Physicians’ Handling of Patients’ Health Information: Ethics and Law of Confidentiality

Chapter 6
Physicians’ Handling of Patients’ Health Information: Ethics and Law of Confidentiality

Obiajulu Nnamuchi


To appreciate the significance of this chapter, one needs to locate its subject within the broader context of quality of health services patients and their families receive or ought to receive at the nation’s health facilities. Beneath all the abstractions and theorizations, the ultimate goal of prescriptive rules of ethics and law pertaining to confidentiality of medical information is to improve the qualitative aspect of a health system, or, at least, certain elements of it. This is critical, because, in many cases, the kind of relationship that shapes clinical experience is equally as important to the healing process as the treatment itself. Even where its scorecard on access is improving, a health system that fails to invest in the quality of its services, surely, suffers a serious deficiency. For countries that are parties to the International Covenant on Economic, Social and Cultural Rights,1 including Nigeria,2 provision of quality health services is not an act of charity; it is a legal obligation.3 An essential component of this obligation, termed ‘acceptability’ by a United Nations (UN) body,4 is that service delivery shall be respectful of medical ethics as well as the culture of the people served.5 This requirement, that service delivery must be respectful of the cultural practices and sensibilities of the people served, indicates that cultural specificity is a vital element of healthcare delivery, meaning that subjecting relevant concepts, such as confidentiality of health information, to the beliefs and practices of service beneficiaries is compatible with, and indeed required by, international law.

Physicians’ ethical code of conduct, perhaps more than any other formal arrangement in a healthcare setting, ensures that quality is maintained throughout the therapeutic chain, for instance, by requiring physicians to maintain confidentiality of information revealed to them by patients in their care. Although the Code of Medical Ethics in Nigeria recognizes this obligation, the contours of the obligation are not clearly defined.6 Moreover, the law that would govern this important aspect of clinical practice is still evolving. This chapter is a contribution to the evolutionary process, not only to the development of relevant legislation but also related ethical regime. To achieve this objective, the chapter examines existing legal and ethical frameworks in the nation, albeit rudimentary, in light of the practice in other countries, and advocates for a Nigerian-centric system – that is, a system rooted in traditional African morality and cosmology. In other words, the chapter proposes a kind of framework produced by subjecting the dominant legal and ethical traditions to the cultural sensibilities, attitudes and beliefs of the people whose health and lives would be affected by it.

The chapter consists of six sections. Following this introduction, the second section analyses the concepts of privacy and confidentiality. It discusses the peculiar features of each concept and points out relevant distinctions. The third section examines whether physicians have an obligation to warn sexual or needle-sharing partners of patients who are HIV positive of their risk of infection. Starting with the United States, the section highlights how courts in other jurisdictions, including Canada and Great Britain, would approach the question. Continuing the theme, the fourth section speculates whether courts in Nigeria would embrace the position adopted by other common law jurisdictions or develop its own distinct jurisprudence. The section provides a response to this concern by x-raying arguments on each side of the question and identifying the weaknesses. In the fifth section, the chapter maps out a skeletal framework that would guide the nation’s policymakers in crafting an indigenous jurisprudence on the subject. Positing the concept of African personhood as a foundation for African communitarian morality, the chapter argues against uncritical acceptance and application of principles, rules and precepts that were developed in a socio-cultural environment that is alien to the orientation and shared experiences of the people whose conduct the frameworks seek to regulate. Along the same trajectory, the chapter holds in its sixth and concluding section that even though it is legitimate for guidance to be sought in the practice of more established systems, the design and sculpture of a system that would guide clinical relationships in Nigeria must be anchored to the socio-cultural and cosmological realities of its people. That is, except in those rare instances where disclosure to third parties would likely have significant deleterious impact on patients, confidentiality rules should be tailored to meet the communitarian orientation and expectation of family members and relatives of patients.

Delineating Related Concepts: Privacy and Confidentiality

One of the most enduring pillars of medical practice is the obligation to protect patients’ confidentiality and privacy. This is an ethical as well as a legal duty incumbent upon practitioners of medicine for the benefit of patients. The obligation dates back at least several millennia and, over the years, has come to represent a crucial element of clinical practice. Confidentiality and privacy are interrelated concepts. Their common origin (or rationale for existence) derives from the need to protect human dignity and autonomy. For information to warrant confidential protection, it must meet a certain threshold. The information must be of a private nature, relating to something personal about the patient, and not freely available in the public realm. But despite this close kinship, privacy and confidentiality are not synonymous; each of them retains distinct characteristics.


