Mr. J is 35 years old. He has had unprotected sex with prostitutes on at least two occasions. Although he is asymptomatic he is worried about the possibility that he may have contracted a sexually transmitted disease and consults his physician. After conducting a careful physical examination and providing appropriate counseling, the physician orders a number of investigations. The blood test comes back with a positive result for HIV. The physician offers to meet with Mr. J and his wife to assist with the disclosure of this information, but Mr. J states that he does not want his wife to know about his condition.
Ms. K is 29 years old and has epilepsy. Her driving license was revoked when she was first diagnosed with epilepsy and she has continued to have seizures every three to four months while on treatment. Ms. K mentions in passing to her physician that she sometimes drives short distances to get groceries. When her physician challenges her about this she says her seizures are very infrequent. Finally, the physician tells her he may have to notify the authorities. Ms. K asks what more the authorities can do as they have already revoked her license. Are they going to leave a police car outside her house to make sure she doesn’t drive?
If a person gives information to another in confidence there is an obligation on the person receiving the information not to disclose it to someone else. This obligation, or duty, of confidentiality can be invoked explicitly by the provider of information stating that the information must not be shared, or it can be implicit in the nature of the relationship between the provider and receiver of information. Consequently, there is both an individual and a public expectation that information given to a health professional in the context of the clinical relationship will not be disclosed to third parties. The duty of confidentiality provides the foundation for trust in the therapeutic relationship. Professional organizations and regulatory bodies place great importance on the duty of confidentiality, and health professionals who breach confidentiality may be subject to disciplinary proceedings.
However, there is also an understanding that confidentiality cannot be absolute and that sometimes it may be permissible, or even legally required, to breach confidentiality. The increasing capability to generate and disseminate information in healthcare, together with the increasing complexity of healthcare provision, has implications for our understanding of the nature and limits of confidentiality. Development of multidisciplinary healthcare teams raises questions of how much information can be shared within the team, and who is recognized as a team member for this purpose. Access to electronic patient records for research and management purposes provides a “public interest” challenge to individual confidentiality, which expands the boundary of confidentiality beyond the context of individual patient care (Ingelfinger and Drazen, 2004; Peto et al., 2004; Powell and Buchan, 2005). Advances in genetic testing have prompted debate about whether genetic information creates different responsibilities regarding confidentiality (Hallowell et al., 2003; Plantinga et al., 2003; Parker and Lucassen, 2004).
Breach of confidentiality is generally perceived as a deliberate disclosure of information to a third party. However, inadvertent breaches of confidentiality that are easily preventable may also occur in healthcare: a conversation about an “interesting case” in the hospital elevator, patients’ names and/or diagnoses displayed in a manner visible to non-treating individuals. Healthcare workers should be aware of the risks of inadvertent breaches of confidentiality and take steps to avoid them.
There are a number of moral foundations for the importance of confidentiality in healthcare. The expectation that information disclosed to a health professional will remain confidential encourages patients to be open with their clinician. If patients thought this was not the case, they may withhold important information that is necessary for effective treatment or for protection of others. For example, some patients may not feel secure in confiding their dependence on drugs or alcohol and, therefore, not receive appropriate treatment. The benefit generated by the rule of confidentiality is usually considered to outweigh any harm or disadvantage, for example restrictions on research or management inefficiencies. Of equal, if not greater, importance than this consequentialist justification for confidentiality is the clinician’s duty to respect patient autonomy in medical decision making. Competent patients have a right to control the use of information pertaining to themselves. A clinician who shares that information with others, without the patient’s consent, does not respect the patient’s autonomy and will, therefore, have behaved in a morally questionable way – even if no harm results, indeed even if the patient is unaware of the breach of confidentiality. A further moral consideration for the importance of confidentiality in the clinician–patient relationship arises from the nature of the relationship and the duties generated by that relationship. There is an implied promise that confidences will be respected in this particular relationship and the clinician has a duty to keep this promise. Breaking such a promise is a betrayal of trust.
Although there are strong moral arguments for taking confidentiality very seriously, there are counter-arguments to support breach of confidentiality in some circumstances. While considerations of utility generally provide a strong argument for maintaining confidentiality, they could also justify breaching confidentiality if there is a risk of serious harm to either the patient or others. This line of reasoning is also used to argue for greater access to patient data for research and public health purposes, for instance, the benefit to the common good outweighs the harm to the individuals’ loss of control over their personal data.
Even the principle of autonomy is not absolute. As John Stuart Mill observed in 1859, personal freedom may legitimately be constrained when the exercise of such freedom places others at risk of harm (Mill, 1962). In the context of confidentiality, this suggests that a patient’s right to control how personal information is shared with others is constrained by an obligation not to harm others. When harm is threatened, the primacy of autonomy, and hence the duty to preserve confidentiality, no longer takes precedence, and disclosure without the patient’s authorization may be permissible or required.
