Ethical Issues - Confidentiality
The following is a worked example of a hypothetical case study showing how ethical principles would apply to a practical problem.
Bob has attended the genito-urinary clinic at his local Trust hospital. Bob is seen by Dr Gomez who informs him that he is HIV positive. Dr Gomez counsels Bob to contact his sexual partners to inform them of his status. Bob starts a course of treatment.
For the last 18 months Bob has been in a relationship with Sue. They are expecting a baby in 2 months time. Before this relationship Bob had a series of sexual partners.
On a subsequent visit to the clinic it becomes clear to Dr Gomez that Bob has not told Sue of his HIV status. Dr Gomez is aware of the impending arrival of their baby and tells Bob that steps should be taken to assess whether Sue is HIV positive and whether the baby is at risk so that if necessary treatment may be started.
Bob adamantly refuses to tell Sue and says that if she is told without his consent then he will stop his course of treatment.
What should Dr Gomez do? Can / should he inform Sue, or Bob’s GP?
Issues to consider
The principle of respect for autonomy requires that personal information should not be disclosed without consent. However, in some cases the autonomy of another person may also be at issue (in this case Sue and previous sexual partners, as well as the baby when born). Not disclosing information may limit their ability to make decisions as to treatment and lifestyle.
Although maintaining confidence in personal information may be the starting point, a balance of the benefits and harms of disclosure / non-disclosure leads to consideration of the consequences of a course of action.
In this scenario the harms of non-disclosure can be identified as:
- The risk that Sue may be HIV positive. The consequence of not providing information to enable her to be tested is that she is harmed by not knowing her HIV status and not receiving a course of treatment.
- If Sue is HIV positive and is not aware of the risk the consequences are that she will not take steps to minimise the risk of infection to the baby eg. obtaining treatment during pregnancy, baby born by caesarean section, knowing not to breastfeed, prophylactic treatment.
- If Sue did later find out that there was a risk to her and that she was not informed she may lose trust in her doctor or the healthcare system.
- Risks to Bob’s former identifiable sexual partners who could be contacted and informed.
The harms of disclosure would include:
- If the clinician informs others without Bob’s consent then as a consequence he may lose trust in Dr Gomez, and perhaps the medical profession in general.
- He has indicated that he will end his course of treatment thus risking relapse and severe health problems including death.
- There is also a risk that he could go on to infect future sexual partners.
- Bob may be stigmatized by others who get to know and may have problems with future employment because of discrimination
Applying ethics and law - balancing competing interests and values
It is necessary to balance the potential harms of non -disclosure with the harms that might result from disclosure without consent in breach of the duty of confidentiality.
Paragraph 53 of the GMC guidance Confidentiality(2009) states that disclosure of confidential information without the patient’s consent can be justified to prevent risk of death or serious harm to a third party.
“53. Disclosure of personal information about a patient without consent may be justified in the public interest if failure to disclose may expose others to a risk of death or serious harm. You should still seek the patient’s consent to disclosure if practicable and consider any reasons given for refusal.”
If Sue were to become infected with HIV she would be harmed by contracting a serious disease which if untreated is ultimately life threatening. In addition she could transmit the virus to her child again with potentially life threatening consequences.
In its supplementary guidance on confidentiality (2009) the GMC considers specifically the issue of disclosing information about serious communicable diseases. Section 8 states
“If a patient refuses to allow you to inform someone outside the healthcare team of their infection status, you must respect their wishes unless you consider that failure to disclose the information will put other healthcare workers or other patients at risk of infection. But such situations are likely to be very rare, not least because of the use of universal precautions to protect healthcare workers and patients, particularly during exposure prone procedures”
The particular risk of becoming infected from a sexually transmitted disease (or by vertical transmission from mother to child, cannot be prevented by universal precautions taken by healthcare workers. The GMC advises in these situations, where a person with a sexually transmitted disease refuses to disclose information to their sexual partner, that a doctor may disclose information to the sexual partner “if you have reason to believe they are at risk of infection and that the patient has not informed them or has refused to do so”. This would appear to be the case in this scenario.
A useful comparison could be made with disclosure of genetic information. Genetic information may have great relevance for the health of relatives. Nevertheless, if the patient refuses to allow relatives to be informed confidence should be maintained unless the health interests’ of family members to be given such information outweighs the duty of confidentiality.
The GMC guidance considers the disclosure of genetic and other shared information (paragraphs 67-69). Essentially the advice is to encourage patients to share information that would be relevant to a family member, for example of the knowledge could be used to receive prophylaxis or other preventative treatments. However should a patient refuse to disclose the health professional must then make a judgement based on the public interest principle described above.