Though not always so regarded, privacy is now widely recognized as a fundamental human right. The expectation that certain things we do ought not be the concern of others – in short, ‘nobody’s business’ – is innate to humanity. Entitlement to a ‘private space’ is a universally shared value, observed even in primitive societies. The necessity for clothes, whether approached from Christian or secular morality, was informed by concern for privacy of certain body parts. Designed to protect individuals in the conduct of their personal affairs, privacy is seen as a core element of human autonomy, the essence of human freedom. Indeed, as Justice Douglas asked nearly 40 years ago, ‘[i]f a man’s privacy can be invaded at will, who can say he is free?’7 The term ‘privacy’ originates from the Latin privatus, meaning ‘cut off from others; apart from the state … peculiar to one’s self … not public; retired from observation; secret …’8 Of particular interest to this study is the second leg of the definition – ‘apart from the state’, which invokes the ancient roots of formal concern for privacy. The building blocks of this concern date back at least four centuries. Sir Edward Coke’s famous enunciation in Semayne’s Case set the tone: ‘[t]he house of everyone is to him as his castle and fortress, as well for his defence against injury and violence as for his repose’.9 But it was the subsequent case of Entick v Carrington that firmly established privacy as a protected interest under common law. As Lord Camden explained:

The great end, for which men entered into society, was to secure their property. That right is preserved, sacred and incommunicable in all instances, where it has not been taken away or abridged by some public law for the good of the whole … By the laws of England, every invasion of private property, be it ever so minute, is a trespass. No man can set his foot upon my ground without my license, but he is liable to an action, though the damage be nothing ….10

Two years earlier, in a parliamentary speech, William Pitt, Earl of Chatham declared:

The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail – its roof may shake – the wind may blow through it – the storm may enter – the rain may enter – but the King of England cannot enter – all his force dares not cross the threshold of the ruined tenement!11

Though traces of interests related to privacy can be found in common law,12 the idea of privacy as a distinct basic right was first propounded by Samuel Warren and Louis Brandeis (later United States Supreme Justice) in a seminal article published over a century ago.13 Warren and Brandeis defined privacy as a ‘right to be let alone’.14 That is, the right to be free from interference in the pursuit of one’s freely chosen goals. Of the inviolable nature of this right, the United States Supreme Court recently reiterated ‘that a man’s house is his castle’ against which everyone, even the poorest man, is entitled to prevent anyone, including agents of the state, from encroachment.15 Historically, privacy was invoked under common law to shield individuals from unlawful interference with their property by the Crown, although the claim was often not respected by the Crown or its agents. In fact, one of the broadest constitutional safeguards against invasion of privacy was inspired by the encroachment upon this right by King George III.16 This broad provision, the Fourth Amendment to the United States Constitution, stipulates:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.17

Until the middle of the twentieth century, the ambit of the Fourth Amendment was limited to proprietary interests.18 It was the landmark case of Katz v United States that expanded the reach of this important constitutional provision to protect not only property but also people.19 Over the years, as the United States Supreme Court continually developed, nurtured and refined the jurisprudence of this right, two types of privacy-related protections have emerged, namely, decisional privacy and informational privacy.20 Beginning with Griswold v Connecticut (in which the Supreme Court of the United States held, for the first time, that the Constitution protected a right to privacy – in this case, marital privacy regarding use of contraceptives),21 the ambit of privacy rights in the United States has sprouted to other areas, including, for instance, the right to abortion.22 Other instances of decisional privacy include freedom to choose or refuse medical treatment,23 the right to die,24 the right to possess obscene material25 and, more recently, the right to consensual homosexual relationship.26 Today privacy rights are protected constitutionally or statutorily in all democratic nations as well as by regional and international human rights instruments.27

Informational privacy, on the other hand, protects the right of individuals to determine the kind of information collected about them and, once collected, the use to which the information is employed. Informational privacy has been described as a restraint on government’s ability to ‘discover and/or disclose personal information’.28 Restraint on executive power to collect and disseminate private information about citizens is critical to privacy protection and is a common feature of modern constitutions. The Nigerian Constitution is quite explicit: ‘The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected’.29 The broad tone of this provision clearly evidences that private information, including patients’ health information, is constitutionally protected in Nigeria.

There are two dimensions of the right to privacy – positive and negative.30 A positive right to privacy denotes a right to ‘control access to and/or distribution of personal information, property, and or knowledge of personal behaviors’.31 Each individual is entitled to a ‘zone of privacy’ upon which no one may intrude in absence of his or her permission.32 Eating habits, sexual preferences or choice of dressing are considered private matters that may not be interfered with except for a justifiable cause.33 Everyone has a right to restrict access to, and distribution of, his personal information, health or otherwise. In its negative incarnation, on the other hand, the right to privacy refers to the freedom from interference in one’s freely made and lawful choices, decisions or actions. A negative right to privacy is the more familiar understanding of the concept. Tersely put, ‘it is the right of the individual … to be free from unwarranted … intrusion’,34 whether by the government, private individuals or any other entity. In clinical practice, privacy is assured to patients by providing consultation and treatment in appropriately secluded areas (behind closed doors or pulled curtains), away from the prying eyes and ears of anyone not involved in providing care.


