This is another issue for public consultation. The previous guidelines were published in 2009, and, as the GMC says, there have been developments since then.
The consultation ends on February 10th – and there are two shorter versions – for doctors and for patients and the public – if 36 questions are too many!
Here is my take on the draft guidelines: all opinions are my own.
GMC Consultation on draft updated guidance on confidentiality
1. Headline issue: Confidentiality guidance from the GMC for all doctors on confidentiality: update on 2009 guidance.
a. Topic: Confidentiality (part of Duties of a Doctor) guidance for all doctors and data sharing
b. Implications for primary care:
• this applies especially to GPs who are Data Controllers and where the responsibility for data sharing will lie with the individual doctor rather than the organisation.
• The draft guidance is considering the sharing of patient identifiable data under three headings, and there is no clear definition of what is contained in each e.g. Hampshire Care Record:-
1. direct care purposes: contribute to an individual patient’s diagnosis, care and treatment
2. indirect care purposes: contribute to the overall delivery of health and social care but which fall outside the scope of direct care (for example health service management, research, education and training)
3. non-care purposes: not connected to the delivery of health or social care but which serve wider purposes (for example, public protection, the administration of justice, financial audit or insurance or benefit claim
• direct care appears to be applied to individual patient referrals: indirect care to health service administration etc. It is not clear where population based sharing of individual patient records e.g. the Hampshire, Oxford or Leeds shared care records, or records shared in potential integrated care records fit in this picture: i.e. where the records of patients who are not in receipt of care from any organisation outside their practice – if that – and have not given either implied consent (not having been referred & having no reason to suspect their records are being shared) or explicit consent (not having been asked).
• the lack of definition on the three areas makes discussions of implied and explicit consent and when they apply unclear.
• Not clear who is to be held responsible for ensuring that patients have easily available information – or that this information has been conveyed to the patients, especially where the doctor is not the data controller. (Fair processing issue)
• Not clear where responsibility lies for ensuring the reliability of recipient organisations.
• the legal section appears inadequate and confused – especially regarding the effects of the HSCA 2012 and its requirements for obeying Directions issued under it.
• Clarity on the laws and regulations requiring reporting/sharing without patient consent and the areas where information sharing is legally prohibited, with or without patient consent (e.g. Human Fertility & Embryology) would be welcome
c. Implications for health informatics. Not clear
d. Any information or clinical governance issues.
• There is very little concrete advice on IG, how any IG considerations should be applied by doctors in a position to share or authorise the sharing of patient information, and where the responsibility lies for ensuring that the recipient of the data maintains the patient’s confidentiality.
• Lack of clarity about “prophylactic sharing” i.e. making records available to others not involved in the direct care of an individual for a specific purpose e.g. population based shared/integrated records where it will not be known in advance what information is or might be relevant.
• Advice that statement that the patient has consented may be accepted without question
• Combining numerous “non-care purposes” with very different legal and ethical issues under one heading will cause confusion: “public protection, the administration of justice, financial audit or insurance or benefit claim” have different legal requirements and need to be considered separately, with the legal requirements for each identified.
• There is inadequate clarification of the change in circumstances and legal issues leading to the need for the GMC to review its advice on Confidentiality.
e. Why does PHCSG need to discuss/have a view on this topic.
• This is a public consultation on the Duties of a Doctor with regard to Confidentiality, and is specifically intended to update the Guidance issued in 2009 in view of legal and other developments since then.
• The doctors most likely to have to take individual decisions – or be held to account over breaches – are likely to be in primary care, mainly in general practice.
• It would be unfortunate if guidance given by the GMC differed from that given by other regulators – e.g. CQC and Monitor – or other bodies involved in the issuing of guidelines on confidentiality and/or data sharing e.g. the National Data Guardian (not mentioned), CAG advice to HSCIC and HSCIC (s271 HSCA 2012).
2. Background for issue
a. Official pronouncements/documents/links (with description of relevant content)
• http://www.gmc-uk.org/Confidentiality___long_questionnaire_FINAL_distributed.pdf_63644671.pdf There are 36 questions: short versions for Doctors/HCPs and public also available.
• https://gmc.e-consultation.net/econsult/uploaddocs/Consult655/Confidentiality_draft_guidance101115.pdf the draft guidance. Unfortunately changes from the 2009 guidance are not highlighted.
• Consultation runs from 25th November to 10th February
• To enter the consultation, it is necessary to register for GMC consultations. *this is not the same as a registered doctor’s registration for the GMC website*. real identity is not required but an email address is.