Police requests for medical records in the UK: how to respond

When should you disclose medical records? Our healthcare team provide a workflow to follow when considering whether to disclose medical records to the police.


Key considerations when making a decision regarding whether to disclose patient records to the police:

Do police have a court order or witness summons requiring disclosure?

The common law duty of confidentiality owed to patients should be respected where possible, but this duty is not absolute.

As per paragraph 17 of the General Medical Council’s guidance ‘Confidentiality: Good practice in handling patient information’ (updated May 2018), disclosure must be made where it is required by statute or ordered by a judge or presiding officer of a court.

The guidance notes that only information relevant to the request should be disclosed and wherever practicable, patients should be told about such disclosures, unless that would undermine the purpose.

The risk of an action for breach of confidence is significantly reduced where disclosure is made in compliance with a Court Order or pursuant to a witness summons requiring production of the documents. However, as stated by Munby J in A Health Authority v X and Ors (No.1) 2001 WL 513038 at paragraph 9:

[…] Dr X’s ultimate obligation is to comply with whatever order the court may make. But prior to that point being reached his duty, like that of any other professional or other person who owes a duty of confidentiality to his patient or client, is to assert that confidentiality in answer to any claim by a third party for disclosure and to put before the court every argument that can properly be put against disclosure. All the more so when, as in the present case, he knows, because he has asked, that his patient or client is refusing to consent to disclosure.

It is therefore important to note paragraph 91 of the GMC guidance which advises that objection should be made to the Judge or the presiding officer if attempts are made to compel disclosure of what appears to be irrelevant information.

Therefore, even when an order is obtained or a summons is issued, it is necessary to consider whether there remain concerns regarding disclosure.

Does the Data Protection Act or GDPR require disclosure to the police?

For clarity, there is no provision in the DPA or GDPR which compels healthcare professionals or organisations to disclose patient records to the Police.

It is important to note that in the absence of an Order or summons, the disclosure will be voluntary. Such disclosures may only be made with the patient’s consent or if there is an overriding public interest.

The regime does not apply to the personal data of a deceased patient, albeit of course the duty of confidentiality which is owed continues after death. For completeness, the opinions expressed by healthcare professionals in a deceased patient’s medical records are the personal data of the clinicians who expressed those opinions.

What does reliance on the DPA or GDPR mean in practice?

Typically references to DPA Schedule 2 para 2 or para 5 will be included in the request (perhaps with the addition of an Article 6 GDPR basis for lawful processing).

These provisions relate to disclosures made for the purposes of prevention and detection of crime or in connection with legal proceedings. They are ‘exemptions’ in so far as they exempt the body processing the data for these defined purposes from having to comply with various provisions of the GDPR which broadly relate to rights of data subjects, i.e. to be informed.

In summary, the provisions are permissive and so do not create obligations. They are only available in defined circumstances, thus it cannot be assumed that they can be relied upon in all cases of voluntary disclosure.

When can disclosure be justified in the public interest?

As above, in the absence of an Order, summons or valid consent the records may be disclosed where there is an overriding public interest. Paragraphs 63 – 70 of the GMC guidance set out the relevant considerations.

Paragraph 64 notes “if it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm”.

The guidance goes on to note that such a situation might arise if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. Paragraph 67 addresses the issue of consent in this context.

The British Medical Association’s Guidance ‘Access to Health Records’ confirms that theft, minor fraud or damage to property where loss or damage is less substantial, would generally not justify the breach of confidence necessary to justify disclosure in the public interest.

Paragraph 68 of the GMC Guidance sets out a range of factors which must be considered when deciding whether to disclose patient information, such as the potential harm which may be caused to others if the information is not disclosed.

There is also an obligation to consider whether assistance can be provided without breaching the patient’s privacy and if not, to consider what the minimum intrusion might be. In practice this could be an offer to provide a brief statement answering specific questions as opposed to disclosing full medical records.

What do organisational policies say about police access to medical records?

Most organisations are likely to have a policy which covers the approach to be adopted in response, and there may be particular forms that the Police should be asked to complete when requesting records.

Following the organisation’s policy and seeking advice from the relevant personnel, for example the Caldicott Guardian, before embarking on a response is also likely to reduce risk of action for breach of confidence.

How should decisions on disclosure be recorded?

This may be addressed in the organisation’s policy; however, we would expect the decision to be recorded in the patient’s records and any decision to be forwarded to the organisation’s information governance team.

An index of the copy documents sent should be retained on file. Where redacted versions are sent it would be advisable to keep copies for future reference.

Please note that the relevant considerations will of course be different where a request for information concerns a matter in which the organisation or an employee of the organisation may be implicated. In such situations relevant defence organisations should be contacted and/or legal advice should be sought as appropriate.

Should you require any assistance with responding to requests, with the development of policy or with staff training, please do not hesitate to contact us.

For guidance on the disclosure of medical records, contact our specialists in GDPR in health and social care. For wider advice on healthcare law, contact our healthcare solicitors.
