Confidentiality – Disclosure to Third Parties: Medical Indemnity Guidance
Article

Confidentiality – Disclosure to Third Parties: Medical Indemnity Guidance

11 June 2026 9 min read

Doctors have a legal and ethical duty to keep all information relating to patients secure. However, whilst the duty of confidentiality is an important principle, it is not without exceptions. Breaches of confidentiality, whether inadvertent or deliberate, are one of the most common triggers for GMC investigations and medicolegal claims, making this an essential area for anyone holding medical indemnity insurance.Exceptions to the duty may arise where disclosure is required by statute, is ordered by a judge or presiding officer of a court of law or under a doctor’s ethical or co111ractual obligations. If a doctor decides to disclose information without consent, they should be prepared to jus1ify their decision.

The General Medical Council (GMC) sets ou1in Confidentiality: good practice in handling patient information the principles of confidentiality and respect for patients’ privacy that doctors are expected to understand and follow.

The GMC confirms that doctors may disclose patient information, where:

  • the patient has capacity and consents to the disclosure for the sake of their care or clinical audit
  • it is required by statute, such as in relation to certain communicable diseases
  • it is required by a court order
  • it is justified in the public interest.

Disclosure with consent

Most disclosures of confidential information require a patient’s consent, including:

  • Sharing information with other members of the healthcare team.
    • The doctor should explain to the patient the reason for1he disclosure. If a patient objects to the transfer of information, but it is deemed necessary, the doctor should explain that they cannot arrange referral or treatment by another healthcare provider without disclosing the information.
  • Discussing the patient’s diagnosis or care with family members and carers.
  • Using case studies or images for research, education, training and clinical audit.
    • If a doctor provides patient information pursuant to any of these activities, the information must be anonymised or coded before it is disclosed outside the healthcare team. If that is not possible, a doctor must make sure a patient is told about the disclosure in advance and given the opportunity to object A doctor must respect a patient’s wishes in respect of the disclosure.
  • Writi11g reports for insurers or the patient’s employer.
  • Disclosing medical records to solicitors.
    • Solicitors may contact a clinician for disclosure of medical records. A release of records must only be with the consent of the patient. If the patient is the solicitor’s client, the doctor should treat the disclosure as a subject access reguest (SAR). They must be satisfied that the solicitor has provided evidence of the patient’s consent to the disclosure and be satisfied that the patient understands the scope of the request. If the clinician is concerned that the consent may not be valid, they must address this with1he solicitor or directly with the pa1ient, if appropriate. If in any doubt, PMP clients should contact the PMP medicological helpline for advice.
  • Release of information to the media or online.

If the patient does not consent 10 the disclosure of information,1he doctor should respect that decision, excep1 where failure to make the disclosure

would put the patient or others at risk of serious harm.

If you are ever unsure whether a particular disclosure is appropriate, contacting your medical indemnity insurance provider before acting is strongly advisable. PMP’s medicolegal helpline is available 24/7 for exactly these situations.

Disclosure without consent

In certain limited circumstances, a doctor will be required to disclose patient information by law or in the public Interest (to protect the patient, other identifiable people or the wider community). A doctor should inform the patient in advance of such an intended disclosure unless this would cause the patient serious harm or undermine the purpose of the disclosure.

A doctor must disclose patient information where required by law: for example, if the disclosure is pursuant to a court order or infectious disease notification, or if a doctor holds a reasonable belief that a crime involving a sexual assault or other violence has been committed against a child or other vulnerable person.

The disclosure should be limited to the minimum information and least number of people necessary.

If a patien1 lacks the capacity to give consent and is unlikely to regain capacity, the doctor should consider making a disclosure only if it is in the best interests of the patient. If disclosing without consent, the discussion with the patient and the reasons for the decision should be carefully documented and retained.

Disclosing information after a patient has died

Doctors should be aware that pa1ien1 information remains confidential even after death.

If it is unclear whether a patient consented to the disclosure of information after their death, consider:

  • how the disclosure might benefit or cause distress to the family or carers
  • the effect of disclosure on the reputation of the deceased
  • the purpose of the disclosure.

A doctor’s discretion may be limited if disclosure of a patient’s record is required by law, such as:

  • to help a coroner, procurator fiscal or another similar officer with an inquest or fatal accident inquiry
  • on death certificates
  • when a personal representative of the patient, such as an executor or administrator of the estate, makes an application for access to the health record, under the Access to Health Records Act 1990 or Access to Health Records (Northern Ireland) Order 1993,_unless an exemption applies. (The exemption would be if the patient clearly stated in life that they would not wish such a disclosure to be made.)
  • when disclosure is necessary to meet the statutory duty of candour.

Generally, doctors may face difficult decisions regarding:

  • access requests from patients and third parties
  • record disclosure of a deceased patient.

Each case should be considered on an individual basis, and doctors should always act in the patient’s best interests.The GMC states in Confidentiality; good practice in handling patient information, para 136:

“In other circumstances, whether and what personal information may be disclosed after a patient’s death will depend on the facts of the case. If the patient has asked for far information to remain confidential, you should usually abide by their wishes. If you are unaware of any instructions from the patient

vhen you are considering requests for information, you should take into account:

  1. Whether disclosing information is likely to cause distress to, or be of benefit to, the patient’s partner or family
  2. Whether the disclosure will also disclose information about the patient’s family or anyone else
  3. Whether the information is already public knowledge or can be anonymised or de-identified
  4. The purpose of the disclosure”

The police

In most cases, information should only be disclosed with the patient’s consent.

However, there are limited exceptions justified in the public interest when information can be provided ,without the patient’s consent, eg:

  • When the police have obtained a valid court order compelling a clinician to disclose information.
  • Clinicians are obliged to inform the police whenever a patient presents with a gunshot or knife wound. This information is required to assist the police in collating statistical information. The patient’s name and address should not be disclosed at “this initial reporting. Knife injuries tha1are accidental or self-inflicted do not need to be reported. The GMC provides guidance on when10 report incidents involving guns or knives

in Restorring gunshot and knife wounds.

  • It is important to remember that in the event of treating a patient following a knife crime, just because the police arrive and ask for some identifiable information, i1 does not mean that the clinician must provide this. If the clinician thinks that disclosure may be required, they should first consider what exceptions there are to the duty of confidentiality. Such as:
    • Consent – Could the doctor ask the patient for consent to disclose? They need to consider if, by doing so, they would put themselves or others in the department at risk.
  • Law – do the police have a court order or warrant? If not, there is no legal duty to disclose.
  • Public Interest – the doctor may disclose without the patient’s consent if they believe that disclosure is justified in the public interest, ie, if the disclosure is likely to assist in the preven1ion, detection or prosecution of a serious crime or if failing to disclose may put someone other than the patient at risk of serious harm or death.

If you are involved in a patient safety incident, receive a complaint, or become aware of a claim or potential claim, you must complete a claims notification form as soon as possible so our claims team can review the matter promptly. 

If you require advice or guidance relating to the situation, please contact the PMP medicolegal helpline. Our experienced team is available 24 hours a day, seven days a week to provide immediate support and assistance. 

Reviewed and updated March 2026

Originally published September 2021

This document does not constitute legal or medical advice and should not be construed as rules or es1ablishing a standard of care. We recommend that you seek independent legal and/or professional advice in relation to your legal or medical obligations or righ1s. Premium Medical Protection Limited is the owner of this material and its contents are protected by copyrigh1 law© 2022. All such rights are reserved.

For more information regarding the hyperlinks referenced in this document, click here

Get a quote Apply now