The principle of confidentiality is also underpinned by law. In the UK, the courts have stated that there is a public interest in maintaining medical confidentiality against which any breach of confidentiality in the public interest must be weighed (W v. Edgell, 1990). In some countries, there is statutory legislation requiring physicians to respect patient confidentiality. A legislative survey of confidentiality laws in the USA found that 37 US states impose a duty on physicians to maintain confidentiality of medical records, and 42 states protected information received during a clinical consultation from disclosure in court proceedings with some exceptions (Gostin, et al., 1996). Several countries have legislation to protect written and electronic information held as part of a medical record, for example the UK Data Protection Act (1998), State legislation in the USA (Gostin et al., 1996), and the Federal Privacy Act in Australia (1988).
Legal requirements to disclose certain kinds of information are defined in statutory legislation in many countries. These requirements commonly relate to information about specified diseases, suspicion of child abuse, and some criminal proceedings. Some US state legislation permits disclosure of health information for epidemiological and research purposes (Gostin et al., 1996). The UK Data Protection Act (1998) allows disclosure of anonymized information for certain types of research. In addition to statutes, the common law recognizes that breach of confidentiality is lawful in some circumstances, mainly when there is a risk of serious harm to others if confidentiality is maintained. In the case of W v. Edgell (1990) in the UK, the Court of Appeal held that the breach of confidence in this case regarding a prisoner in a secure hospital was justified in the public interest, in order to protect the public from dangerous criminal acts. However, the Court said the risk must be “real, immediate and serious” to justify such a breach. A key US case was that of Tarassoff v. Regents of the University of California (1976). This involved a psychologist who had reason to believe that his patient would kill a woman (Ms. Tarassoff). At the psychologist’s request, the campus police arrested the patient, but he was later released. Ms. Tarassoff was not informed and was later killed by the patient. The California Supreme Court established a duty to protect that may or may not include a warning to the potential victim or to the police. Both the Tarassoff and Edgell judgments rested on the risk of serious harm to others if confidentiality was not breached. This raises the question of what level of risk and harm are necessary to justify a breach of confidence, or underpin a duty to warn. Recent advances in genetic diagnosis have led to a debate on the nature of the duty of physicians to inform family members of the risk of hereditary disease, and the US courts have already considered cases brought against physicians in this area with conflicting results (Offit et al., 2004).
The Hippocratic Oath explicitly demands confidentiality in physicians’ dealings with patients (Edelstein, 1943): “What I may see or hear in the course of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameless to be spoken about.” The Hippocratic Oath, and subsequent codes of ethics, such as the International Code of Ethics of the World Medical Association (1949), admit no exceptions to the duty of confidentiality. However, more recent professional guidance does accept that breaches of confidentiality may be justified, or even required, in some circumstances. Professional codes of ethics (American Medical Association, 1995; Australian Medical Association, 2004; Canadian Medical Association, 2004; General Medical Council, 2004) specify that confidentiality can be breached if required by law, or in circumstances where there is a significant risk of serious harm to others.
Most professional guidance emphasizes the importance of seeking consent from the patient to disclose information if possible, or that the patient is informed that disclosure will occur if the patient refuses to give consent and the risk of harm is thought to justify disclosure. Guidance on informing family members of genetic risk is less clear, unless it falls into the category of representing a significant risk of serious harm. The American Medical Association (2006) advises that the duty of the physician is to inform the patient of the need to discuss implications of test results with family members, and to offer to facilitate this discussion.
Sharing information within the healthcare team or with others involved in the patient’s care is usually seen as acceptable if the information is necessary for effective patient care. Implied consent for this type of disclosure is assumed. However, if information is to be shared with other organizations outside healthcare, for example social services, then patient’s consent may be required. In some instances, a professional body may advise that disclosure of information in the public interest is necessary even if not specifically required by legislation.
An increasing number of empirical studies have looked at the attitudes of patients and healthcare professionals to issues of confidentiality. Sankar et al. (2003) conducted a literature review of studies of patients’ perceptions of confidentiality and concluded that many patients are unaware of, or misunderstand, the legal and ethical duty of confidentiality, and a significant minority of patients distrust clinicians to protect confidential information to the extent that they will delay or forgo medical care because of this concern. Patients have different views about what information should be kept confidential (Jenkins et al., 2005). Implicit consent to sharing of medical information between healthcare professionals cannot always be assumed. Schers et al. (2003) found that patients did not always accept that on-call general practitioners should have full access to their medical records. Carman and Britten (1995) found that patients viewed access by hospital staff to their records as less of a concern than access by staff within their general practice clinic. Young people may be more concerned about their confidentiality being preserved than older adults, and concern over confidentiality in relation to sexual health services for teenage girls may impede uptake of such services (Reddy et al., 2002; Carlisle et al., 2006). Studies of health professionals also show confusion in this area. Marshall and Solomon (2003) found that 54% of providers of mental health services were confused over what type of information is confidential, and that conservative approaches to confidentiality were thought to be a barrier to collaborative care of patients with mental illness.
