the importance of confidentiality
The relationship between dentist and patient is based on the understanding that any information about the patient will be treated in the utmost confidence and will not be divulged to a third party without the patient’s consent. Patients have a right to privacy. It is vital that they have the confidence to give us full information about their health in order to ensure that treatment carried out is appropriate and safe. The intensely personal nature of health information means that many patients may be reluctant to give full information to their dentist unless they are sure that the information will not be passed on. If confidentiality is breached, a dentist, hygienist, therapist, technician or nurse may face investigation by the General Dental Council (GDC) and possible erasure from the Dentists’ or DCPs’ register. They may also face legal action by the patient for damages and, for dentists, prosecution for breach of the 1998 Data Protection Act/General Data Protection Regulation, etc.
General Dental Council
All staff must follow the GDC’s rules for maintaining patient confidentiality as set out in: “Standards for the Dental Team”. If confidentiality is breached, each registered dental professional involved is responsible to the GDC for their individual conduct.
what is “personal information”?
In a dental context, this includes:
- the patient’s name, address, bank account or credit card details, telephone number, email address or any means of personal identification such as photographs
- the fact that the person is or ever has been a patient of the practice or that they attended, failed to attend or cancelled an appointment
- information about the patient’s physical, mental or oral health or condition
- details of historic, planned or ongoing treatment
- information about family members
- details of personal circumstances supplied by the patient to others
- the amount paid for treatment, the amount owing or the fact that the patient owes the practice money
principles of confidentiality
The practice has adopted the following three principles of confidentiality:
- Personal information about a patient is confidential in respect of that patient and to those providing the patient with health care;
- It should only be disclosed to those who would be unable to provide effective care and treatment without that information (the “need to know” concept); and
- Such information should not be disclosed to third parties without the consent of the patient except in certain specific circumstances described in this policy.
disclosure to third parties
There are certain restricted circumstances in which we may decide to disclose information to a third party or may be required to disclose by law. Responsibility for disclosure rests with the patient’s dentist, though the Practice Director may make a decision to disclose where appropriate (in particular where an insurer requests information to verify an insurance claim). A brief summary of the circumstances is given below:
- When disclosure is in the public interest: There are certain circumstances where the wider public interest outweighs the rights of the patient to confidentiality. This might include cases where disclosure would prevent a serious future risk to the public or assist in the prevention or prosecution of serious crime.
- When disclosure can be made: (i) with the express consent of the patient, (ii) where this is necessary to enable someone else to provide health care to the patient and the patient has consented to this sharing of information, (iii) where it is required by statute, (iv) pursuant to a court order, (v) in order for the dentist to pursue a bona-fide legal claim against a patient (eg disclosure to a solicitor, court or debt collecting agency), (vi) in order for the dentist to take advice from his/her insurers/defence organisation/legal representatives in the event that the patient makes a complaint and/or commences/threatens to commence legal process against the dentist.
- Disclosure necessary to provide health care and for the functioning of the NHS: in practical terms, this type of disclosure includes transmission of claims/information to payment authorities; in more limited circumstances, disclosure to local healthcare commissioning bodies (these first two are extremely unlikely to apply to our practice since we no longer provide services to the NHS and have not done so since 2004); or referral of the patient to another dentist or health care provider such as a hospital.
data protection privacy notice
The practice’s Data Protection Privacy Notice details how we comply with the Data Protection Act 1998 and the General Data Protection Regulation (EU 2016/679). It is a condition of engagement that all practice staff comply with this policy.
access to records
Patients have the right of access to their health records, whether held on paper or on a computer. Full details of procedures are provided in the practice’s Data Protection Privacy Notice. Care should be taken to ensure that the individual seeking access is the patient in question and, if necessary, staff must seek confirmation of identity from that individual.
These principles give rise to a number of rules that everyone in the practice must observe:
Records must be kept secure and in a place where it is not possible for for other patients or individuals to read them.
Information about patients must not be discussed with anyone outside the practice, including relatives or friends.
A school must not be given information about whether a child attended for an appointment on a particular day.
Demonstrations of the practice computer system must be carried out using fictitious data and not actual patient information (specific fictitious individuals have been created on the system for staff training purposes and a complete “demo data” set is available at login for appointment book demostrations, if required – consult the Practice Director, Neil Phillips, for information).
When talking to a patient on the telephone or in a public area, care should be taken to ensure that sensitive information is not overheard by other people.
Do not give information about a patient’s appointments to their employer.
Messages about a patient’s care must not be left with third parties, though our Data Protection Privacy Statement does permit the use of an answering service or answering machine unless the patient gives instructions to the contrary (where care requirements must be discussed, all that can be left is a message to call the practice).
The practice operates an appointment reminder system that involves calling patients, plus sending them text messages and emails. Patients are advised about this when they first join the practice and told that they may opt-out of this system (refer to welcome letter/email templates). If they do not, they are advised that we will take the supply of email addresses and telephone numbers by them to mean that they consent to us sending email and SMS reminders and, in the event that we are unable to speak to them personally, leaving messages on answering machines and answering services associated with the telephone numbers they supply. These messages are confined simply to reminding the patient that they have an appointment and do not extend to information about their clinical care.
All patient recalls and personal information must be sent in a sealed envelope.
Where information is to be shared with a third party, such as where a referral is made to a specialist outside the practice, information should be sent either by post in a sealed envelope to a postal address that has been verified (for example, by telephone call to a Consultant’s medical secretary) or by email to an email address that has been similarly verified as valid.
No information may be disclosed to officials such as police officers, tax officials, etc, without the express permission of the Practice Director.
Patients must not be allowed to see information contained on day sheets or computerised appointment books, since these inevitably contain information about other people.
Discussions about patients should not take place in public areas of the practice.
Discussions with patients about their care should take place in the surgeries or other areas where they will not be overheard.
Where a child is competent to make decisions about their treatment and wishes to do so, we will also observe confidentiality in relation to them – ie we will not share information with the child’s parents without the child’s consent.
If in any doubt about whether information is confidential or whether the person requesting it is genuinely entitled to receive it, DO NOT DISCLOSE ANYTHING but politely decline and refer the matter to the dentist or the the Practice Director.
If, after an investigation, a member of staff is found to have breached patient confidentiality or this policy, he or she will be liable to summary dismissal.
Employees are reminded that all personal data processed at the practice must by law remain confidential after your employment has terminated (for whatever reason). It is an offence under section 55(1) of the Data Protection Act 1998, knowingly or recklessly, without the consent of the data controller (hygeia dental care/Dr Joanne Giddy), to obtain or disclose personal data. If the practice suspects that you have committed such an offence, it will contact the Information Commisssioner’s Office and you may be prosecuted by the Commissioner or by or with the consent of the Director of Public Prosecutions.
Any queries about confidentiality should be addressed to the Practice Director, Mr Phillips.
Web version 5: 23.5.2018 (reviewed 11.11.2018)
Previous web version: 31.12.2010 (reviewed 25.1.2012); 10.2.2012; 15.3.2012 (reviewed 12.3.2013; 19.6.2014; 5.6.2015); 3.8.2016 (reviewed 1.9.2017)