Nature of confidentiality

Confidentiality is encapsulated within the broader concept of privacy. To warrant confidentiality protection, the information, transaction or conduct in respect of which the claim is made must be of a private nature. In other words, only private matters merit confidentiality protection. As Lord Goff (of Chieveley) proclaimed in Attorney-General v Guardian Newspapers (No.2):

[A] duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.35

That is to say, actual knowledge of the confidential nature of the information is not essential. Constructive knowledge would suffice. What then is the difference between privacy and confidentiality? The distinction between the two concepts lies in the nature of the breach, the action or conduct which breaches the obligations imposed on the duty bearer. Confidentiality is breached upon failure on the part of the recipient of sensitive information (physician or hospital) to protect it or when there is a deliberate disclosure of the information without the consent of the originator of the information.36 Violation of privacy, on the other hand, occurs when an unauthorized person gains entrance to a record room or access to the data bank of a health facility.37

Medical confidentiality is an ethical as well as a legal concept which requires that information communicated by a patient to his physician (or any other health professional) in the course of treatment shall not be disclosed to a third party without the consent and authorization of the patient, except where disclosure is required by law or professional ethics. The obligation to respect patients’ confidences has ancient origin. It is believed to have been formalized by Hippocrates, who is widely regarded as the father of medicine. The Hippocratic Oath, attributed to Hippocrates or one of his students, expressed the obligation in these terms:

I SWEAR by Apollo the physician, and Aesculapius, and Health and All-heal, and all the gods and goddesses, that … [w]hatever, in connection with my professional practice or not, in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.38

This oath, described as ‘the most admired work in Western European medical ethics’, survives till this day and is administered, in modified forms, throughout the world.39 The modern form of the oath is contained in the Declaration of Geneva, which was first adopted in September 1948 by the 2nd General Assembly of the World Medical Association, but has undergone several revisions, the last in 2006.40 It is this version of the oath that is being sworn to in most countries, including Nigeria. The oath to which graduating medical and dental students in Nigeria subscribe, as contained in the Medical and Dental Council of Nigeria (MDCN) Code of Medical Ethics, is a restatement of the Declaration of Geneva:

I SOLEMNLY PLEDGE to consecrate my life to the service of humanity … I WILL PRACTISE my profession with conscience and dignity; THE HEALTH OF MY PATIENT WILL BE my first consideration; I WILL RESPECT the secrets which are confided in me, even after the patient has died.41

Aside from recognizing the duty to maintain patients’ confidences, the Code of Medical Ethics in Nigeria lays down three useful guidelines for physicians asked to disclose medical information. In complying with the request, physicians are to observe the following rules:

(a) Seek the patient’s consent, whenever possible, regardless of the physician’s opinion as to whether the identity of the patient could be revealed from the disclosure;

(b) Anonymize the data except where the patient’s identity is needed; and

(c) Keep disclosures to the minimum required to achieve the purpose.42

The general rule, endorsed by the Code of Medical Ethics in Nigeria, is that in making disclosure, the consent of the patient, as far as possible, shall be obtained in writing.43 Having the patient evidence his consent in writing has obvious legal advantages in terms of subsequent denial by the patient or his family that the disclosure was authorized. This poses no problem in countries where a significant number of people can read and write. But in societies with a high population of illiterates, obtaining consent in the form of the signature of the patient might not always be possible. In such cases, where the patient is unable to read and understand the consent form, the health facility is required to appoint someone to read and explain the content to him. As for signature, a thumbprint (usually an imprint of the right thumb) or any other mark, such as ‘x’, that the patient intends to represent his signature would suffice.

Confidentiality obligation arises in various forms and contexts. The most common is where the parties enter into a contract and the terms require them to keep information exchanged between them secret. Such contracts can be explicit or implied. In clinical practice, the duty to maintain confidentiality of patient information is not explicit; instead, it is implied by the nature of the relationship (fiduciary) between patients and physicians. In consideration for payment made by the patient, the physician implicitly covenants to render services with due diligence and reasonable care, including safeguarding confidential information, failing which an action for breach of contract may lie against him. But ‘the obligation to respect confidence is not limited to cases where the parties are in contractual relationship’.44 Confidentiality obligation can be imposed by law – statutorily or constitutionally45 – or arise through other means.

