Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).


HIV and Sexually Transmitted Infections (STIs)


Published: October 2023

Introduction

This guidance provides advice on patient confidentiality and the sharing of information on sexually transmitted infections (STIs) and HIV in England. It explains to patients, health professionals and Information Governance (IG) professionals how this personal information is used, shared and kept confidential.

The guidance is aimed at publicly funded services, including those provided by private providers.

It provides advice to health and IG professionals working in organisations across the health system that deliver STI and HIV services, including:

  • sexual health services dedicated to providing specialist and non-specialist STI and HIV services (unlike a GP practice or hospital)
  • young people’s sexual health services
  • online sexual health services
  • hospitals (for example HIV treatment services)
  • independent abortion clinics offering STI and HIV testing
  • pharmacies providing sexual health services
  • outreach sexual health services
  • GP services

Some of these services will be provided face to face and some will be provided online or remotely.

The Information Commissioner has also provided advice for HIV services to help them handle sensitive information with care.



Guidance for patients and service users

You can choose to access sexual health care in different ways, for example via a dedicated sexual health service or via your GP practice. You have a right to privacy and confidentiality, and for your personal information to be kept safe and secure no matter how you access care.

If you are living with HIV and have been a victim of a data breach in relation to your HIV status or personal information, the Information Commissioner's Office (ICO) has published advice on how to make a complaint.

Information held by dedicated sexual health services

When you visit a dedicated sexual health service, the information recorded about the services you receive from the sexual health clinic will not be shared with others caring for you outside the dedicated sexual health service unless you give your explicit consent. For example, the information would not be shared with your GP or hospital consultant. Explicit consent is a very clear and specific statement or indication of your wishes. It can be given in writing, for example by signing a declaration, or verbally.

You can choose to register at sexual health clinics under an alias. However, this is not encouraged: you can be assured that your sexual health record will not be connected to your other NHS records. We encourage you to use your real name, because you are more likely to remember it as the name you registered with us if you seek care at a later date. This helps us keep track of your medical history for the safest care.

Information about your sexual health held by your GP, hospital and other organisations that provide care

Other health services providing STI and HIV services, such as infectious disease clinics in hospitals that regularly treat people living with HIV, or your GP practice, are not dedicated sexual health services. The information you provide will be linked to your NHS number, including personal details such as your real name, address and how to contact you as well as information about your care such as symptoms and previous treatments.

If you provide information relating to your HIV or STI care with your GP or other care providers, for example a hospital, those caring for you must inform you of how it will be shared. It is your right to be informed about how your information is shared so you should feel confident about asking for further information if you are not sure.

Only relevant information will be shared with those caring for you. For example, if your GP referred you to a specialist for treatment for genital warts, relevant information about your condition would be shared with the specialist. If you have an STI test outside a dedicated sexual health service, for example at a hospital appointment, or an opt-out HIV test in an emergency department, the test request and its results may be visible to others providing care for you.

Some information from your GP practice record is included in the Summary Care Record. An HIV or STI diagnosis would not be included in your Summary Care Record unless you request that your GP practice adds this. However, any medication you are taking would be included. It may therefore be possible for those accessing your Summary Care Record to work out your diagnosis from the medication you are taking. The Summary Care Record can be requested by other health care providers, for example a hospital, if they require your medical history in order to provide safe care to you. You can opt out of having a Summary Care Record by completing a patient consent preference form and returning it to your GP practice.

You may also have a shared care record. Your care team should ask for your explicit consent before any information relating to HIV or STIs is accessible via your shared care record. If you choose not to share a diagnosis in your record, your medication may still reveal it, so you may choose not to share your medication as well. However, this may have an impact on the care you receive.

Information in your GP record may be available for you to read via the NHS App. Use of the NHS App is optional. You can also ask your GP practice if you do not want a specific piece of information to be visible via the NHS App. If you can see your records via another patient portal, for example one provided by your hospital, then you should speak to those caring for you if there is information that you do not want to be visible. They will be able to advise you on how to ensure information is not visible to you via the portal.