Physicians’ attitudes to confidentiality vary depending on the country in which they practice. French general practitioners are more likely to be paternalistic in their attitude to patient confidentiality than those in Denmark (Mabeck, 1985). In the Netherlands, 35% of general practitioners would only disclose information to another physician (Lako et al., 1990). A study of family doctors in Spain found that 95% would disclose information to a patient’s family, and 35% would do so without seeking the patient’s permission (Perez-Carceles et al., 2005). Health professionals may inadvertently breach confidentiality through carelessness or because of physical limitations of privacy in an institutional setting. Several studies have found that hospital lifts are a common setting for breaches of patient confidentiality (Ubel et al., 1995; Vigod et al., 2003) and in one study of privacy in an emergency department, 36% of patients heard conversations from another room or the corridor (Olsen and Sabin, 2003).
Clinicians must respect their patients’ confidences. Private information, particularly if identifiable, should only be disclosed to a third party with the consent of the patient. If the patient lacks competence then, depending on jurisdiction, either the consent of the patient’s representative is required or disclosure should be discussed with the patient’s representatives and only occur if it is in the patient’s best interests. Clinicians should be aware of the legal requirements for disclosure of patient information in their own countries, and whenever possible discuss such disclosures with patients beforehand.
When there is a significant risk of serious harm to another person or persons if information is not shared, and there is no statutory requirement to disclose, the duty to protect or warn may override the duty of confidentiality. In considering a breach of confidentiality in such cases it is important to balance the harm likely to arise if the information is not disclosed with the harm resulting from a breach of confidentiality. In determining the proportionality of these harms, the clinician must exercise his or her judgement. If in doubt, it would be prudent to seek advice from a professional organization or medical defense union. Prior to disclosing information, the clinician should seek to persuade the patient to consent to the disclosure, and if disclosure is made without consent, the patient should be informed that this will occur.
When disclosing information, it is necessary to consider to whom the information should be given and how much should be disclosed. Any breach of confidentiality should be limited to that necessary to prevent foreseeable harm. In situations where patient information is shared without explicit consent (e.g. with other health professionals, or use of data for research or disease registers), it is good practice to inform patients that this may occur, for example by explaining this in patient literature or notices in the clinic.
Mr. J’s physician should advise him that his wife needs to be made aware of his condition, and that if necessary his wife will be informed without his consent. It is important to explain the reasons why his confidence may be breached in this situation, and to make every effort to maintain a therapeutic relationship with him, as he will require ongoing treatment and support for his condition. Spending some time discussing his concerns about disclosure and offering support to deal with these concerns may bring about a change of mind on his part. In jurisdictions where notification of HIV status to a public health authority is legally required, this may provide further persuasion for Mr. J to consent to the sharing of information. The risk of serious harm to Mr. J’s wife would be the justification for a breach of confidentiality. Clinicians need to be aware of the local legal and professional standards concerning how they should inform partners in a way that protects them from liability. Therefore, if the conclusion is that Mr. J’s wife should be informed without his consent, discussion with a professional or defense organization, or the institutional legal advisor, would be sensible.
Ms. K’s physician needs to consider the harm that may occur to her and others if she continues to drive and has a seizure while at the wheel. Apart from Ms. K, there is no clearly identifiable person who is in danger, unlike the case of Mr. J. The risk of her having a seizure while driving is low, given that she drives only for short journeys two or three times a week and has fairly infrequent seizures. However, the potential harm that could occur is very serious, including the possibility of death for several people. Ms. K’s physician should counsel her regarding the risks to other people and to herself (including the financial risk as she will not be insured in the event of an accident). This may prove effective in persuading her to face up to her illness and the need to alter her lifestyle as a consequence. If she continues to drive, the physician must decide if the potential harm is sufficiently great to breach her confidence. Professional and legal guidance may vary on this issue in different countries or US States. In the UK, the General Medical Council (2004) provides clear direction that if the physician cannot persuade the patient to stop driving, or is given evidence that a patient is continuing to drive contrary to advice, relevant medical information should be disclosed immediately, in confidence, to the Medical Advisor of the Driver and Vehicle Licensing Authority (General Medical Council, 2004).
An earlier version of this chapter has appeared: Kleinman, I., Baylis, F., Rodgers, S., and Singer, P. A. (1997). Confidentiality, CMAJ 156: 521–4.