Among these ‘other means’ – sources of the duty to maintain patients’ confidences – is tort law. The physician–patient relationship imposes upon the physician the duty to take reasonable care in performance of the services for which he was hired. This duty, as the cases examined subsequently will demonstrate, is consistent with ordinary negligence rules so that in weighing whether an action for unlawful disclosure of confidential information could successfully be maintained against an erring physician, the following questions are paramount: (a) Did the physician fail to exercise reasonable care in not keeping the information private? (b) Was it reasonably foreseeable that disclosure would harm the patient? (c) Did harm or loss befall the patient as a result of the disclosure? An affirmative response to these questions makes it likely that the physician would be found liable.

A duty of confidentiality is also created by professional ethics. The ethical codes of virtually all professional organizations whose members provide care to patients specify protection of confidence as one of the ethical obligations of members. The Hippocratic Oath, cited previously, is a typical example. Another example is the Code of Professional Conduct for Nurses and Midwives in Nigeria which mandates them to ‘[k]eep information and records of the client confidential except in consultation with other members of the health team to come up with suitable intervention strategies or in compliance with a court ruling or for protecting the consumer and the public from danger’.46 Therapeutic relationship is based on trust. The patient believes that his or her welfare is the driving force of the interaction and, therefore, the physician would not do anything, such as release without authorization his or her personal information, which would damage the relationship. For physicians, their first ethical obligation is primum non nocere (first do no harm) – a moral injunction against conduct that may detrimentally impact patients. The distinction between obligations arising from professional ethics and those deriving from contracts, legislation or tort is that, unlike the latter, professional obligations are not legally enforceable. The only remedy available upon breach of professional ethics is disciplinary proceedings against the offending individual.

Even in the absence of a contract, physicians owe patients an obligation to keep their medical information secret under the equitable duty of confidence. Although the origin of this doctrine is antiquated, its application remains strong.47 The modern foundation of the doctrine was laid out in Saltman Engineering Co. Ltd. v Campbell Engineering Ltd. where, in upholding an action for breach of confidence despite lack of contract between the parties, Green MR declared:

The information, to be confidential, must, I apprehend, apart from contract, have the necessary quality of confidence about it, namely, it must not be something which is public property and public knowledge.48

However, it was the case of Coco v A.N. Clark (Engineers) Ltd. which fully expounded the doctrine.49 There, Megarry J (as he then was) developed an influential tripartite framework of analysis of the essential elements necessary to sustain a cause of action for breach of confidence, where there was no contract between the parties.50 First, the information alleged to have been wrongly disclosed must ‘have the necessary quality of confidence about it’.51 Second, the information must have been imparted in circumstances importing an obligation of confidence.52 And, third, there must be an unauthorized use of that information to the detriment of the party whose private information was wrongly disclosed.53 In the context of therapeutic relationship, the information must be of such a nature that it is clear between the parties that confidentiality was intended. Information that is available to the public, for instance, would not qualify – as would be the case where the patient makes clear to the physician that the information should not be considered privileged or the physician explicitly informs the patient, prior to receipt of the information, that he would not treat the information as having been divulged to him in confidence. Outside these situations, the default position remains, as Baroness Hale articulated in Campbell v MGN Ltd:54

It has always been accepted that information about a person’s health and treatment for ill-health is both private and confidential. This stems not only from the confidentiality of the doctor–patient relationship, but from the nature of the information itself.55

Cases might arise in which although the physician has improperly disclosed patient information, for instance, to an unauthorized individual or institution, the action would not give rise to a legal action. As a matter of law, so long as no detriment is suffered by the patient as a result of the disclosure, an action for breach of confidence would not be successful. But ethics treats such disclosure differently. Ethics is rooted in morality, with the result that what constitutes harm as a matter of ethics is different from a legal harm. One could be harmed by the action of another, even though the action complained about is inadequate to sustain a legal action. De minimis non curat lex (the law does not concern itself with trifles) is a legal, not an ethical, principle. Therefore, even if considered trifling in the legal domain, in the sense that it does not rise to the level of what could appropriately be considered a legal wrong, information about a patient should not be disclosed where such disclosure holds no benefit for the patient.