If you do not want your information to be shared for your care

If you do not want your information to be shared with other health and care professionals involved in your care, you should speak to those caring for you. To help you decide whether to share, any possible consequences of not sharing your information will be explained, for example, the impact this could have on your care. There may be good reasons to share the information with others. For example, your GP may need to know about your diagnosis to ensure the different medications you are taking are safe to be taken together. However, your choice not to share with others caring for you will be respected unless it would put someone else at risk of serious harm, or if your health and care professional considers that you do not have sufficient mental capacity to make this decision (further information is in the section for healthcare professionals).

If you do not have capacity to make a decision, your care team will need to consider the urgency of the information sharing request. If they can wait until you regain capacity so that you can make the decision yourself, they will do so. However, where your care team has assessed that you lack capacity to make this decision, they will make a decision in your best interests. Your care team will consider any wishes or indications relating to information sharing you may have made when you have had capacity in the past before deciding whether it is in your best interests to share information.

Protecting others

If you are diagnosed with HIV or another STI, you may be asked to inform other people who are at risk, for example people who you have recently had sex with, so they can get tested and treated as needed. If you do not wish to inform other people yourself, those caring for you may offer to do this on your behalf with your consent. For example, those caring for you may be able to notify a person that they have recently been in contact with someone who has tested positive for an STI and that they should get tested. This may help to preserve your anonymity. However, if you do not consent to any affected people being informed, the care team, where they hold contact details for those affected, may need to inform them without your consent. Any decision to inform a person without your consent is not taken lightly. The care team looking after you must be convinced that other people, for example a partner or someone you have recently had sex with, are at risk of serious harm before informing them. It is best practice for the care team to notify you of any information they have shared, unless there is a valid reason not to, for example if it would impact a criminal investigation.

Other uses of information beyond your individual care

Research and planning: Information relating to HIV and STIs is important for research and planning, for example to research new treatments. Whenever possible, data used for research and planning is anonymised so that you cannot be identified. You cannot opt out of anonymous information being used for research.

If identifiable information is required, then you will usually be asked for your explicit consent. If it is not possible to seek your consent, special approvals are required, and these are managed by the Health Research Authority. You can read more about special approvals and the safeguards in place on the Understanding Patient Data website by scrolling down to the ‘What organisations are involved?’ section and looking under the ‘Health Research Authority’ tab. Even if a research programme has received special approval, you can still opt out of your identifiable data being used: either by opting out of an individual piece of research when you are informed about it or by opting out of your information being used for research and planning via the NHS website.

UK Health Security Agency: HIV and STI data, which does not include information that could be used to identify you, is shared securely with the UK Health Security Agency (UKHSA). This helps experts understand trends, for example numbers of people being tested for HIV and other STIs, and whether the number of new diagnoses is increasing or decreasing. The UKHSA also aims to detect possible outbreaks of disease and epidemics as rapidly as possible.

Infectious diseases: It is the law that all medical staff in England, including those working in dedicated sexual health services, must inform the UKHSA if you have one of the infectious diseases listed here. The diagnoses that a dedicated sexual health service would report to the UKHSA include hepatitis A, hepatitis B, hepatitis C, dysentery and mpox. The report from medical staff to the UKHSA may include information which identifies you but only relevant clinical information for health protection purposes, for example your name, address, when you started to have symptoms and the date of diagnosis. Staff will normally inform you if they need to submit a report.

Information required by law: There are times when a healthcare organisation must share information because they are required to do so by law, for example where there is a court order. Where information is required by law you cannot object to the information sharing.

How to find out more

The organisation providing you with care will give you further details about how they use and share your information. This may be provided in leaflets or on their website for example. You can also ask those caring for you if you need to know more about how they share your information.


Guidance for healthcare workers

If you work in a dedicated sexual health service

Health and care professionals usually share information for individual care on the basis of implied consent. However, if you work in a dedicated sexual health service you must obtain the explicit consent of the patient before sharing relevant information with other health and care professionals outside your organisation such as their GP, even for individual care purposes. Further information about why this is the case is in the ‘IG professionals’ section of this guidance.

If you work in another care setting, for example a GP practice or hospital

It is important that patients understand how their information is used and shared. If you share HIV or STI information on the basis of implied consent, you must be confident that a patient has a reasonable expectation that this will happen. For example, if you refer a patient for treatment relating to their STI it is likely that they will expect that this information will be shared. However, patients may expect that information relating to HIV and STIs is particularly confidential, because it is treated differently in dedicated sexual health services. Therefore if you are not certain that the patient would expect their information to be shared, you must seek their explicit consent before sharing this information.