BMA guidance (Human genetics: choice and responsibility 1998) states that a healthcare professional should consider the following factors in deciding whether to disclose:
- Severity of the disorder
- Level of predictability
- Action relatives could take
- Harms / benefits in giving or withholding information
What about the interests of the child to be born? In Re C (HIV testing)  2 FLR 1004 the court considered that it was in the best interests of a baby to undergo testing for HIV (where the mother was HIV positive and had refused interventions to prevent transmission of the virus) despite the fact that the parents refused their consent. Clinicians were of the view that if the child was infected measures could be taken to manage the condition. The court said that the child had interests that were separate from those of its parents (a foetus does not have legal rights but rights do crystallize at birth).
In the case study scenario it would be necessary to consider the likelihood of HIV risk to the baby to determine whether breach of confidentiality is justified. Sue would need to be informed in order to consent to testing / treatment.
Should Bob’s GP be informed? Paragraph 25 of GMC guidance Confidentiality (2009) states that, “Most patients understand and accept that information must be shared within the healthcare team in order to provide their care.”
However, should a patient object to information being shared with another health professional then their wish should be respected unless there is a public interest justification for disclosure. Thus, if Bob still refuses his wishes must be respected unless failure to disclose would put a health care worker or other patient at serious risk of death or serious harm. As the GMC supplementary guidance points out this is unlikely to be the case if universal precautions are followed. One situation where there may be an increased risk to a healthcare professional is if a needle stick injury has occurred. In this situation the GMC guidance advises that it may be appropriate to disclose information if this is needed for decisions about post exposure prophylaxis (Supplementary Guidance paragraph 18)
It would appear, in balancing the harm to Bob with harms to others that the harm to Bob in disclosing without his consent is outweighed by the harmful consequences of not disclosing. However health professionals working in this area may consider that more weight should be given to the loss of trust that might result from breaching confidences.
“Compelling ethical reasons exists for protecting the privacy of persons with HIV infection. An important justification for privacy resides in the principle of respect for autonomy. To respect the privacy of persons with HIV/AIDS is to respect their wishes not be observed or to have intimate information about themselves made available to others. Privacy also enhances the development of trust in the physician. One of the defining characteristics of the doctor/patient relationship involves the sharing - freely given - of private information. Failure to respect the confidentiality of patients drives patients away from HIV testing, counseling, and treatment, and discourages patients from confiding in their physicians. Healthcare facilities that treat persons with HIV argue fiercely that compelling physicians to disclose HIV infection to sexual or needle-sharing partners would mean they would lose the trust of their clients.”
Lawrence O. Gostin, JD, from the September, 1995 issue of the JIAPAC.
The main objective of this study is to highlight the importance of patient confidentiality as a legal and ethical duty of health professionals in charge of patient care. To achieve this objective, and through a field study using many hours of direct observation (a total of 33,157 h), we have tried to reveal situations in which these professionals violate a duty inherent in their relationship with patients.
How often is patients’ confidentiality breached?
To date, very few studies have directly recorded incidents related to confidentiality breaches during clinical practice in healthcare facilities, nor the frequency with which they occur. This last aspect, which we believe to be of great interest, was dealt with in a similar study by Mlinek and Pierce , who reported situations where patients’ confidentiality and privacy was breached in the emergency department of a university hospital with about 22,000 medical patient visits a year. Confidentiality breaches occurred for 26 out of 32 patients in the triage/waiting area over a 6 h observation period, whereas between 3 and 24 breaches occurred per hour in patient care areas during 18 h of observation.
Our study was conducted in a university tertiary hospital, but unlike the previous study, the observations were made in virtually all areas of the hospital; specifically 37 different CMUs. The observers recorded confidentiality breaches in all the departments, with a global FI of 0.016 breaches per hour (i.e., one confidentiality breach every 62.5 h). The median FI of confidentiality breaches (Fig. 1) was higher in the category of “other medical and surgical specialties”, where 1 breach for every 12.05 h of observation was recorded. This is probably due to the fact that although fewer total hours of observation were conducted, this category includes a larger number of CMUs. In 2012, the Emergency Department of the hospital involved in our study conducted 124,847 medical patient visits.3 Considering that our estimate was made jointly (Internal Medicine and the Emergency Department), the median of breaches was 1 per every 43.48 h of observation. Therefore, Internal Medicine and the Emergency Department, as well as General and Digestive Surgery were the departments with the lowest FI.
As can be seen, the average number of breaches we recorded was much lower than that reported by Mlinek and Pierce  (even considering our joint category). There are many additional reasons why both studies are not comparable. For example, Mlinek and Pierce  recorded a wide range of incidents that included comments and information obtained on patients through auditory and visual observation. Moreover, the observers in their study were specifically located in certain areas of the hospital chosen by the researchers themselves which are conducive to certain types of confidentiality breaches considered to be the most frequent. In contrast, our observers did not choose a particular area to “seek out” incidents either in the exams rooms or patient care areas of the Emergency Department. Another factor regarding the lower FI we report is that our observers received specific training using a checklist of the most common breaches, although this may have conditioned them to focus primarily on the breaches established by the researchers a priori.
