The practice is committed to complying with the requirements of the legislation governing patient confidentiality including: Access to Health Records 1990, Caldicott Guidelines 1997 – see the Data Quality Policy (M233-DPQ), Confidentiality Code of Practice 1998, Data Protection Act 2018, GDPR and the current GDC Standards.
For the purpose of this policy, confidential information is defined as all the information that is learnt in a professional role including personal details, medical history, what treatment a patient is having and how much it costs. The definition of personal details includes, but is not limited by, such details as name, age, address, personal circumstances, race, health, sex and sexual orientation, etc. Note that even the fact that a patient attends the practice is confidential. Confidential information may be supplied or stored on any medium including images, videos, health records, and computer records or may be transmitted verbally.
All staff members must be aware of their responsibilities for safeguarding patient confidentiality and keeping information secure and must have received appropriate training on the legislation requirements and the current GDC Standards to ensure that:
Before releasing information without the patient’s permission, an effort is always made to either convince the patient to release the information himself or herself or give the practice permission to do so, with the details of the discussion fully documented in the patient record. If obtaining consent from a patient is not practical or appropriate or if the patient will not give their permission, the team member will obtain advice from their professional indemnity organisation before releasing it.
A patient’s information will only be released without their prior permission in the following exceptional circumstances:
The practice treats breaches of confidentiality very seriously. No team member shall knowingly misuse any confidential information or allow others to do so. Failure to comply with this policy may result in disciplinary action.
This policy should be read in conjunction with the Social Media Policy (M 233-SMD), Data Quality Policy (M233-DPT), Information Protection and Security Policy (M 233-DPT) and the Information Governance Procedures (M 217C).