The Summary Care Record is created from GP records. HIV and STI diagnoses are excluded from the Summary Care Record unless a patient asks for this information to be included, in which case it can be manually added by the GP practice. Whilst HIV and STI diagnoses are excluded from the Summary Care Record by default, prescriptions are included. It may be possible to infer a diagnosis from the prescriptions which have been issued to the patient. Patients can opt out of having a Summary Care Record.

You should seek a patient’s explicit consent before allowing HIV or STI information to be visible in their shared care record.

Information relating to STIs or HIV which is recorded in the GP practice record may be visible to patients via the NHS App. GPs can redact this information if a patient requests that it not be visible. If you are uncertain whether the patient would want STI or HIV related information to be visible, you should check this with them. If you work in another care setting and provide a patient portal for patients to view their records, you should engage with patients to ensure that they are happy for information relating to HIV or STIs to be visible on the portal. Patients increasingly have access to their records online and new diagnoses may be visible to them before there has been a discussion of the results with their clinician. Local procedures should be followed to mitigate this risk.

Patients who do not wish to share their information

Patients may have specific personal circumstances for not wanting information to be shared. If a patient does not wish to share their information you can discuss this with them, including any impact this might have on their care.

If they still do not wish to share you should generally respect their decision and note this on their record. Exceptions include:

  • where there is a legal requirement to share information
  • where you decide there is an overriding public interest (as described in the next section)
  • where, in your professional judgement, you have concluded that the patient lacks mental capacity to make this decision and, following the principles of the Mental Capacity Act 2005, it is considered to be in the patient’s best interests to share the information.

Where a patient lacks capacity you must consider the urgency of the information sharing request. If it is possible to wait until the patient regains capacity, you should do so. You must take into account any wishes or indications that the patient expressed when they had capacity before deciding to share information in the patient’s best interests.

Public interest disclosures

Where a person is diagnosed with HIV or an STI, you should ask or encourage them to inform other people such as a partner or recent sexual contact who may be at risk of serious harm or death from an undiagnosed infection. You could also offer to inform those at risk on behalf of the patient, without disclosing their name, if they would prefer you to do so.

If they refuse, you may nevertheless need to inform those people if they are at risk of serious harm or death. This should generally be done without disclosing the name of your patient or client to the individual who is at risk. This disclosure must not be taken lightly, and a robust justification is required. You must be convinced that the public interest to protect others from serious harm outweighs the person’s right to confidentiality and the public interest in maintaining a confidential health service. Where you have made a disclosure in the public interest you should generally inform the patient, unless there is a valid reason not to, such as where it would put people at risk or prejudice a criminal investigation.

Similarly, if you receive a request from the police then relevant and necessary information should only be disclosed without explicit patient consent if it is in the public interest and there is a risk of serious harm or death to an individual. An example is a police investigation into a case where a patient may intentionally or recklessly have passed on an infection during sexual activity with others.

You should consult your IG team and Caldicott Guardian before making a public interest disclosure decision.

Notifiable diseases

You are legally required to report suspected cases of certain infectious diseases. Some can be transmitted sexually (for example hepatitis B and hepatitis C) and others are commonly spread within sexual networks (mpox). A full list, together with information about how to report a notifiable disease, is on gov.uk.

Where to seek advice or support

If you are concerned or unsure about how to deal with a request to share patient information, check with your IG team, Caldicott Guardian or senior team for advice.


Guidance for IG professionals

There is no HIV or STI condition-specific legislation governing the information of people accessing these services. The NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000 have been revoked as of 12 October 2023.

Patient information obtained by STI and HIV services can be lawfully used and shared in the circumstances permitted within the legal framework described below.

UK GDPR

Under UK GDPR, the legal bases for processing HIV/STI information are:

  • Article 6 1(e) - public task
  • Article 9 2(h) - for individual care
  • Article 9 2(i) - for public health protection

References to consent in the guidance do not refer to UK GDPR consent (see the section on common law duty of confidentiality in relation to consent).

Health and Social Care Act 2012

The Health and Social Care (Safety and Quality) Act 2012 (HSCA) includes a duty on health and care providers to share information for individual care purposes. It also imposes a duty to use a consistent identifier (NHS number) when sharing information with other health and care providers.