Characteristics of the confidentiality breaches in our hospital
The checklists completed by the observers included a record of the hours and days spent observing each medical department, as well as other information such as a description of the observed breach of confidentiality, the area of the hospital where it occurred, and the type of staff; factors that were taken into account when analyzing the recorded incidents.
Our study reveals that most confidentiality breaches (or incidents regarding a disclosure of confidential information) occurred primarily in public areas such as corridors, elevators, and stairs (37.9 %). Due to the presence of people external to the hospital in these areas, confidential information should be treated with utmost care. Indeed, one of the first fieldworks on the breach of confidentiality  already pointed in that direction. In their study, Ubel and Cols  made observations in 259 elevator rides in different hospitals, reporting inappropriate comments that breached patient confidentiality in 14 % of all rides. In our study, public areas were followed closely behind by work areas (30.4 %), medical consultations, treatment rooms, and operating rooms. This widespread phenomenon varied from one department to another and also depended on the type of breach.
Regarding the categories of confidentiality breaches we established, a large number were related to the custody of clinical records (Type 1). Specifically, there were situations in which folders containing medical records were left open on the counters of nursing stations where anybody walking by could see them, or left unguarded on carts in the middle of corridors and other public areas, and were even lost in such unlikely places as locker rooms, classrooms, or patients’ rooms. As for electronic clinical records, there was a number of cases where computers were left unguarded, thus allowing anyone to access them. The improper destruction of records with patient data such as throwing out the trash in public wastepaper baskets without destroying bracelets, identifying stickers, or patient lists occurred to a lesser degree.
The disclosure of clinical or personal data to non-medical staff or third parties (Type 2) was the most frequent type of breach (54.6 %), with situations in which the clinical and even personal data of identifiable patients or patients who had just left the physician’s office were discussed either in front of another patient, by phone, or with other colleagues not involved in the clinical assistance. Conversations in which specific data was revealed about patients were also frequent in public areas, especially corridors, stairs, and elevators. Another type of observed behavior was providing care in consultations or treatment rooms with open doors or curtains, conducting medical examinations of patients in their rooms on the ward in the presence of relatives of another patient who was in the room, and the retrieval of electronic data by an acquaintance not involved in the patient’s care without the patient’s knowledge or consent.
As for situations where confidentiality was breached due to inadequate infrastructure or poor organization (Type 3), the majority occurred when informing patients’ families in hospital wards, operating rooms, or unsuitable areas such as corridors and waiting rooms due to the lack of space. The observers also reported other situations in which practitioners decided to place several patients in the same room in order to conduct certain examinations due to the shortage of material.
In relation to the degree of severity, severe breaches were the most frequent (46.7 %). This is due to the fact that most incidents were related to the disclosure of clinical or personal data (Type 2), and were considered particularly severe with regard to protecting patient privacy. Breaches which led to some kind of observable consequence were also considered severe; for example, when conversations inside an exam room were overheard because the door was left open, and obviously when there was some intentionality in the action. These last cases, in which personnel breached the patient’s confidentiality in an intentional manner—by accessing electronic records to consult the clinical data of acquaintances who were not their patients and without the patient’s consent; or the case of the physician that disclosed information about a psychiatric patient to a representative of a pharmaceutical company at the entrance to an exam room−were fortunately rare. In most cases, we assume that the reasons for such breaches of confidentiality arise from a lack of knowledge about the legal and ethical repercussions of such actions, as well as carelessness in handling information. Our opinion is in line with studies such as that of Elger  who conducted surveys with groups of physicians. They found that although health professionals are often aware of the importance of confidentiality, a significant percentage does not how to avoid breaches of confidentiality in their daily practice.
We found that breaches defined as severe (68.2 %) (Table 4), and hence those that involve the disclosure of patients’ clinical and personal data (Type 2), were more frequent, particularly in meeting or work areas (75.8 %). This is not surprising as most patient care is provided in exam rooms, treatment rooms, and operating rooms where a large amount of data is handled. In contrast, incidents related to the custody of clinical histories (Type 1) were more frequent at nursing stations (80 %) as were minor breaches (46.4 %). This may be explained by the fact that most clinical records, either in paper or electronic format, are handled in these areas of the hospital. Specifically in the case of Internal Medicine and the Emergency Department, these incidents were more frequent at nursing stations (40.4 %) (Fig. 2). This is because the majority of breaches (43.3 %) involved the disclosure of data (Type 2), while a slightly lower percentage (39.7 %) was related to the custody of clinical records (Type 1). This is likely due to the fact that information regarding the patient’s clinical course, is often recorded at nursing stations, where unguarded folders containing clinical records may be left open on counters or displayed in computers without a password, thus permitting access to anyone passing by.
