Confidentiality is an essential part of the bond of trust that exists between doctor and patient. But there are countless risks to be aware of when it comes to maintaining confidentiality, particularly with the increasing use of technology in the practice.
Here are three key areas where practices are at risk of breaching patient confidentiality, along with some general advice from the MDU about how to protect confidentiality.
1. Sending emails
Sending confidential information via email is convenient, but it’s also risky because it is easy to accidentally send information to the wrong person or to share it with more people than intended.
In one case, the Information Commissioner fined an NHS organisation £70,000 after a consultant’s letter was emailed to the wrong patient, whose name was similar to that of the patient who should have received it.
Another common pitfall is sending an email to a group of patients with their addresses in the ‘To’ or ‘CC’ field instead of blind copying (‘BCC’) them. Every recipient can then see every other recipient’s address. That reveals who is on the mailing list and, depending on the content of the email, the service being offered to those patients, for example if the email concerns a particular vaccination.
It’s important to take extra care when sending emails to prevent these easy mistakes. Take your time, avoid relying on address auto-complete where it is easy to pick the wrong name, and always review the recipient list as well as the content before pressing send.
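As an added example (not code from the article or the MDU), the BCC rule can be enforced in code rather than left to the sender's attention. The Python below addresses a group mailout with the patients in Bcc and only the practice's own mailbox in To, refuses a message in which more than one address is visible in To/CC, and shows the related pitfall that the Bcc header must be removed from the bytes that are actually transmitted. The practice address, patient addresses and message text are made up.

```python
"""Constructed example of a patient mailout that keeps recipients hidden from
each other. Added for this article; not MDU code. The practice address,
patient addresses and message text are invented.
"""
import email
from email.message import EmailMessage
from email.utils import getaddresses

PRACTICE_ADDRESS = "reception@example-practice.invalid"  # assumed practice mailbox

# Constructed recipient list for a flu-clinic invitation.
PATIENTS = [
    "a.patient@example.invalid",
    "b.patient@example.invalid",
    "c.patient@example.invalid",
]


def build_mailout(subject: str, body: str, recipients: list[str],
                  hide_recipients: bool = True) -> EmailMessage:
    """Address a group email.

    hide_recipients=True (the right way): To carries the practice's own mailbox
    and every patient goes in Bcc.
    hide_recipients=False (the pitfall): every patient is listed in To.
    """
    msg = EmailMessage()
    msg["From"] = PRACTICE_ADDRESS
    if hide_recipients:
        msg["To"] = PRACTICE_ADDRESS
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Bare addr-specs found in the named headers."""
    values = []
    for header in headers:
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr for _, addr in getaddresses(values)]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will be able to read: To and Cc."""
    return _addresses(msg, "To", "Cc")


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Everyone the mail server must deliver to: To, Cc and Bcc."""
    return _addresses(msg, "To", "Cc", "Bcc")


def wire_bytes(msg: EmailMessage) -> bytes:
    """The bytes that should actually be transmitted: the message minus its Bcc header.

    smtplib.SMTP.send_message() strips Bcc for you. SMTP.sendmail(sender, to_addrs,
    msg.as_bytes()) does not, and would deliver the whole Bcc list to every patient.
    A fresh copy is parsed so the caller's message object is left untouched.
    """
    wire = email.message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del wire["Bcc"]
    return wire.as_bytes()


def check_before_send(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Return the problems found; an empty list means the message may be sent."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} addresses visible in To/Cc; put the group in Bcc")
    if not envelope_recipients(msg):
        problems.append("no recipients at all")
    # Catch a Bcc address that was also pasted into the body or another header.
    hidden = set(_addresses(msg, "Bcc")) - set(visible)
    leaked = sorted(a for a in hidden if a.encode() in wire_bytes(msg))
    if leaked:
        problems.append(f"Bcc addresses still appear in the transmitted message: {leaked}")
    return problems


if __name__ == "__main__":
    invitation = build_mailout("Flu clinic", "Flu vaccination appointments are now available.", PATIENTS)
    print("hidden recipients:", check_before_send(invitation) or "ok to send")
    exposed = build_mailout("Flu clinic", "Flu vaccination appointments are now available.",
                            PATIENTS, hide_recipients=False)
    print("visible recipients:", check_before_send(exposed))
```

The check is meant to sit in whatever sends the mailout, so that a message with several visible addresses is rejected before it reaches the mail server rather than relying on the sender noticing.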
2. Data storage
Practices are responsible under the Data Protection Act to ensure that patient information is held securely and protected from unauthorised or unlawful processing.
You might wish to take advice from IT specialists on the security of patients’ digital records. No system will ever be 100% secure, but if an unauthorised disclosure does occur you will need to be able to justify the steps you took to prevent it.
Some things you can ask yourself are:
- Is your IT system adequately protected from unauthorised access, e.g. does it require strong passwords, and is patient data encrypted both where it is stored and when it is transmitted?
- Is your software medico-legally compliant e.g. does it allow you to produce hard copies of records?
- Does your system provide a full audit trail of who accessed or changed each record, and when?
- Do you regularly back up your electronic records and check that your back-up is working correctly and you are able to retrieve/restore records if necessary?
- Do you hold a back-up of your electronic files in secure off-site premises?
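As an added example (not the article's own), the restore check in the questions above can be scripted so it runs the same way every time. The Python below creates a sample records folder, backs it up to a tar.gz archive alongside a SHA-256 manifest, restores the archive somewhere else and compares every restored file against the manifest; it then alters one restored file to confirm the check really reports a difference. File names and contents are constructed, and `run_demo` is a helper written for this example.

```python
"""Constructed example: a scripted restore test for a records backup.
Added for this article; not MDU code. Sample files and their contents are
made up and carry no patient information.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    """Manifest sits next to the archive, e.g. records.tar.gz.manifest.json."""
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and write a manifest of {relative path: sha256} for every file."""
    manifest = {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def load_manifest(archive: Path) -> dict[str, str]:
    return json.loads(manifest_path(archive).read_text())


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means every file matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        restored = root / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"content differs after restore: {rel}")
    return problems


def restore_and_verify(archive: Path, manifest: dict[str, str], restore_to: Path) -> list[str]:
    """Extract the archive into `restore_to` and check it against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter refuses absolute paths and ".." entries (Python 3.12+,
            # backported to maintained 3.8-3.11 releases).
            tar.extractall(restore_to, filter="data")
        except TypeError:  # interpreter without extraction filters
            tar.extractall(restore_to)
    return verify_against_manifest(restore_to, manifest)


def run_demo() -> dict[str, list[str]]:
    """Back up a constructed records folder, restore it, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "records"
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "record-0001.txt").write_text("sample record 1\n")
        (source / "patients" / "record-0002.txt").write_text("sample record 2\n")
        (source / "index.txt").write_text("2 records\n")

        archive = base / "backups" / "records.tar.gz"
        archive.parent.mkdir()
        manifest = make_backup(source, archive)

        restore_to = base / "restore-test"
        restore_to.mkdir()
        first = restore_and_verify(archive, load_manifest(archive), restore_to)

        # Alter one restored file to show the check is not a no-op.
        (restore_to / "patients" / "record-0002.txt").write_text("sample record 2 (altered)\n")
        after = verify_against_manifest(restore_to, manifest)
        return {"first_restore": first, "after_tamper": after, "files": sorted(manifest)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Restoring into a scratch directory and hashing the result is what turns "we take backups" into evidence that records can actually be retrieved; the manifest should be kept with the off-site copy so the same check can be run there.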
3. The reception area
There are many small and simple changes that practices can make which can help to reduce the risk of confidential patient information being inadvertently shared in the reception and waiting area.
All computers at reception should be orientated facing away from the counter so that patients and other visitors attending the practice are not able to see any information on the screen. You could also consider purchasing privacy filters for the computer screens, which prevent others from viewing the screen from the side.
All staff should also be aware of the potential for their conversations to be overheard by those in the waiting room. Whether speaking to patients or to each other, staff should always be discreet and avoid discussing confidential or identifying information within earshot of others.
Confidentiality tips from the MDU:
- Fully acquaint yourself and your colleagues with up-to-date legal requirements, along with GMC and NHS guidance on confidentiality.
- Nominate a person to be responsible for practices and procedures for handling confidential data.
- Train all staff to keep information confidential and reinforce the message regularly. Write a confidentiality clause into contracts of employment.
- Keep discussion about the clinical management of patients private and out of earshot of the public.
- Ensure patients cannot read another patient's details on computer screens.
- Check the identity of telephone callers asking for information about a patient, if necessary by calling them back on a number you have obtained independently, for example via directory enquiries, rather than one the caller gives you.
- Take professional advice before connecting your computer to a network and keep a record of the advice.
- Ensure electronic means of communication such as fax and email are secure before sending information.
- Consider use of anonymised patient data when this might satisfy a request for information.
Dr Ward is a medico-legal adviser at the MDU