While it is preferable that general practices do not have staff members as patients, sometimes this may be unavoidable. Dr Rachel Birch, medicolegal adviser at the Medical Protection Society (MPS) looks at the risks involved and your obligations to protect personal information
At MPS we sometimes get calls from our members asking about practice staff who are registered as patients of the practice and how to keep any personal information that is held on their records confidential from other team members with access to patient records.
Authorised access only
As a practice, you have a duty of confidentiality to all your patients, whether staff members or not, and should ensure that personal information held is effectively protected at all times against improper use or disclosure.
So, authorised healthcare professionals should be able to access the clinical information contained within a patient’s medical record. Other members of staff, such as the administrative team, may need access to information such as name, address, telephone number and date of birth, but not the full medical record.
There may be different degrees of access required, depending on the specific role of the staff member. You should discuss with your computer system provider how you can introduce such access controls if you do not have these in place already.
The GMC advises doctors that they must not access a patient’s personal information unless they have a legitimate reason to view it. Thus, even if clinicians have access to a patient’s medical record, they should only go into the record if there is a clinical need.
It is essential that everyone with access to personal, confidential data is aware of their responsibilities. You should ensure that all practice staff have had recent training on data protection. It is also important that all staff sign a confidentiality document stating that they will not disclose any confidential information either during or after employment at the practice.
Laying the law
As a general rule, it is preferable for practices not to have staff members as patients. However, in more rural areas, this may be unavoidable. You should explain to staff members who are patients that you will do all that is reasonably practicable to maintain their confidentiality but that there may remain a risk that another member of staff might see some of their details.
Some practices may wish to take the additional step of password protecting staff members’ medical records. However, it is then important to ensure that clinicians can access the records if they need to, such as in an emergency situation.
A final consideration is that, in some situations, there may be a potential conflict of interest if a GP acts both as a staff member’s doctor and employer. Whilst this may not present a problem for the treatment of an ear infection, it could become relevant if the staff member were experiencing stress at work and having lengthy periods of absence from the practice. In order to maintain strict confidentiality, it is important that the treating doctor does not discuss the content of clinical consultations with the other partners; the treating doctor should also exclude her/himself from any decision-making about the staff member as an employer.
If you have any concerns about staff members being patients you should contact your medical defensive organisation for further advice and support.