However, the HSCA sets out that where a service is anonymous access provision, such as a dedicated HIV and STI service, the duty to share information with other health and care organisations and use a consistent identifier does not apply. This means that dedicated HIV and STI services should not routinely share information and should seek explicit patient consent before sharing information with other health and care organisations.

Services covered by the anonymous access provision include:

  • Genitourinary medicine (GUM) clinics, sexual health clinics or services - dedicated for testing and treatment of STIs and diagnosing HIV
  • HIV clinics that are integrated with a GUM clinic or sexual health service - dedicated for testing and treatment of STIs and HIV
  • Integrated sexual health services: GUM and contraception integrated - dedicated as above and provide contraception
  • Contraception services offering STI screening – dedicated as above

Common law duty of confidentiality

For individual care, dedicated HIV and STI clinics will satisfy the common law duty of confidentiality by seeking explicit patient consent prior to sharing confidential patient information outside the service.

Other care settings can rely on implied consent where they are confident that the patient has a reasonable expectation that information relating to their HIV or STIs will be shared. In some circumstances this may be clear, for example if referring a patient for treatment specifically relating to their STI or HIV diagnosis. However, where health and care staff are not confident that the patient would expect information relating to their HIV or STIs to be shared for their care, they must seek explicit consent from the patient before sharing information. This is because patients may expect that this information will not be shared without explicit consent, having been given this expectation through their contact with dedicated sexual health services.

Where a health and care professional has judged that a patient lacks the mental capacity to be able to make the decision whether or not information should be shared, and the information sharing decision must be urgently made, they should make a decision in the patient’s best interests. This must take into account any known wishes or indications around information sharing. The principles of the Mental Capacity Act 2005 should be followed.

Health Service (Control of Patient Information) Regulations 2002

The UK Health Security Agency (UKHSA) has a legal basis to collect the data for the purpose of communicable disease surveillance and control, such as recognising risks and trends, and identifying, monitoring and managing disease outbreaks. The legal basis that permits the data to be pseudonymised and collected without consent is Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

This legislation allows for confidential patient information about communicable diseases to be shared with relevant public health bodies, such as the UKHSA.

The UKHSA also collects routine pseudonymised STI and HIV surveillance data. This data is used to publish official STI and HIV statistics.

Public interest disclosures

Information may be disclosed where the public interest served by disclosure outweighs the public interest served by respecting the privacy of the individual and the public interest served by maintaining public trust in the confidentiality of the health and care system. An example would be where disclosure is necessary to protect another person from serious harm.

Staff should be routinely encouraged to seek the advice of their organisation’s Caldicott Guardian in this situation.

Legal requirements to disclose

As with any other information, HIV and STI information must be disclosed when there is a legal requirement to do so. This includes where there is a court order. NHS England can require data from health and care organisations where they have been directed to establish an information system.

Organisations can request data held by NHS England. Before agreeing to share any STI and HIV data, NHS England will ensure that the organisation requesting the data has a lawful basis and ethical need for the data, and that they can maintain the security and integrity of the data. Prior to sharing STI and HIV data, NHS England will pseudonymise it to remove any information that could identify an individual patient. Identifiable data will only be used where lawful and absolutely necessary. A robust approval process will be undertaken prior to release including a data protection impact assessment as appropriate.

Electronic Patient Records

It is best practice that dedicated sexual health services maintain their own patient record systems, separate from other health care services. Services that use Electronic Patient Records (EPRs) should ensure that HIV and STI patient records are not freely available to all those with access to the EPR system. Access to these records should be restricted to those that need to have access (such as staff providing care and support to HIV and STI patients).

Only EPR systems that have gone through a robust IG due diligence process should be used for sexual health and HIV services, as these systems can disable or restrict access to specific information, including information relating to sexual health in individual records. Due diligence should include conducting a Data Protection Impact Assessment (DPIA) and a Digital Technology Assessment Criteria (DTAC), covering information management, storage and data transfer.

Transparency

Healthcare organisations must provide information to patients about how their information will be used, how it may be accessed by or shared with other organisations and when, if at all, their identifiable information will be used. Where sexual health services are provided within a larger organisation such as a trust, you should ensure that there is a separate section in your privacy notice which sets out clearly how HIV and STI information is used and shared.