The obligation to maintain patients’ confidences is perpetual. The Code of Medical Ethics in Nigeria prohibits physicians as well as their employees from accepting employment which would involve the use of patient confidences for the benefit of physicians or their employees or that would disadvantage the patient unless the patient’s consent was obtained – and this rule remains the same regardless of whether the information is available from other sources.56 Even if doctors move to a different facility or their employment is terminated, doctors are still barred from disclosing information confided in them by patients.57 Death of the patient does not extinguish the obligation,58 except where consent was previously given or release granted by representatives of the deceased. There might be cases where physicians find themselves in situations where the duty to maintain confidences constitutes an obstacle to fully discharging their duties to former or new patients. An instance would be where a patient, diagnosed with a deadly transmissible disease such as HIV, refuses to voluntarily notify his spouse, who is also the physician’s patient. In such cases, the proper course of action is resignation from the position.59 Aside from consent, the only other circumstance that would trigger the demise of confidentiality obligation is when the originator of the information (patient) publicizes it.


Medical confidentiality can be justified on a number of grounds. The first justification is based on the principle of autonomy. The word ‘autonomy’ is a derivative of Greek autos (self) and nomos (rule, governance or law) and was used originally in reference to self-rule or self-governance of Greek city-states.60 Relatedly, in moral philosophy, individual autonomy means the capacity of every individual to decide how to live his or her life without interference from any other person or entity. Autonomy encompasses diverse concepts such as ‘self-governance, liberty rights, privacy, individual choice, freedom of the will, causing one’s own behaviour, and being one’s own person’.61 The moral principle of autonomy (or respect thereof) requires that so long as individuals act intentionally, rationally and competently, respect must be accorded their choice of actions or decisions, including decisions to keep certain information about them private. Claim of autonomy speaks to human dignity – what may or may not be done to an individual. Would certain kinds of information adversely impact a person’s dignity if shared with an unauthorized third party? Surely, the response must be affirmative; and, as an example, one may cite private medical information in possession of one’s physician. The correlative obligation on others to respect the exercise of the right to autonomy imposes some restraint, in the context of medical information, on physicians and other health professionals in their dealings with information gathered as a result of clinical relationships.

The second justificatory ground for confidentiality of medical information rests upon a consequentialist argument.62 Uncertainty as to whether sensitive information confided in physicians would be divulged to others could operate as a disincentive against seeking care. Individuals might be concerned about embarrassment or stigmatization that could result if certain information about them becomes public. Depending on the nature of the information, some might be concerned about possible criminal sanction (arrest and prosecution) or being shunned by friends, family members or even colleagues. Individuals entertaining these fears would likely not be forthright as to their medical condition, making diagnosis and treatment unnecessarily difficult.63 Others might not seek care at all, jeopardizing their health and that of the entire population in cases of communicable diseases. On this point, the European Court of Human Rights was quite emphatic:

It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community.64

In essence, the Court is suggesting that the basis for the confidentiality rule is to shield society from the detrimental consequences that would be triggered by individuals’ refusal to seek treatment for diseases, including communicable types like HIV/AIDS, on account of fear of their status subsequently becoming known by others.

Fidelity-based argument provides the third justification for the confidentiality rule. The relationship between physicians and patients is built on fidelity, the idea that certain promises are implicit in the relationship and must be kept. In return for full and truthful disclosure of illness and other information that might have a bearing on the illness, the patient expects that the information would be secure in the physician’s custody, that the physician would faithfully guard against the possibility of the information falling into the wrong hands or wrong ears. The Hippocratic Oath and contemporary versions pledge to the whole world that when illness strikes, they can count on physicians to use their best effort in attending to their conditions and that sensitive information obtained in the course of treatment will be kept secret.

Exceptions to confidentiality

Despite its importance to a productive and satisfying patient–physician relationship, the rule prescribing confidentiality of medical information does not impose an absolute obligation. Instead, the rule imposes a prima facie obligation – that is, an obligation that may be overruled by a superior one.65 In the specific context of confidentiality, the elucidation of Lord Goff (of Chieveley) in Attorney-General v Guardian Newspapers (No.2) is particularly poignant:

[A]lthough the basis of the law’s protection of confidence is that there is a public interest that confidences should be preserved and protected by the law, nevertheless that public interest may be outweighed by some other countervailing public interest which favours disclosure. This limitation may apply … to all types of confidential information. It is this limiting principle which may require a court to carry out a balancing operation, weighing the public interest in maintaining confidence against a countervailing public interest favouring disclosure.66

A more concrete restatement of the non-absolute nature of confidentiality obligation is provided by the European Convention on Human Rights.67 In addition to recognizing the right to privacy,68 the treaty requires:

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.69

Although the ambit of the treaty is certainly broader than the specificities of medical confidentiality, the provision does identify key circumstances where it would be ethically and legally permissible to breach confidentiality. The Nigerian National Health Act (passed by both legislative Houses and awaiting the President’s signature) forbids disclosure of medical information save in the following circumstances, namely, the patient consents in writing, the disclosure was made pursuant to a court order or legal requirement, or to prevent a serious threat to public health.70 In addition, the Code of Medical Ethics in Nigeria permits breach of confidentiality to protect the patient or the community from danger, where statutory notification of diseases is required and to prevent the commission of a crime.71 These and other circumstances not explicitly identified above, but which have gained widespread acceptance, constitute exceptions to the rule, and to which we now turn.72

