This page is part of the learning materials to support our Confidentiality guidance

Back to the Confidentiality flowchart - Would anonymised information be sufficient for the purpose?

Disclosing information for tax purposes


Dr Greenfield is a dermatologist with a private practice. Several of her patients have failed to pay for their treatment and attempts to recover the fees have been unsuccessful 


As part of her standard HMRC compliance investigation, Dr Greenfield wishes to write the fees off as bad debt. In order to do so, she will need to prove that she provided treatment that was not paid for. 

However, she is worried about giving information about the patients’ treatment to HMRC, in case that could be considered a breach of confidentiality. She cannot seek consent from the patients themselves as she has no effective contact details for them. 

What the doctor did

Dr Greenfield calls HMRC to check whether she is required by law to provide identifiable information about the patients.

The adviser explains that HMRC recognises the sensitivity of medical information, and although they sometimes have powers to do so, they don’t usually require doctors to disclose personal health information about patients. In this case, the advisor says, anonymised information will be sufficient.

Dr Greenfield prepares copies of the patients’ billing information which lists the medical services she provided but removes the patient’s name, address, date of birth and any reference to their gender.

She judges that, as the procedures in question are relatively common and the information doesn’t go into any detail about any unusual clinical features of individual cases, the risk of the individual patient being identified is very low.

What the doctor had to consider 

  • Information about patients disclosed for financial and administrative purposes should be anonymised if that is practicable and will serve the purpose (paragraph 99).
  • Removing obvious identifiers such as a patient’s name and address may not be enough to prevent that patient from being identified. Doctors should follow the Information Commissioner’s code of practice, or seek expert advice, if they are anonymising or disclosing anonymised information (paragraphs 81–83).
  • If identifiable information is requested, doctors should satisfy themselves that there is a legal basis for disclosing it. That might be, for example, when the disclosure is required by law, or the patient has given consent (paragraph 80).