|Home | About | Journals | Submit | Contact Us | Français|
An anxious Mrs Jones calls the GP to obtain the results of her 16-year-old daughter's blood test. For reasons of confidentiality, the GP declines to offer any information about his patient. Disgusted by the GP's refusal, Mrs Jones asks her other teenage daughter to phone the surgery and impersonate her sister. She successfully extracts the information. Can anything be done to prevent such violations of confidentiality?
Patients commonly use the telephone to obtain test results and other medical information from their GPs.1–3 This allows patients and their families to be informed quickly and without leaving their home. However, the practical advantages of telephone calls are offset by risks to patient confidentiality.4 As the boxed case demonstrates, non-authorised persons can take advantage of the medium to access confidential information. Unlike face-to-face conversations, callers cannot identify each other visually and have difficulty identifying the true acoustic properties of their interlocutor's voice.5 Yet, a recent study on telephone consultations in general practice revealed that GPs regularly identify callers by simply asking for their name or recognising their voice.3 It is not known how often doctors unintentionally violate confidentiality by relying on these flawed methods. The recent NHS Confidentiality Code of Practice, which states that staff should ‘check that any callers, by telephone or in person, are who they say they are’ is laudable in principle but lacking in practical advice.6 So how can GPs and medical receptionists realistically check that callers are who they say they are?
In light of the importance of respecting patient confidentiality among doctors, patients, and bioethicists, it may be desirable to consider ways to eliminate or, at least, reduce such violations. The General Medical Council's (GMC's) guidelines specify that doctors ‘must make sure that it [patients' personal information] is effectively protected against improper disclosure at all times’.7 Without a promise of confidentiality, patients may be more reluctant to disclose information to their doctor, with adverse effects on their medical care and on public trust in the medical profession.8
In view of the difficulties of identifying speakers over the telephone, one radical solution would be to abolish all telephone consultations in general practice. This would instantly eliminate the confidentiality problem. However, it would create a range of other problems, such as increasing the time pressures on already busy GPs and complicating the lives of countless patients, some of whom may live some distance away from their GP practice.
Another option is to leave things unchanged, accepting that some violations will inevitably occur, but satisfied that, by and large, the system works. The vast majority of callers are indeed who they say they are and any detective work to establish identity will reduce the efficiency of the system to unacceptable levels. The burdens of improving the system would outweigh the advantages.
The ideal solution would surely be to set up a system that will minimise the confidentiality problem while allowing GPs to use the telephone in a time-effective manner. We believe this can be achieved by introducing a simple password system. The system will require callers who ask for confidential information to disclose a pre-arranged password. The password, provided to all persons authorised by the patient, will signal to the GP that the caller is legitimately entitled to the information. Such a system would no doubt have prevented the ethical violation in the case above. Neither the mother nor the patient's sister would have been able to access the information without a password.
Patients who plan to use the telephone to access medical information would be offered the possibility of tighter security by providing a password that would be used to ascertain their authorised status. Although some might decline the offer, others (such as the teenage patient in the case example) may embrace it. Patients who opt for a password would be told only to share it with people whom they authorise to access their confidential information. This password would then be noted on the patient's notes. When responding to an inquisitive caller, receptionists would consult the relevant notes on their computer and request the password. If correct, they would transfer the call to the GP who could consult with the caller safe in the knowledge that the patient's confidentiality has been respected.
The strongest objection to the proposal concerns the time burden on the practice staff. Asking patients to choose a password, processing the password on the database and verifying the password with each caller who requests information is time-consuming and would prevent staff from engaging in more important tasks. Even if the system does eliminate breaches of confidentiality over the phone, should confidentiality be protected at the cost of efficiency?
The GMC guidelines state that doctors should take ‘reasonable steps’ to ensure that consultations with patients are confidential.7 In normal circumstances, doctors are not obliged to search the consultation room for CIA-style bugging devices even though there is a very remote chance that such a device is concealed somewhere in the room. Such stringent adherence to the principle of respect for confidentiality would undoubtedly violate other ethical principles (including the principle of beneficence, as there would be no time left for a consultation) and endanger the success of the medical encounter.
It is far from clear, however, that a password system would transcend the bounds of reasonableness and lead to a loss of efficiency. Currently, GPs or receptionists may spend several minutes establishing the identity of callers. If uncertain, they might require the patient to book an appointment. Alternatively, they might spend time calling back the suspected patient, with no guarantee that the speaker will indeed be the patient. In the case example, for instance, calling back would not have helped. The new system would obviate the need for detective work and enable staff to share information immediately. Providing information over the phone may also reduce the number of GP appointments and, consequently, the waiting time for other patients.3 The service would be more ‘user friendly’ for patients and practice staff alike. Furthermore, we suggest that the password system be merely offered to patients, not imposed. It is probable that only certain groups of patients, such as teenagers, celebrities, and those suffering from sexually transmitted diseases, will accept the offer.
The password system will not be foolproof. For example, an unauthorised person may call the surgery without a password and impersonate a hospital doctor, asking for confidential information about the ‘patient’. If sufficiently convincing, that person may persuade the doctor to convey information over the telephone. Nonetheless, such wily stratagems will be extremely uncommon and even less likely to be successful.
Although the telephone is undeniably a useful tool in general practice, its use must be regulated by adequate safety measures. The proposal of a password system is a plausible solution to minimise the problem of confidentiality over the telephone at meagre cost to doctors and patients. Indeed, it may even improve the efficiency of the system, while respecting patient confidentiality. Pilot studies conducted in general practices would be most informative to assess the value of the proposed system.
Many thanks to Professor Raanan Gillon and Dr Ming Chen for their suggestions on earlier drafts. The idea arose from a BUPA Foundation funded study on patients' trust in the use of medical records
The authors have stated that there are none.