so.
In the circumstances that consent can not be sought, then there must be clear reasons and necessity for sharing the information.
Disclosures of confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the Data Protection Act l998, the NHS Confidentiality Code of Practice (see below) and the GMC’s Good Medical Practice.
Obligations for employers
The employers at the practice must:
1) ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality;
2) make sure that all individuals to whom this protocol is relevant have read, understood and signed this protocol;
3) review and update this protocol on a regular basis.
This protocol is subject to the provisions set out in the legislation and guidance listed below;
Data Protection Act 1998; The Information Commissioners’ Office guide to data protection can be viewed at;
http://www.ico.gov.uk/for organisations/data protection/the guide.aspx
The Department’s Code of Practice for Records Management (Part 2)
http;//www.dh.gov.uk/prod consum dh/groups/dh digitalassets/documents/digitalasset/dh 093024.pdf
Human Rights Act 1998
The Common Law Duty of Confidence
Access to Health Records Act 1990
Confidentiality; NHS Code of Practice 2003
NHS Care Record Guarantee 2009 www.nigb.nhs.uk/guarantee/2009-nhs-crg.pdf