Embed Size (px)
Citation preview
Information Sharing, Duty of Candour and Legal Issues at the
End of Life
Mike O’Connell
Legal Services Practitioner
12 July 2019
Topics for today
• information sharing and legal issues at the end of life
• the Duty of Candour and End of Life Care
• making sustainable disclosure decisions and sharing information responsibly and legitimately
• the right of individuals to delete data
• key legal developments
The Disclaimer
• Not a lawyer
• Head of Legal Services 24 years
• NHS Acute Trust, maternity, 3 hospital sites, community services
• Well known to Trust senior clinicians, Caldicott Guardian, Complaints Manager, clinical governance managers, local coroners, NHS Resolution Case Managers
• Not Palliative Care though….
Information sharing & legal issues at the end of life
• To share or not to share, that is the question
• with other staff
• with relatives, other agencies, others.....
Confidentiality
• The common law (duty of confidentiality)
• Data Protection Act 1998 (UK) (fair/lawful processing)
• Human Rights Act 1998 (UK) (right to privacy -Article 8 of ECHR)
• NHS Constitution (NHS to keep your confidential information safe and secure)
Caldicott principles – a reminder
• Justify the purpose(s)
• Don’t use personal confidential data unless it is absolutely necessary
• Use the minimum necessary personal confidential data
• Access to personal confidential data should be on a strict need-to-know basis
• Everyone with access to personal confidential data should be aware of their responsibilities
• Comply with the law
• The duty to share information can be as important as the duty to protect patient confidentiality
Information: To share or not to share? The Information Governance Review – March 2013
• Implied consent is applicable only within the context of direct care of individuals. Examples of the use of implied consent include doctors and nurses sharing personal confidential data during handovers without asking for the patient’s consent.
• Not necessary to challenge this long-established approach, although further effort is needed to increase patients’ understanding of how their personal confidential data is used.
Information: To share or not to share? The Information Governance Review – March 2013
• safe and appropriate sharing in the interests of the individual’s direct care should be the rule, and not the exception
• primary concern must be for the health and wellbeing of the individual to whom they are providing direct care and…..the presumption should be in favour of sharing for an individual’s direct care
• only relevant information about a patient should be shared between professionals in support of their care
GMC Confidentiality: good practice in handling patient information
• Sharing information for direct care
• Appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who provide their care do not have access to relevant, accurate and up-to-date information about them. Multidisciplinary and multi-agency teamwork is also placing increasing emphasis on integrated care and partnership working, and information sharing is central to this, but information must be shared within the framework provided by law and ethics. GMC January 2017
GMC Confidentiality: good practice in handling patient information
• Sharing information with those close to the patient• The people close to a patient can play a significant role in
supporting, or caring for, the patient and they may want or need information about the patient’s diagnosis, treatment or care. Early discussions about the patient’s wishes can help to avoid disclosures they might object to.
• You should establish with the patient what information they want you to share, with whom, and in what circumstances. This will be particularly important if the patient has fluctuating or diminished capacity or is likely to lose capacity, even temporarily. You should document the patient’s wishes in their records.
• If a patient lacks capacity to make the decision, it is reasonable to assume the patient would want those closest to them to be kept informed of their general condition and prognosis, unless they indicate (or have previously indicated) otherwise.
Communication!
• Especially in acute medicine setting
• Notification of entering end of life stage
• Timely advice as to nearing the end
• Or → complaints and/or claims
Duty of Candour
• Key recommendation from Francis report
• Contractual duty – NHS Standard Contract SC35
• Statutory duty – Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, regulation 20
What is candour?
• “The volunteering of all relevant information to persons who have or may have been harmed by the provision of services, whether or not information has been requested and whether or not a complaint or a report of that provision has been made”
Robert Francis QC
Statutory Duty of Candour
• A legal duty placed on CQC registered providers (NHS since 27 November 2014, all providers from April 2015)
• On the organisation not the individual
• One of the “Fundamental Standards” – to be policed and enforced by the CQC as with other regulatory standards (e.g. care and treatment, safeguarding, governance)
Statutory Duty of Candour
• General duty – ““must act in an open and transparent way…in relation to care and treatment provided to service users…”
• Specific duty applies for “notifiable safety incidents”
• Notifiable safety incident (NSI) - – an unintended or unexpected incident that “could result in or appears to have resulted in”: - death (i.e. caused by incident not natural progression of disease) - severe harm, moderate harm or prolonged psychological harm
When does it apply?
• General duty applies at all times
• Specific duty only applies when threshold of harm or potential harm is met - a notifiable safety incident or (NSI)
• The key is to ensure you are recognising those incidents where the specific duty applies and then taking action to comply with it.
• If it is a ‘near miss’ with no harm then specific duty will not apply.
Complying with specific duty• Notify the relevant person that the incident has
occurred• Provide reasonable support to the relevant person• Notification must be given in person• Provide a true account of the facts (as known at the
time)• Advise what further enquiries will be made• Include an apology• Record the notification in a written record• The notification must be followed up in writing
(covering all the above) plus the results of any further enquiries (which includes the reporting of the incident and its full investigation)
Reg 20: Duty of candour Guidance
• In making a decision about who is most appropriate to provide the notification and/or apology, the provider should consider seniority, relationship to the person using the service, and experience and expertise in the type of notifiable incident that has occurred.
Reg 20: Duty of candour Guidance
• Other than the situations outlined (e.g. over 16s lacking mental capacity, under 16s lacking mental capacity etc), information should only be disclosed to family members or carers where the person using the service has given their express or implied consent.