1. Consent. In a claim for breach of confidentiality, evidence that the patient consented to the disclosure of her medical information would completely absolve the physician of any wrongdoing. Consent, as an exception, echoes the common law doctrine volenti non fit injuria (no injury can result to one who consents), a doctrine that shields a person accused of wrongdoing from liability on the basis that the person claimed to have been wronged did in fact consent to the ‘wrong’. Consent may be direct (as where the patient personally authorizes disclosure) or indirect (through the patient’s surrogates). The best form of consent, as previously indicated, is that which is expressed in a written document, although verbal consent will suffice where the former is not feasible.

2. Emergency cases. A second exception to the confidentiality rule arises in the context of emergency medical treatment, typically when an individual is brought to the emergency room of a hospital in an unconscious state. Because the requirement that consent to disclosure be given in a written form and in a fully informed state cannot be satisfied when the patient is unconscious, it is permissible to obtain the patient’s records from any source so long as the information would aid in treatment. Let us assume, for illustrative purposes, that Miss X, a victim of an automobile accident, was rushed to the emergency room of a nearby hospital. Minutes are ticking by, yet, Miss X remains unresponsive to treatment. When asked, Mr Y, a cousin of Miss X, who had brought her to the hospital, indicated that her primary care physician works at a health facility a few kilometres away. In this situation, it is perfectly appropriate for the ER doctor to request the record of Miss X and for the primary care doctor to release the documents irrespective of the failure to obtain Miss X’s consent.

3. Protection of health professionals. Confidentiality may be breached to protect the healthcare team in charge of the patient. This would be the case where the nature of the patient’s condition requires that those treating him adopt higher than routine precautionary measures to lessen their exposure to the patient’s illness. An attending physician whose patient is HIV positive or suffers from Hepatitis B or Hepatitis C would not be at fault for disclosing the positive status of the patient to the surgical team to which the physician referred the patient. Given that these conditions are lethal and highly transmissible, the surgical team ought to be apprised of the information so that they can adopt procedures that would, as far as possible, reduce their risk of exposure to the patient’s bodily fluids.73 Hospital accidents involving surgical instruments, such as needlestick injury (wound caused by accidental puncturing of skin with a needle), are not uncommon. According to the Canadian Center for Occupational Health and Safety, as much as one-third of nursing and laboratory personnel in some hospitals fall victim to such injuries annually.74 Protecting health professionals from adverse conditions that might result from such accidents is an ethical as well as a legal obligation.

4. Legally required disclosure. In some situations, the duty to respect confidentiality of medical information collides with the demands of the law or state policy. In such cases, the need to comply with the law leads directly to breaching patient confidentiality. In other words, the disclosure of confidential medical records pursuant to a legally imposed obligation excuses an otherwise illegal disclosure. The need to promote public health is a typical example. Like other African countries, Nigeria has incorporated the Integrated Disease Surveillance and Response (IDSR) strategy75 as a vital component of its long-term plan to improve capacity for effective detection and timely response to priority communicable diseases.76 The country’s IDSR system designates 40 diseases or conditions of public health importance as reportable diseases. By the instrumentality of this process, a duty is incumbent upon health providers, knowing of or in attendance on a case or suspected case of any of the 40 diseases or conditions to report the occurrence of these diseases to designated health officials and departments without the need to obtain consent from affected individuals.77 In addition to disclosures required as part of the public health approach to control or containment of diseases, physicians, like everyone else, are subject to a legitimate order issued by a court of competent jurisdiction. A court order compelling the release of medical records to the court or anyone else supersedes the patient’s right to confidentiality. As such, even though a physician, in releasing the document, acts in breach of the confidentiality obligation, the breach is excused.

