References

Attorney General v Guardian Newspapers. 1988;

Cornelius v DeTaranto. 2001;

Department of Health. Confidentiality: NHS code of practice. 2003. https://tinyurl.com/nhs2tpx (accessed 6 March 2019)

NHS workers disciplined ‘for accessing Ed Sheeran's health records’. 2018. https://tinyurl.com/ybd4pqy3 (accessed 6 March 2019)

European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC. OJ L 119. 2016. https://tinyurl.com/ycjzot67 (accessed 6 March 2019)

Margaret, Duchess of Argyll v Duke of Argyll. 1965;

Middlesbrough Evening Gazette. Struck off. Middlesbrough Evening Gazette. 2006. https://tinyurl.com/y3dotuxe (accessed 6 March 2019)

NHS England. The care record guarantee. 2011. https://tinyurl.com/y8aptp3f (accessed 6 March 2019)

NHS England. Confidentiality policy. 2018. https://tinyurl.com/y4t7pp4j (accessed 6 March 2019)

Northern Echo. Nurses broke rules to peek at football legend's medical records. 2006. https://tinyurl.com/y2xelnlw (accessed 6 March 2019)

Nursing and Midwifery Council. Conduct and competence committee substantive order review. 2015. https://tinyurl.com/pf2wmuj (accessed 6 March 2019)

Nursing and Midwifery Council. The code: professional standards of practice and behaviour for nurses, midwives and nursing associates. 2018. https://tinyurl.com/gozgmtm (accessed 6 March 2019)

Prince Albert v Strange. 1849;

Nurse sacked after ‘inappropriately’ accessing patients' hospital records obtained. 2016. https://tinyurl.com/y9v6sctx (accessed 6 March 2019)

Stephens v Avery. 1988;

Digital Healthcare

Electronic records, confidentiality and data security: the nurse's responsibility

14 March 2019
Regulars
02 March 2019
Volume 28 · Issue 5

Abstract

Richard Griffith, Senior Lecturer in Health Law at Swansea University, considers the need for data security and a nurse's duty of confidentiality in relation to electronic records

The increased use of electronic patient records in the NHS means that up-to-date information about patients is readily available to a range of health professionals who are treating and caring for those patients.

The increased use of electronic records means that nurses are now able to access a large archive of patient information that was previously contained in manually created paper files only accessible to those in the clinical team caring directly for that person. This ease of access can be misused and information in electronic records accessed inappropriately by nurses. The accessibility of electronic records has resulted in health workers' curious—and sometimes malicious—reading of the notes of people who are not in their care. An NHS worker was recently sacked and another reprimanded after they inappropriately accessed the electronic records of the singer Ed Sheeran (Embury-Dennis, 2018).

Respect people's right to privacy and confidentiality

Registered nurses have a professional duty to maintain a patient's confidence and to maintain data security by collecting, treating and storing all data appropriately (Nursing and Midwifery Council (NMC), 2018: standards 5 and 10). Maintaining the confidentiality of a patient's electronic health information is a fundamental element of professional behaviour for nurses.

The nature of the relationship between a nurse and their patients relies on the candid sharing of information to ensure proper assessment and care that is largely based on a personal history of the person's health problem. Sensitive health information is passed on in confidence with the expectation that their privacy will be respected by ensuring the confidentiality of the information they give.

Scope of the duty of confidence

To ensure the highest standard of conduct and professional behaviour in relation to the protection of electronic health information a duty of confidence is imposed on all staff in the NHS (Department of Health (DH), 2003).

Nurses are subject to three legal obligations that come together to reassure patients that the confidentiality of their health information will be respected:

The contractual duty of confidence

All contracts of employment in the NHS must contain a clause imposing a duty of confidence on all staff that stresses that disciplinary action will result if that duty is breached (NHS England, 2018). Similarly, all contracts with outside agencies and arrangements with volunteers and others, such as student nurses, who undertake work or placements within the NHS must also include a clause imposing a duty of confidence.

NHS England's Confidentiality Policy (2018) and Care Record Guarantee (NHS England, 2011) place a duty on nurses to protect and safeguard a person's identifiable information by complying with the law and the NHS code of practice on confidentiality (Department of Health, 2003).

When a former England and Newcastle United manager was admitted to Newcastle General Hospital to have surgery his records were accessed by staff who were not involved in his clinical care but were curious to find out about their footballing hero. Officials at the trust became suspicious when security reports showed that there had been inappropriate access to the trust's patient records system (Northern Echo, 2006).

