Medical confidentiality and information sharing: practical guide

Introduction

Medical confidentiality constitutes one of the fundamental pillars of the relationship of trust between a patient and healthcare professionals. Yet, in a context of coordinated care and multidisciplinary teams, the question of sharing confidential information arises daily. How can we reconcile the absolute obligation of confidentiality with the need to exchange data to ensure optimal care? This practical guide clarifies the legal framework of medical confidentiality and the conditions under which information sharing is legally authorised, based on the provisions of the Public Health Code and the recommendations of the CNIL.

The legal foundation of medical confidentiality

Medical confidentiality is established by article L.1110-4 of the Public Health Code and by article 226-13 of the Criminal Code, which punishes its violation with one year's imprisonment and a fine of €15,000. This confidentiality covers all information that comes to the professional's knowledge: diagnosis, treatment, patient disclosures, but also observed or inferred elements.

It applies to all professionals working in the healthcare system: doctors, nurses, pharmacists, midwives, as well as administrative staff of healthcare establishments. The law of 26 January 2016 on modernising our healthcare system extended this obligation to professionals in the medico-social sector, creating a unified framework for protecting confidential information.

Conditions for information sharing between professionals

Information sharing between healthcare professionals is governed by article L.1110-4 of the CSP. Two distinct situations must be distinguished:

Within the same care team: sharing is presumed authorised, provided that the patient has been informed and can exercise their right of objection. The care team is defined as a group of professionals directly involved in the care of the same patient.

Between professionals not belonging to the same team: express prior consent from the patient is required, obtained by any means, including electronic means. This consent must be informed, specific and revocable at any time.

In all cases, sharing must be limited to information strictly necessary for the coordination or continuity of care, in accordance with the principle of minimisation set out in the GDPR (article 5).

Legal exceptions to confidentiality

Certain situations authorise, or even require, the lifting of medical confidentiality. The reporting of abuse of minors or vulnerable persons (article 226-14 of the Criminal Code), the mandatory declaration of notifiable diseases (article L.3113-1 CSP), or the transmission of information to the healthcare advisor of the Health Insurance Company constitute exceptions provided for by law.

However, the patient's family does not have a general right of access to medical information. Only the person of trust designated by the patient (article L.1111-6 CSP) may receive certain information, according to their expressed wishes.

Tools and best practices

The implementation of the Shared Medical Record (DMP) and the Secure Health Messaging Service (MSSanté) makes it possible to technically secure exchanges. Establishments must also adopt a health information systems security policy (PSSI-S) and appoint a Data Protection Officer (DPO), in accordance with the GDPR.

Conclusion

Medical confidentiality is not an obstacle to the quality of care but a condition of patient trust. Mastering the rules of confidential information sharing enables healthcare professionals to collaborate effectively while respecting their ethical and legal obligations. Regular training of teams and clear information to patients are essential to secure these practices.