Moneo writes: Applying the regulations
For a while now I have been trying to come to terms with issues of divulging patient information to relevant people when necessary. Traditionally optometrists may have shared information about patients on a routine basis by means of things such as telephone calls. A common scenario may be checking patients’ NHS sight test eligibility or previous spectacle or contact lens details. Often a new patient may appear in the practice without their old spectacles or without previous contact lens details or having ‘forgotten’ when they last had their eyes tested.
At this point it would have been usual to phone the previous optician and ask for these details. Another common scenario is a patient taking their prescription elsewhere for dispensing and the dispensing outlet requiring clarification phoning the prescribing optician for that clarification. More recently has arisen the legal requirement for contact lens sellers to check and confirm details of contact lens specifications with the prescribing optician before supplying lenses to the purchaser.
The Opticians Act and the GOC fitness to practice regulations both make very specific statements on keeping patient information confidential while also making seemingly contradictory statements on the need to supply information when required to do so. Furthermore, recent legislation, namely the GDPR regulations, seem to make any desire to help the patient now impossible.
Looking first at what the Optician Act has to say about contact lens supply, the Act states that for the seller to supply contact lenses to someone the seller has to have ‘(i) the original specification; (ii) a copy of the original specification which he verifies with the person who provided it’, which on the surface seems only sensible to safeguard the purchaser. However, what does the GOC have to say about providing that information? This appears in the Fitness to Practice Rules where it states at section 14 under the heading of ‘Maintain confidentiality and respect your patients’ privacy’ that, as optometrists we should ‘14.1
Keep confidential all information about patients in compliance with the law, including information which is handwritten, digital, visual, audio or retained in your memory. 14.2 Ensure that all staff you employ or are responsible for, are aware of their obligations in relation to maintaining confidentiality. 14.3 Maintain confidentiality when communicating publicly.’ The College of Optometrists has a statement that it suggests we may want to use within our practices stating ‘We adhere to the guidelines of the College of Optometrists and the Data Protection Act and will not pass any of your personal information to a third party without your consent.’ This would, on the surface, seem to be very clear to all of us. Basically making any information available to a third party without the express permission of the patient is a breach of privacy rules.
So, on one hand we are told we need to make information available to people such as third party contact lens suppliers but on the other hand we are expressly forbidden to give that information. On top of that we now have the GDPR regulations to contend with. As optometrists and practice staff we all now undertake the role of data processors and with that role comes specific responsibilities. Most large organisations will probably have put all their staff through some form of GDPR training but I do wonder how many small practices have done the same? What are the specific rules on what we should do if a third party rings up and requests information on one of our patients? As you read this the optometrist down the road may be phoning your receptionist stating they have one of your patients with them and they just want to check when her last test was. How will your staff member react? Can you be sure they will not provide that personal information without the express permission of the patient? How will they obtain the necessary permissions? If the patient is at the other end of the phone what questions will they ask to ensure they’re talking to the correct person to obtain permission?
Traditionally most optometrists have tried to work for the benefit of their patients and not tried to be deliberately obstructive. It benefits no one to do that. However, it now seems that in the light of professional guidelines and specifically new GDPR regulations what may once have seemed a helpful stance may well now be regarded as potential serious data breaches. Such breaches may now carry significant penalties some of which could affect your employment if you are employed.
It is imperative to understand the guidance from your employer on what you should do when you receive requests for information on your patients from anyone at all. It is also vital that the GOC and the professional bodies make available unambiguous guidance on how to handle these requests. This is particularly so in the case of the GOC which currently appear to have two conflicting rules when it comes to contact lens supply which may specifically suggest us taking action and providing information to a third party that could potentially breach GDPR regulations.