1. Purpose
Confidentiality matters in all of healthcare, but in sexual health it is the foundation of the service: people will only come forward to be tested and treated if they trust that their attendance and their diagnosis stay private. This policy sets out the heightened confidentiality the Service applies to sexual health, how it protects identity and records, and the narrow situations where information may be shared.
The Service must verify this policy against current BASHH and GMC confidentiality guidance and data protection law before adoption.
2. Sources to verify before adoption
- British Association for Sexual Health and HIV (BASHH), standards and guidance: https://www.bashh.org/
- GMC, Confidentiality: good practice in handling patient information: https://www.gmc-uk.org/professional-standards/professional-standards-for-doctors/confidentiality
- Data Protection Act 2018 and the UK GDPR (health and sexual-life data are special category): https://www.legislation.gov.uk/ukpga/2018/12/contents
- Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 12 (safe care and treatment): https://www.legislation.gov.uk/uksi/2014/2936/regulation/12
3. Scope
This policy applies to:
- all information about a person's attendance, testing, diagnosis and treatment in sexual health
- the records, the premises and the conversations of the Service
- everyone who works in or for the Service, clinical and non-clinical
4. Heightened confidentiality
The Service treats sexual health information with particular care:
- the fact that a person has attended, and what they were seen for, is not disclosed to anyone, including their GP, without the person's consent, except in the narrow situations in this policy
- the person is asked, not assumed, whether information may be shared with their GP or others, and that choice is recorded and respected
- staff do not discuss a patient where they can be overheard, and do not look at records they have no need to see
5. Protecting identity and records
- records are stored securely with access limited to those who need it for the person's care, and access is auditable
- the Service is careful with names in waiting and reception areas, with messages, and with any contact it makes, so that attendance is not revealed to family, partners or others
- the Service confirms how the person wishes to be contacted, and uses only that method
- the loss or exposure of sexual health information is treated as a serious data breach and reported at once
6. When information may be shared
Information may be shared without consent only in the narrow situations the law and professional guidance allow, and only to the extent needed. These include:
- a safeguarding concern about a child or an adult at risk (see the under-18s and safeguarding policy)
- a serious risk to the patient or another identifiable person, weighed in the public interest
- a legal requirement, such as a notifiable infection or a court order
Where the Service shares information in one of these situations, it records what was shared, with whom and why, and tells the patient unless doing so would increase a risk.
7. Partners and third parties
The Service does not reveal one patient's information to a partner. Partner notification is done in a way that protects the index patient's identity (see the partner notification policy). Where two people attend together, each is offered the chance to be seen alone, and neither is told the other's results without consent.
8. Young people
A young person's confidentiality is respected on the same basis as an adult's, subject to the safeguarding duties and the assessment of competence in the under-18s and safeguarding policy. A young person is told what confidentiality they can expect and the limits of it.
9. Training
Everyone in the Service is trained in confidentiality, including the heightened expectation in sexual health and the narrow disclosure exceptions, at induction and on a refresher cadence. The Service records completion and the next refresher date.
10. Audit cadence
The Service checks, on a stated cadence, that:
- attendance and diagnosis are not disclosed (including to GPs) without recorded consent
- records are stored securely with auditable, need-to-know access
- contact and reception practice protects patients' identity
- any disclosure without consent fits an allowed exception and is recorded
- confidentiality breaches are reported and learned from
The Registered Manager and the clinical lead review the results and record the improvement actions that follow.