Can I Share Information About Patients or Staff with Other Providers or Bodies During the Pandemic?
The Secretary of State is able to make special orders about the collection and dissemination of confidential information
The SoS has done just that in relation to the processing and sharing of patient information for COVID-19 purposes
The order requires health organisations to process and share information between themselves and other bodies for the following purposes;
Understanding, monitoring, controlling COVID-19
Identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19;
Understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care;
Monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services;
Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
In terms of what collection and sharing might be covered, the NHSE flow chart around management of cases provides some examples.
You can see that it requires monitoring of cases and reporting to PHE and 111 in certain scenarios.
These are obviously scenarios where the sharing has been legitimised by the above order and you can proceed without concern for the duty of confidentiality or seeking consent.
There may be other ways in which your practice can monitor cases, notify third parties that may be at risk, prevent further spread such as making pharmacies or staff members aware if a patient is infected and so on.
As long as any of your intended actions align with the purposes above, you must process and share the information as part of the wider effort around the outbreak.
Additionally, do keep a record of any data collection and disclosures you make related to the COVID-19 outbreak and notify your DPO of particular disclosure schemes or projects where possible.
What If The Person I Am Sharing With Does Not Have NHS Mail?
There may be times when you are sharing information with providers or bodies that do not have NHS Mail such as volunteer or community organisations. You may prefer to exchange information through video or telephone for example if this is reasonable to achieve. If email is the most practical route, then you could use the NHS Encryption route described at Appendix E in the attached protocol .
If there is an urgency that means the NHS Encryption route is not appropriate, then you should take the additional security steps;
1. Double check the email address and seek to gain an individual address rather than a general one such as info@XXX.co.uk.
2. Ask the person to reply to confirm receipt and to confirm that they have downloaded any attachment into their server and not left within their email storage.
If in any doubt, click here to contact your DPO .