Mishandling of proprietary information
There is a strong tradition and moral responsibility in the medical profession to respect confidentiality. Keeping medical information confidential helps generate the trust of patients in medical practitioners. People are encouraged to confide in doctors about sensitive issues relating to their illness for medical care.
Scenario 1 | Disclosing medical information of celebrities
Dr L, an obstetrician of a renowned private hospital, is in charge of the fertility centre there. Clientele includes celebrities and famous actresses. One day, Dr L received a telephone call from her best friend Louise who was a columnist for a local tabloid. She told Dr L that she was writing a feature article on infertility and wanted to know the success rate of her clinic. She even made enquiries about a few celebrities rumoured to be infertile and their prognosis. She assured Dr L that she would not disclose the source of information. Should Dr L offer help to Louise?
Dr L should not disclose the information to Louise as it is improper to disclose private information of her patients to a third party without their consent.
If offering or acceptance of advantages is involved between Dr L and Louise, they would violate Section 9 of the POBO. Despite in this scenario Dr L had not accepted any advantage from Louise, she might violate the provisions of the Personal Data (Privacy) Ordinance which do not allow data users to use the personal data in contravention of the purpose of collection without the consent of data subjects.
Dr L may also breach the Code of Professional Conduct of the MCHK (Oct 2022) which specifies that all medical records should be kept secure and that there are adequate procedures to prevent improper disclosure. By doing so, Dr L may face disciplinary action to be taken by the MCHK.
Scenario 2 | Lax security in maintaining medical records
Dr M is a partner of a women’s specialist clinic. Computerised medical records are maintained to enhance efficiency in the storage and retrieval of patients' information. Every employee has access to the records and they all used the same password to facilitate quick access.
Mandy, an insurance agent, was a patient of Dr M’s clinic. One day, Mandy approached the clinic assistant and sought assistance in obtaining the contact information of the patients as she wanted to promote a new medical protection plan for women to these potential policyholders. Mandy agreed to offer the clinic assistant $5,000 as a reward. Subsequently, the clinic assistant printed a copy of the contact information of the clinic’s patients retrieved from the computer system of the clinic and passed it to Mandy. The clinic assistant accepted the money from Mandy in return. Was Dr M liable for the clinic assistant’s act?
Dr M should report the matter to the Independent Commission Against Corruption for the suspected offences of Section 9 of the Prevention of Bribery Ordinance (POBO) committed by the clinic assistant and Mandy.
In addition, the clinic assistant’s act also contravened the offence of accessing the computer with criminal or dishonest intent, contrary to Section 161 of the Crimes Ordinance.
Although Dr M was not liable for the criminal offences committed by her staff, Dr M and her partners might have liabilities under the Personal Data (Privacy) Ordinance as they failed to adopt appropriate security measures to protect patients' personal data.
The Code of Professional Conduct of the MCHK (Oct 2022) also requires doctors to take every step to strengthen the control system to protect patients' information from misuse.
Doctors have a fiduciary duty to preserve patients' confidentiality. The only exception is that they are obliged to expose information that would endanger public health. If you are in doubt of whether you should disclose your patients' information to a third party, you may ask yourselves the following questions to structure your decision making process:
- Is the potential harm to other parties serious e.g. contracting infectious diseases by the patient?
- Will the breach of confidentiality prevent harm to other people?
- Will the disclosure minimise the harm to the patient?
- Is there any alternative for warning or protecting those at risk?