Nurses are not permitted to look up patient records unless there is a direct medical need and disciplinary action was taken against members of staff at the hospital.

The professional duty of confidence

The NMC Code (2018) imposes a duty on nurses to guard against breaches of confidentiality by protecting information from improper access and disclosure at all times. Nurses must not voluntarily disclose information gained in a professional capacity to a third party without good cause. Nurses must not access patient information without good cause.

A specialist community public health nurse who had an affair with an ex-patient told him of an abortion his partner had undergone 19 years earlier. When asked where she had got the information, she revealed that it had come from the woman's electronic health record. The nurse admitted breaching confidentiality and was found guilty of professional misconduct by the NMC who removed her name from the professional register (Middlesbrough Evening Gazette, 2006).

The NMC considers inappropriately accessing and reading a patient record as a breach of its standard on confidentiality, even where the information is not disclosed to a third party. The standard's requirement to respect a person's right to privacy in all aspects of their care requires that nurses must only access information for the patients in their care (NMC, 2018: standard 5).

A nurse who out of curiosity accessed the electronic records of a celebrity patient and five other people, including staff members who had later undergone treatment, was found to have breached confidentiality even though there was no suggestion the data accessed was disclosed to a third party. The nurse had no clinical involvement with any of the patients and so was in breach of his professional duty of confidence. He was subject to two periods of suspension from the register and then struck off for not meeting the requirements of a conditions of practice order (NMC, 2015).

Confidence and the law

The law relating to confidence arises out of a general duty on everyone to keep confidential information secret (Prince Albert v Strange (1849)). That is, there is a public interest in keeping confidential information secret.

In order to establish a breach of confidence at law three elements must be satisfied (Attorney General v Guardian Newspapers [1988]):

  • The information must have the necessary quality of confidence (Stephens v Avery [1988]).
  • The information has been imparted in circumstances giving rise to an obligation of confidence
  • The information has been divulged to a third person without the permission and to the detriment of the person originally communicating the information (Margaret, Duchess of Argyll v Duke of Argyll [1965]).

Courts consider inappropriate access or disclosure of health information as detrimental to the patient and find that a breach of confidence has occurred.

The common law duty of confidence underpins the requirements of the General Data Protection Regulation 2016 (GDPR) (European Union, 2016), which implements European Union law on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Regulation 2016/679 EU).

While the GDPR placed enhanced duties on the NHS and its staff, including nurses, in relation to the collecting and processing of patient information, the nurse's professional confidentiality requirements remain unchanged. Nurses are still bound by the current NHS and NMC duties of confidence when accessing and sharing patient information.

To then meet the requirements of the GDPR nurses must ensure that have a lawful basis for accessing and processing patient information. In most cases that lawful basis will only be met if information is accessed for the purpose of direct care or official administrative purposes. The GDPR paragraphs 9(2)(h) and 6(1)(e) say that it is lawful to access and process information:

  • ‘For medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems … in line with the professional duty of [confidence]’ (9(2)(h))
  • ‘For the performance of a task carried out in the public interest or in the exercise of official authority …’ (6(1)(e)).

Accessing, reading or disclosing patient information without lawful reason can result in enforcement action and penalty against the NHS trust or health board for a breach of the GDPR and prosecution of the nurse.

A nurse was dismissed from her job, struck off by the NMC and fined in a prosecution brought by the information commissioner after she was found to have inappropriately accessed the electronic records of over 3000 patients over a 2-year period (Smith, 2016). No changes or amendments were made to the records and the information was not disclosed to any other person. Nevertheless, the nurse was found in breach of the NMC Code (2018), the NHS duty of confidence (NHS England, 2018) and the then Data Protection Act 1998 as a result of accessing the records without legal or clinical reasons to do so.

Conclusion

Nurses must access information only for the patients in their care. Otherwise, they will be in breach of their duty of confidence and held to account for inappropriate access to records, even where they have not then disclosed that information to a third party. Nurses must respect the privacy of patients and resist the temptation to access the electronic records of those not in their care.

KEY POINTS

  • Maintaining the confidentiality of a patient's health information is a fundamental element of professional behaviour
  • Nurses are subject to three legal obligations of confidence
  • The Nursing and Midwifery Council Code (2018), General Data Protection Regulation 2016 (EU, 2016) and the individual nurse's NHS contract all consider inappropriate access of a person's health record as a breach of confidence