Confidentiality is a fundamental principle at the heart of the doctor-patient relationship. It ensures that personal health information shared during medical consultations is kept private and secure, fostering trust and open communication between patients and their medical practitioners. In the medical field, confidentiality is not only a professional and ethical obligation but also a legal one, with serious implications for both patients and practitioners if breached. Patients have the right to expect no disclosure of their information to third parties without the patients’ consent.
According to the Malaysian Medical Council (MMC) (2019) “Good Medical Practice Guidelines” [3.2.6]:
“a good standard of professional practice dictates that the doctor must exert all in his power to preserve patient privacy and confidentiality”.
The MMC Code of Professional Conduct 2019 states that the practitioner must ensure that the information is effectively protected against improper disclosure when it is transmitted, received, stored, or disposed of.
Further, under the Personal Data Protection Act 2010, patients are entitled to expect that their personal information will not be disclosed without their explicit consent.
Grounds for Disclosure
The duty of confidentiality is not absolute and the law recognises several exceptions to the general rule of protecting confidentiality. The MMC Guidelines (2011) on “Confidentiality” (“MMC Confidentiality Guidelines”) state that a medical practitioner may disclose a patient’s personal information if:
(a) it is required by law;
(b) the patient consents – either implicitly for the sake of their own care or expressly for other purposes; or
(c) it is justified in the interests of justice.
Sharing information with a patient’s spouse, relatives or others
The MMC Confidentiality Guidelines emphasise that medical practitioners should discuss with patients what information can be shared, with whom, and under what circumstances, particularly if the patient has fluctuating or diminished capacity. Early discussions can prevent objections to disclosures and misunderstandings. If a patient lacks capacity, practitioners should share relevant information based on prior guidance, assuming patients would want close relatives informed unless stated otherwise.
When family members or others express concerns, practitioners may listen but must clarify that they cannot guarantee withholding the conversation from the patient. Listening to others can be beneficial in patient care, but practitioners must consider if the patient would view this as a breach of trust, especially if the patient has asked them not to involve specific individuals.
Example of Breach of Confidentiality
The MMC publicly lists disciplinary actions taken against medical practitioners on their official portal each year, serving as a reminder of the importance of upholding professional standards. One notable example of a breach of confidentiality in the doctor-patient relationship is the case of Dr A (their name having been redacted to preserve anonymity). Dr A was charged as he had neglected or disregarded his professional responsibility in the standard of medical care to the patient:
(i) by disclosing medical information of the patient to her husband and her family without first obtaining the patient’s consent, he had thereby failed to comply with Section 21 of the MMC’s Guidelines on Confidentiality and Section 2.2.2 of the Code of Professional Conduct;
(ii) by issuing a referral letter dated 28.06.2018 in respect of the patient without making it clear in the said letter that he did not examine the patient, thereby he had abused his professional privileges and skills in contravention of Section 2.1.4 of the MMC’s Code of Professional Conduct; and
(iii) by failing to examine the patient prior to making a diagnosis of her condition as having Bipolar Disorder, he had neglected or disregarded his professional responsibility to carry out a conscientious assessment of the history, symptoms and signs of the patient’s condition, thereby contravened Section 1.1(a) of the MMC’s Code of Professional Conduct.
The MMC’s Disciplinary Board, during its inquiry found Dr A guilty and ordered that he be reprimanded under Section 30(1)(a) of the Medical Act 1971.
Duties of confidentiality concerning a deceased patient
The MMC Confidentiality Guidelines outline the obligations of medical practitioners regarding the confidentiality of patient information concerning a deceased patient. Practitioners are required to maintain the confidentiality of personal information after a patient dies. Disclosure may occur based on circumstances, including respecting the patient's wishes for confidentiality.
When considering requests for information from third parties, practitioners should assess:
(a) whether the person requesting the information has the requisite standing or authorisation;
(b) whether the disclosure of information may cause distress to, or be of benefit to, the patient’s partner or family;
(c) whether disclosure of information about the patient will in effect disclose information about the patient’s family or other people;
(d) whether the information is already public knowledge or can be anonymised; and
(e) the purpose of the disclosure.
In cases of conflict, such as insurance claims, practitioners cannot disclose information without consent from the patient's executor or next of kin, who must be fully informed about the consequences of disclosure.
Certain circumstances allow for the disclosure of information about deceased patients, such as:
(a) to help a coroner or other similar officer in an inquest or fatal accident inquiry;
(b) when disclosure is required by law or is justified in the public interest, such as for education or research;
(c) for National Confidential Inquiries or for clinical audit;
(d) on death certificates, which the practitioner shall complete honestly and fully;
(e) for public health surveillance, in which case the information should be anonymised or coded, unless that would defeat the purpose; and
(f) when a parent asks for information about the circumstances and causes of a child’s death.
Electronic Medical Records
Electronic medical records significantly improve the management of patient information. As custodians of these records, medical practitioners have a duty to uphold the integrity, confidentiality, and accessibility of medical records.
Practitioners must establish an information governance policy that includes protocols and procedures to ensure patient information is documented, maintained, and disclosed in accordance with the Principles of Confidentiality outlined in the MMC Confidentiality Guidelines. This is particularly important during the transition from paper-based records to electronic formats.
The MMC Confidentiality Guidelines set out a non-exhaustive list of measures that should be taken to ensure confidentiality, including:
(a) physical security measures to prevent unauthorised access;
(b) access and authorisation processes to ensure only legitimate users have access to the medical record and that each user has the appropriate level of access to the medical records;
(c) the maintenance of audit logs to support the authenticity of additions to the medical records;
(d) read-only formats for external documents;
(e) regular back-up of the medical records, preferably daily for in-patients;
(f) contingency plans for disaster recovery and denial of service attacks; and
(g) enhanced security e.g. additional encryption or authentication processes, when networks are more exposed.
Confidentiality and Social Media
The Ministry of Health implemented the “Guidelines for the Use of Social Media among Healthcare Providers” on 31st March 2016 (“MOH Guidelines”). Under provision 1.4, the MOH Guidelines aim to “provide practical and ethical advice on different issues that healthcare providers in the Ministry of Health may encounter when using social media for consultation to minimise the risk of ethical and legal complications”.
Provision 4.1 mandates that any patient-identifiable information must be excluded from communications shared via social media, including images or videos, ensuring sensitive details such as names, identification numbers, and addresses are not disclosed, for example, in ECG tracings or radiology results.
Provision 5.1 emphasises the responsibility of the hospital director and department heads to ensure that all healthcare providers are aware of these guidelines. The MOH Guidelines should be read alongside the MMC Confidentiality Guidelines, which address issues relating to the disclosure of information through social networks.
Conclusion
Confidentiality is a fundamental aspect of the doctor-patient relationship, essential for fostering trust and facilitating open communication. Medical practitioners are legally bound to protect patient information, ensuring it is disclosed only with consent or under specific circumstances. The MMC Guidelines further emphasise the importance of maintaining patient privacy throughout their care, including after death, with careful consideration of requests for information from third parties. As the healthcare landscape evolves with the adoption of electronic medical records and the use of social media, practitioners and healthcare facilities must implement robust information governance policies to safeguard patient data. Upholding confidentiality not only enhances the quality of care but also reinforces the fundamental ethical principles of autonomy and trust that are vital in healthcare.
25 October 2024