Reg 20: Duty of candour Guidance
• Providers should make all reasonable efforts to ensure that staff operating at all levels within the organisation operate within a culture of openness and transparency, understand their individual responsibilities in relation to the duty of candour, and are supported to be open and honest with patients and apologise when things go wrong.
Right of individuals to delete data
• The GDPR introduces a right for individuals to have personal data erased.
• The right to erasure is also known as ‘the right to be forgotten’.
• Individuals can make a request for erasure verbally or in writing.
• You have one month to respond to a request.• The right is not absolute and only applies in certain
circumstances.• This right is not the only way in which the GDPR places
an obligation on you to consider whether to delete personal data.
When does the right to erasure apply?• the personal data is no longer necessary for the purpose
which you originally collected or processed it for;• you are relying on consent as your lawful basis for holding
the data, and the individual withdraws their consent;• you are relying on legitimate interests as your basis for
processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
• you are processing the personal data for direct marketing purposes and the individual objects to that processing;
• you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
• you have to do it to comply with a legal obligation; or• you have processed the personal data to offer information
society services to a child.
When does the right to erasure not apply?- if processing is necessary:
• to exercise the right of freedom of expression and information;
• to comply with a legal obligation;
• for the performance of a task carried out in the public interest or in the exercise of official authority;
• for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
• for the establishment, exercise or defence of legal claims.
2 circumstances where the right to erasure will not apply to special category data:
• if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
• if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
Special category data
• race;• ethnic origin;• politics;• religion;• trade union membership;• genetics;• biometrics (where used for ID purposes);• health;• sex life; or• sexual orientation.
Legal developments
ICO Prosecution (March 2019)• Birmingham Magistrates’ Court fined NHS staff member for
breaching data protection laws.• Faye Caughey worked as an administrator at Heart of England
NHS Foundation Trust when she unlawfully accessed the personal records of 14 individuals between February 2017 and August 2017.
• While she was authorised to access records of adults from 2 systems: HEFT’s iCare and CareFirst from Solihull Borough Council, an internal investigation found she viewed the personal data of 7 family members on iCare and 7 children known to her on CareFirst. Caughey had no business case to look at those records and, as a result, breached data protection laws.
• Fined £1,000, with a £50 victim surcharge, and a contribution of £590 towards prosecution costs.
• Mike Shaw, who leads the ICO’s criminal investigation team, says the ICO will take action against those who abuse their position of trust and break data protection laws.
National Data Guardian
• Health and Social Care (National Data Guardian) Act 2018
• Legislation passed December 2018
• The NDG will be able to issue official guidance about the processing of health and adult social care data. Public bodies, such as hospitals, GPs, care homes…., will have to take note of guidance that is relevant to them.
• Dame Fiona Caldicott 11 March 2019 — Press release
Access to health records (BMA December 2018)
• Updated to reflect the General Data Protection Regulation and Data Protection Act 2018
• defining a health recordadvice on record-keepingsubject access requestsrequests for access on behalf of othersrequests by the policerequests by insurersrequests for access to the records of deceased patientsrecords retention
• This guidance sets out a range of circumstances in which health professionals may receive, and respond to, requests for access to health records. It reflects the common enquiries received by the BMA.
Access to health records (BMA December 2018)
• Subject access request
• It is not necessary for patients to give reasons as to why they wish to access their records.
• 28-day time-limit
• There is nothing in the GDPR or DPA that prevents health professionals from informally showing patients (or proxies) their records as long as no other provisions of the GDPR or DPA are breached.
• A common enquiry to the BMA is whether a patient’s original medical records can be sent to a solicitor.
Access to health records (BMA December 2018)
• Individuals are entitled to receive all the personal data a controller holds about them
• It is reasonable, however, for a health professional to discuss with a patient whether they require all the information held or whether limited or tailored content would satisfy the request.
• Initial access must be provided free of charge (including postage costs) unless the request is ‘manifestly unfounded’ or ‘excessive’ – in which case a ‘reasonable’ fee can be charged.
• “As next of kin they have no rights of access to medical records.”
Access to Health Records Act (1990)
• Under the terms of the act, you will only be able to access the deceased's health records if you're either:
• a personal representative (the executor or administrator of the deceased person's estate), or
• someone who has a claim resulting from the death (this could be a relative or another person).
• Only information directly relevant to a claim will be disclosed.
• This only applies to written records made on or after 1st November 1991.
Are relatives entitled to information about the deceased’s last illness? (1)
• While there is no legal entitlement other than the limited circumstances covered under the Access to Health Records legislation, health professionals have always had discretion to disclose information to a deceased person’s relatives or others when there is a clear justification. A common example is when the family requests details of the terminal illness because of an anxiety that the patient might have been misdiagnosed or there might have been negligence.
Are relatives entitled to information about the deceased’s last illness? (2)
• Disclosure in such cases is likely to be what the deceased person would have wanted and may also be in the interests of justice. Refusal to disclose in the absence of some evidence that this was the deceased patient’s known wish exacerbates suspicion and can result in unnecessary litigation. In other cases, the balance of benefit to be gained by the disclosure to the family, for example of a hereditary or infectious condition, may outweigh the obligation of confidentiality to the deceased.
What have we covered today?
• information sharing and legal issues at the end of life
• the Duty of Candour and End of Life Care
• GDPR - the right of individuals to delete data
• key legal developments
Further reading• GMC: “Confidentiality: good practice in handling
patient information (2017)” April 2017 https://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp
• Duty of Candour http://www.cqc.org.uk/guidance-providers/regulations-enforcement/regulation-20-duty-candour#guidance
• BMA Access to health records https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/access-to-health-records
• ICO https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
Questions?
