From emergency calls to patient follow-ups, the telephone is now widely used in the delivery of healthcare.¹ The telephone can both reduce the time pressures on doctors and nurses and also allow patients and relatives to consult from the comfort of their own homes. Yet, despite the everyday use and increasing popularity of the telephone in healthcare settings, remarkably little has been said of the security issues associated with its use, in particular the risk of breaching patient confidentiality. The most recent NHS Confidentiality Code of Practice contains only one mention of the word “telephone” and one mention of “phone” in its 48 pages.² The code states that “Staff should check that any callers, by telephone or in person, are who they say they are.”² Guidance for US doctors is similarly unsatisfactory.³ In an extensive literature review on telephone consultations, we could not identify any guidance on how this should be achieved.^1,4

Currently, hospital (or general practice) staff adopt one of two approaches to the telephone calls of patients or relatives. In the first approach, a patient or relative can telephone the hospital for the result of a procedure without any proof of identity. This leaves open the possibility of non-authorised people, such as curious friends, relatives or journalists, calling the hospital and obtaining confidential information with considerable ease. An outright lie may be enough to dupe the patient’s nurse or doctor.⁵ The unquestioned reliance on the caller’s honesty makes this approach prone to misuse.

In the second approach, clinicians categorically refuse to disclose any information over the telephone. Although this protects patient confidentiality, it is highly impractical for those who have legitimate access to the information, but who must nevertheless travel long distances to obtain it. It is possible, in our view, to find an alternative that will avoid the pitfalls of the options above.

In practice, the second approach—the categorical refusal to divulge information—tends to collapse into the first once staff recognise the voice of the caller. Forensic phoneticians, however, have long shown that even close relatives can fail to recognise the voices of their loved ones.⁶ Over the telephone, the acoustic properties of the voice are modified further and it is unrealistic to expect healthcare staff to decipher whether callers really are who they claim to be. The spoken reassurances of the caller or the supposed recognition of the voice is not sufficient proof of the caller’s identity. We therefore suggest the adoption of a password system, similar to those used in some European hospitals, which will surmount these obstacles and provide greater protection of patients’ confidentiality.

Under the proposed system, people who are granted access to confidential information by the express authorisation of the patient will receive a password. Healthcare staff can thus control the dissemination of information and satisfy the wishes of the patient once the caller has disclosed the password. In one hospital in Austria, for example, the patient’s chosen password is recorded in the patient’s paper and electronic notes, where it can be easily accessed from any computer in the hospital. We believe that a similar system should be implemented in the UK and elsewhere. Password arrangements are widely used in commercial customer services to safeguard confidential information.

The strongest objection to the proposal concerns the time burdens on NHS staff. Even if processing the password takes only 1 min, the sheer numbers of telephone consultations with patients and their relatives mean that hundreds of hours will be spent on the task each year. Are the likely advantages of the password system sufficient to offset the extra time burden? Should confidentiality be protected at the cost of efficiency? This is a delicate question. It is unclear, however, whether a password system would be less efficient than the current system in which staff may spend several minutes establishing the identity of callers and their relationship with patients. The new system would obviate the need for exploratory questions, allowing staff to share information immediately and making the health service more user friendly. Clearly, much can be gained by conducting pilot studies to explore current practice,⁷ find out the views of doctors, nurses and patients on the issue, and even test and evaluate the password system.

Even if we grant that asking for passwords will take longer than the current system, preventing violations of confidentiality, even if these are presently rare, may outweigh a relatively minor reduction in overall efficiency. If we accept that disclosing patient information to a stranger without consent is inappropriate, we must also accept that providing that same information to an unidentified caller is objectionable.² As there are no morally relevant differences between the two practices, consistency requires us to either permit easier access to patients’ notes or to tighten the security of telephone consultations. The ethical primacy of respect for autonomy, coupled with empirical studies showing that patients prefer their confidentiality to be upheld, weigh heavily in favour of tightening the security of telephone consultations option.^8,9

The widespread use of the telephone and, more generally, the rapid developments of information technology in healthcare require accompanying advances to protect patients’ confidentiality. Yet, in the current situation, patient confidentiality is jeopardised by slack or undefined rules regulating the imparting of information over the phone. The introduction of a password system may provide a more stringent method of access control. Although relatively straight forward, such a measure could appreciably improve the security of patient data while allowing the continuing evolution of telephone consultations.