A colleague admitted to hospital. A former patient whose outcome you're wondering about. A relative arriving in A&E. A high-profile case you’ve read about online. That information can be only moments away. But in today's digital health service, every click leaves a trace.
As employers become increasingly able to monitor who accesses patient records, nursing staff across the UK are being reminded by the RCN that a moment of curiosity, concern or poor judgement can carry serious professional consequences.
This issue has returned to the spotlight following a new NHS England (NHSE) campaign warning staff that accessing patient records without a legitimate reason could lead to disciplinary action, dismissal, referral to a professional regulator or even criminal prosecution in the most serious cases.NHSE Chief Executive Sir Jim Mackey described unauthorised access to records as a "disgraceful breach of patients' trust" and said there was "no place in the NHS" for staff who misuse patient information.
Emma Dmitriev, RCN Senior Legal Officer, tells us more.
Who can access a record – and when?
Access should usually be linked to a legitimate work purpose, such as providing direct care or supporting a clinical service.
Record access must also comply with UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Having technical access to a record does not automatically provide a lawful basis to view personal data. Staff should only access records where there's a legitimate professional reason connected to their role.
We’re hearing reports of nursing staff succumbing to morbid curiosity, as they can technically open a patient's record. However, everyone must check their moral compass and the NMC code. In short, if it feels wrong, it probably is wrong and it could lead to potentially serious consequences.
- Read next: NMC self-referral: what you need to know
For registered nurses and midwives across the UK, and nursing associates in England, confidentiality is a regulatory requirement under the NMC Code, which requires registrants to respect people's right to privacy, dignity and maintain public trust.
However, confidentiality is not solely an NMC issue. Expectations around the proper handling of patient information extend across the health care workforce, including nursing support workers and health care assistants.
NHS employers across all four UK nations have policies governing access to records, and breaches can lead to disciplinary action regardless of professional registration.
Why do people get into difficulty?
Many staff who find themselves facing investigation didn't set out to misuse patient information.
Nursing staff may know patients as friends, neighbours, relatives or colleagues. They may feel concerned about someone's wellbeing, wonder what happened after a patient was transferred, or feel drawn to learn more about a case that has generated widespread discussion in the media.
However understandable these feelings may be, they don't provide a legitimate reason to access confidential records. Under GDPR, personal data must be processed lawfully, fairly and for specified purposes.
When considering whether to access a patient's record, it can be helpful to think beyond policies, audit trails and professional codes. Nursing is built on trust, and trust depends on patients believing the information they share will be treated with respect.
Behind every news story is a person whose privacy and dignity deserve protection
In high-profile cases especially, it can be easy to forget that behind every news story is a person and a family whose privacy and dignity deserve protection. A helpful test is to ask yourself: "Would I feel comfortable if this were my own record, or that of someone I love?" If accessing information feels intrusive, unkind or inconsistent with the values of compassion and respect, it’s a sign that you shouldn't proceed.
Some of the defences we’ve heard for looking at high-profile deceased patients’ records seem to be about learning. However, this can be perceived as disingenuous, as there is a wealth of anonymised learning material available.
Excuses like this are indicative of the shame people can feel in retrospect, knowing that they have violated another person’s privacy and dignity out of curiosity. Many of the nursing staff referred to us for fitness-to-practise concerns experience shame, and the best way to deal with the matter is to be open and admit wrongdoing.
What could happen to me if I was found to be accessing patient records unnecessarily?
Nursing staff should all be familiar with the principles of ethics. The NMC code is a high level, principles-based note on ethics and not a comprehensive prescription on the right or wrong thing to do. It’s a framework for the moral compass expected as a minimum from professionals.
That said, as outlined by the Information Commissioner’s Office in the NHSE announcement, misuse of personal data is a criminal offence that can carry custodial sanction. Any criminal offence set down by parliament is the strongest measure of societal condemnation.
Patient health information is classified as special category data under GDPR and attracts enhanced legal protections. Organisations have a duty to monitor and protect access to this information, and inappropriate access can result in employment, regulatory and criminal consequences.
If concerns arise, employers may want to investigate, and the outcome of an investigation could be anything from an informal management action to restrictions on system access, formal disciplinary proceedings to dismissal.
For registered nurses, midwives and nursing associates (in England), inappropriate access to records invites regulatory concerns. Cases could be referred to the NMC and considered as part of its fitness-to-practise processes.
What could this mean for your registration?
The NMC Code is clear that nursing professionals must respect privacy and confidentiality and maintain patient dignity. You must ensure information is shared and accessed only where necessary.
While each case will be considered individually, accessing records without a legitimate professional reason could instigate regulatory intervention.
The NMC Code requires registrants to:
- respect people's right to privacy and confidentiality
- access and share information only where there is a lawful and legitimate reason
- maintain clear professional boundaries
- act as a role model of professional behaviour.
What about nursing support workers not regulated by the NMC?
Although nursing support workers, health care assistants and other nursing support staff may not be regulated by the NMC, the expectation to protect patient confidentiality is no less important.
Employers may still investigate inappropriate access to records, and staff could face disciplinary action, including dismissal in serious cases. Breaches may also affect future employment opportunities and undermine patient trust.
Confidentiality is everyone's responsibility. The same basic principle applies to all professionals; patient information should only be accessed when there's a legitimate reason connected to your role.
How can inappropriate access be exposed?
Electronic patient record systems create digital footprints when accessed. Organisations may be able to see:
- who accessed a record (which account)
- when access occurred
- what information was viewed
- patterns of repeated or unusual access.
NHSE’s new guidance states some modern systems can even generate alerts that identify suspicious activity in near real time.Organisations are also being encouraged to conduct regular audits and strengthen monitoring processes.
Although the guidance has been issued in England, nursing staff across the UK should be aware that the same core expectations around confidentiality, legitimate access and accountability apply throughout the health service.
As a result, nursing staff should assume any access to a patient record may be reviewable.
What should I ask myself before opening a record?
Here are some simple questions you can consider before accessing patient information.
- Do I need this information to do my job?
- Am I involved in this patient's care or another legitimate work process?
- Would I be comfortable explaining this access to the patient, their family, my colleagues or the regulator?
- Would this patient reasonably expect me to be looking at their record?
- Does it feel legitimate or do I feel just tempted to look? Curiosity is human but if you feel you shouldn’t be doing it, trust yourself.
If the answer to any of these questions is unclear, pause and seek advice. In today's digital systems, every access leaves a trace.
Good housekeeping
When it comes to accessing records and patient information, there are a few things you can do to protect yourself.
- Never share passwords.
- Log out or lock screens.
- Report concerns about system misuse.
- Seek advice from your manager if unsure.