In relation to factors intrinsic to emergency departments, another study by Olsen and Sabin  reported that 36 % of patients and family members overheard conversations and that 1.6 % heard inappropriate comments, although they did not find significant differences between patients placed in walled vs. curtained rooms. In a subsequent study, Olsen and Cols  reported that after elimination of rooms separated only by curtains, the percentage of patients who overheard conversations between medical staff dropped to 14 %.
In Gynecology and Obstetrics (48.5 %), Pediatrics (46.4 %), and other medical and surgical specialties (37.8 %), a larger number of confidentiality breaches were observed in meeting and work areas (Fig. 2). This is consistent with the fact that the most common breaches in these areas were the disclosure of clinical or personal data to personnel not involved in the patient’s care or third parties (Type 2) as most medical care and personal contact with patients occurs in exam rooms, treatment rooms, and operating rooms. Physicians have often been reported to converse with colleagues about an identifiable patient in front of another patient in exam rooms or on the phone. In the surgical departments of our hospital (Fig. 2), such as General and Digestive Surgery (39.3 %) and Maxillofacial and Plastic Surgery (51.3 %), breaches of confidentiality were primarily observed in the public areas of the hospital. This may be due in part to the fact that, as our observers noted, it is common practice to inform family members in areas such as corridors and waiting rooms following surgery.
Another factor analyzed in our study were those responsible for breaches of confidentiality. Like Ubel and Cols  and Mlinek and Pierce , we found that such incidents were committed by all healthcare personnel, including, in our case, medical students. Hendelman and Byszewski  also demonstrated that medical students were involved in 19−51 % of all reported incidents.
In our study, physicians were observed to be responsible for the largest number of breaches (51.4 %), although we believe that this might be due to some bias as the observers were medical students who were doing their clinical internships primarily under the direction of physicians and to a lesser degree with medical residents. This is an important point because although medical care is currently provided by teams, and all members of the team have the obligation to maintain confidentiality, it is physicians who are primarily responsible for ensuring that this duty is met, not only with respect to patients’ clinical data, but also other types of information inherent to the doctor-patient relationship.
As regards the characteristics of the breaches (Table 3) in general, and especially in the case of physicians (54.2 %) and nurses (56.2 %), the most frequent had to do with the disclosure of clinical or personal data to non-medical staff or third parties (Type 2), and were therefore of a severe nature. In contrast, orderlies were responsible for most of the minor breaches (52.6 %) (Table 4) related to the custody of clinical histories (68.4 %) (Type 1, see Table 3). Regarding the personnel involved in breaches and breach severity, the collection of data was performed anonymously and the identity of the observed subjects was unknown, therefore we could only determine the number of repeated minor and severe breaches and the type of personnel involved in them, but not specifically how many different subjects were really responsible of the breaches. The main objective of our study is to examine real situations collecting general and sociodemographic data (medical departments, area, type of personnel involved…) in order to propose necessary measures to prevent such incidents, but devoid of any punitive intention.
As to the area where the breaches occurred (Fig. 3), breaches committed by nursing staff were observed primarily at nursing stations (36.2 %). This is not surprising as this is the area where they carry out much of their work. On the other hand, auxiliary (38.7 %) and administrative staff (57.1 %) were observed to commit most breaches in meeting and work areas as they perform their tasks primarily in offices. As regards the rest of the hospital staff, especially physicians (36.5 %) and orderlies (68.4 %), breaches were committed most frequently in public areas. In the case of physicians, this could be explained by careless behavior, and because they are primarily responsible for informing patients and their families, which, as mentioned above, is often done in public areas such as corridors and waiting rooms. With regard to orderlies, breaches are mainly committed in public areas as one of their principle tasks is to transfer clinical records. As the observers repeatedly noted, “medical records were found lying about unguarded in hospital corridors”.
Limitations of the study
Among the limitations of our study, we should first note that the observers selected for the fieldwork were medical students. This could have had an effect on the recorded observations since their knowledge and expertise on the subject was, to some extent, limited. However, we attempted to overcome this limitation by providing personalized training to each of the observers.
In addition, although the observers signed a confidentiality agreement to avoid suspicion of being observed and the subsequent bias of changing their behavior, we cannot completely rule out the possibility of a Hawthorne effect as a confounding factor.
Moreover, the type of breaches recorded by the observers were subjectively classified a posteriori into specific categories based on the content of the comments. In cases deemed to be unclear, consensus was reached among the researchers regarding the category in which to include the breach.
On the other hand, the study was carried out in a Spanish university tertiary hospital, and though we do believe that the problem is very similar in other hospitals, it cannot be directly generalized.
Finally, it should be noted that other medical and surgical specialties was not a homogeneous category as it was comprised of different CMUs that were grouped together for the purpose of statistical comparison.