This page is part of the learning materials to support our Confidentiality guidance
Back to the Confidentiality flowchart - Would anonymised information be sufficient for the purpose?

Disclosing information for financial audit purposes


Mr Mitra is a consultant vascular surgeon who works at a large private hospital. He and his colleagues have been asked by the hospital management to provide copies of patient records to an insurer for the purposes of a financial audit. The insurer wishes to check that the hospital is billing correctly for investigations arranged by the consultants.


The hospital has supplied copies of consent forms signed by the patients in question. However, Mr Mitra is concerned that the form is not very clear, and that the patients may not have understood that they were agreeing to their confidential medical information being shared with a third party.

What the doctor did 

Mr Mitra discusses his concerns with his colleagues and with the hospital’s Caldicott Guardian. With their agreement, he writes to the hospital and insurers to explain the reason for their doubts about whether valid, informed patient consent has been obtained.

He also suggests that the way forward would be to contact the patients directly to seek separate, explicit consent for the disclosure of their records.

Neither the hospital nor the insurers are happy with the delay that seeking further consent would introduce into the audit process.

However, they agree that it is practicable to contact the patients, all of whom have been treated within the last year and for whom the hospital has up-to-date contact details.

What the doctor had to consider 

  • Some important uses of patient information are not directly connected to patient care. These include disclosures for purposes such as financial audit and insurance claims (paragraph 78).
  • Doctors asked to provide information to third parties such as a patient’s insurer, should be satisfied that the patient has been informed about the scope of the disclosure and have obtained or seen written consent (paragraph 115).
  • Doctors should get explicit consent to disclose information about patients for purposes other than their direct care, unless the disclosure is required by law or can be justified in the public interest (paragraph 8fparagraphs 79-80).