5. Prevention of crime. Public interest in crime prevention provides yet another justificatory ground for breach of confidentiality. The evolution of this exception can be traced to the seminal case of Gartside v Outram.78 In that case, an action to prevent defendants, who were former employees of plaintiffs, from publishing information which was obtained in the course of employment and revealed that plaintiffs used fraudulent tactics in the conduct of their business, failed. In his ruling, Sir William Page-Wood V-C propounded what has come to be known as the iniquity rule:79

But there are exceptions to this confidence … The true doctrine is, that there is no confidence as to the disclosure of iniquity. You cannot make me the confidant of a crime or a fraud, and be entitled to close up my lips upon any secret which you have the audacity to disclose to me relating to any fraudulent intention on your part: such a confidence cannot exist.80

The word ‘iniquity’ has been interpreted to include ‘a crime, civil wrong or serious misdeed of public importance’.81 Thus defined, public interest in preventing criminal activities, enforced through the contribution of individual members of the public, trumps any obligation one might have regarding non-disclosure of confidential information. The Nigerian Code of Medical Ethics specifically excludes, from disclosure obligation, ‘situations in which … breach of confidentiality is necessary to protect … the community from danger’.82 Therefore, when, in the course of a therapeutic relationship, the patient confides in the physician his intention to commit a crime, the physician has no obligation whatsoever to keep the information secret. The converse echoes the equitable maxim ‘he who comes to equity must come with clean hands’ since what a plaintiff would, in essence, be asking is for the court to aid him in his iniquity by issuing an injunction preventing interference (disclosure) by a defendant physician. Protecting the community from crime is a public safety issue, an important public goal which demands vigilance on the part of every member of the community, including physicians. This duty compels the disclosure of any information that would result in breaching public safety, and overrides any conflicting obligation physicians might have regarding protection of confidential information.

The English case of W v Egdell is illustrative.83 Following his conviction for murder, W, a paranoid schizophrenic, was detained in a secure hospital under §§ 37 and 41 of the Mental Health Act 1983. Ten years later, W’s attorneys hired Dr Egdell, a psychiatrist, to evaluate W’s mental condition, intending to use the report of the evaluation to support an application to the Mental Health Review Tribunal for W’s discharge from the hospital or transfer to a less secure facility. But, contrary to their expectation, Dr Egdell found that W was still a danger to the public and documented this finding in his report. On the basis of this adverse report, W’s attorneys withdrew the application. But upon becoming aware that his negative finding was not seen by the hospital or the review tribunal, Dr Egdell dispatched his report to the hospital with instruction to forward a copy to the tribunal. W sued for breach of confidence. The Court of Appeal held that although the information was protected by the psychiatrist’s duty of confidentiality, the duty was nullified by public interest in the protection of members of the community from criminal acts and, therefore, Dr Egdell was not liable. Sir Stephen Brown P. explained:

The balance of public interest clearly lay in the restricted disclosure of vital information to the director of the hospital and to the Secretary of State who had the onerous duty of safeguarding public safety. In this case the number and nature of the killings by W must inevitably give rise to the gravest concern for the safety of the public.84

Implicit in this judgment is that the information disclosed – the subject of an action for breach of confidence – need not explicitly pertain to the commission of a crime. Where from the information obtained, the physician has reasonable belief that the patient is likely to engage in conduct that could endanger public safety, the physician will be protected by law from liability for the disclosure of the information. So, although practising physicians in Nigeria are advised that ‘announced intention of a patient to commit a crime’ is excluded from the confidences they are bound to respect, they should also be aware that protection is afforded to them even if there was no explicit announcement of intention to engage in criminal activities.85 A reasonable belief that the patient is likely to commit a crime, formed upon professional evaluation by the physician, would suffice.

It is noteworthy that even though prevention of public endangerment is an exculpatory factor in a charge of breach of confidence, the nature of the disclosure is also an important consideration in deciding whether the defendant’s conduct is justified. Since the specific purpose of the disclosure is to prevent the commission of crime, the disclosure must be limited to individuals or authorities in a position to take such actions as are necessary to prevent the crime. In many cases, disclosure to the police would be justified, but not to members of the public, as the case of Duncan v Medical Practitioners Disciplinary Committee demonstrates. In that case, Dr Duncan, a general practitioner in New Zealand, advised his patient, a bus driver who underwent a triple coronary bypass operation, against continuing to drive. But the patient refused. The surgeon who performed the surgery, however, issued a certificate to him, stating that he was fit to drive.86 Since Dr Duncan had reached a different medical conclusion, he not only reported to local police that the bus driver was unfit to drive and posed a danger to the public but proceeded to warn other people in the community about the bus driver’s medical condition and against travelling on the bus with him. An action against the physician for breach of confidence was upheld by the court.

6. Medical research. For purposes of biomedical research, physicians are not constrained by confidentiality protection in divulging medical information to researchers. This is a public interest exception with roots in utilitarian considerations. The benefit to society from biomedical research (new or improved pharmaceuticals and therapeutic procedures, for instance) is weighted higher than the good served by maintaining confidentiality. Once a research protocol is approved by an institutional review board (IRB) or some other designated entity, the physician may divulge protected medical data in absence of consent. But this privilege is subject to one crucial caveat. Prior to disclosure, the data must be stripped of all identifying information such that the data cannot be linked to any particular patient or group of patients. Unauthorized transmittal of data containing patients’ names or other identifying markers is actionable as a breach of confidence.

7. Protection of public health. Akin to the preceding exception, utilitarian calculations provide compelling justification for subjecting individual liberty to the protection of public health, the greater good of the community. Public health challenges at times raise a number of problems which cannot be resolved without constraining individual liberty. In times of emergency, such as an outbreak of infections, the need to contain the spread of the disease in question might warrant extraordinary measures which, in some cases, may adversely impact certain segments of the population. Isolation might be necessary for infected individuals as would be quarantine for people who, although not ill, have been exposed to infectious agents. These measures obviously infringe upon several fundamental rights, particularly the freedom of association and movement, and confidentiality protection – all of which are important values guaranteed to everyone in a civilized society. These values are, however, not inviolable in appropriate cases – for instance, in order to protect the health of the population. In all such cases, the duty to protect public health is prioritized over and above any duty owed to the patient by the physician and the community.

The emergence of HIV/AIDS in the 1980s, coupled with concerted efforts to arrest the spread of the infection, has brought this exception to the forefront of medical ethics. This is especially true in countries with a large population of people living with HIV/AIDS (PLWHA). Nigeria is one of them. As of 2009 (the most recent data), 3.3 million Nigerian children and adults are infected with HIV, making the country home to the second largest population of PLWHA in the world, after South Africa.87 There are several reasons an HIV-infected individual would like to keep the information private, even from close friends, family members and sexual partners. Shame, ridicule, stigma, discrimination, abandonment, loss of intimacy and so forth are typical reasons that would operate against willingness to disclose.88 Yet, without disclosure of positive status, individuals in close relationships with the patient, especially sexual contacts and needle-sharing partners, risk contracting the disease.

Upon becoming aware of the positive status of patients, physicians traditionally encourage them to notify all sexual contacts, or needle-sharing partners in the case of drug users. Often, patients would voluntarily notify their partners. Still, in other cases, patients would refuse to disclose their positive status. Recalcitrant patients do not just refuse notification duties; they also do not stop engaging in risky behaviour. In other words, knowing their status does not necessarily mean that they will adopt less risky behaviour or, at any rate, take steps to protect their partners from infection. And even if they do, that does not address the fact that their partners, who might already be infected but unaware of their status, would seek treatment or take measures to protect themselves or others from infection, since they are deprived of the key information that would have propelled them to get tested. Faced with this predicament, what is the proper course of action for the physician? The following section discusses the ethical-legal duties of the physician in this circumstance.

HIV/AIDS and Duty to Warn

In Nigeria, there is no legislation which explicitly requires physicians to warn sexual or needle-sharing partners of HIV/AIDS positive patients of their risk of exposure to infection. At first, one might be troubled by this seeming lacuna in the nation’s corpus of laws given, as noted previously, that the country hosts the second highest number of PLWHA in the world. One might intuitively assume that imposing a duty to warn would result in reducing the rate of infection since, once notified, it is plausible that the partner would adopt measures that would protect him or her from infection, assuming the person is not yet infected – and even if infected, take measures that would shield others from infection. This thinking is widespread and has led to the imposition of notification duties in many jurisdictions. The seminal case on duty to warn is Tarasoff v The Regents of the University of California, a decision handed down by the Supreme Court of California in 1976.89 Prosenjit Poddara, a graduate student from India, confided in his psychotherapist his intention to murder Tatiana Tarasoff, a woman who had rebuffed his advances. Concerned about the mental stability of Prosenjit, the psychotherapist filed a report to the police, requesting that the patient be committed for observation in a mental hospital. However, he did not communicate the threat to Tatiana. Upon release from confinement, Prosenjit promptly murdered Tarasoff. A principal issue for consideration by the Supreme Court of California was whether a cause of action is maintainable against the defendant psychotherapist for negligent failure to protect Tatiana.

The Court began by noting that although, under the common law, no person owes a duty to control the conduct of another, an exception to this rule has been carved out in cases where some special relationship exists between the defendant and the dangerous person or the foreseeable victim.90 The Court held that a therapist who knows or ought to know that ‘a patient poses a serious danger of violence to others … bears a duty to exercise reasonable care to protect the foreseeable victim of that danger’, and since the therapist failed to do so, he was liable to the plaintiffs.91 Significantly, the Court further noted that even where, as in this case, the plaintiffs’ pleadings assert no special relationship between a foreseeable victim and the defendants, so long as they establish, as between the dangerous person and the defendants, the special relationship that arises between a patient and his doctor or psychotherapist, such a relationship may be relied upon to support affirmative duties for the benefit of a third party.92