Is it OK to take photos of patients with your smartphone?

Under Australian law taking a photo for patient records is considered exactly the same as recording any other information for the purpose of providing healthcare. Whether it’s digital, photographic or written, how you handle and store records must be met with the same level of care such as storing records for 7 years or until the patient reaches 25 years of age.

MIPS is aware that many practitioners are routinely taking photos on their smartphone and sharing photos with colleagues to assist in diagnosis and treatment. While some practitioners are avoiding this or diligently filing photos, many photos and messages are likely transmitted insecurely, never attached to a patient record and stored inappropriately in a cloud storage system outside of Australia which a third party can access.

In a study of Australian healthcare practitioners use of mobile devices it was discovered that What’s App was the most common app for sharing messages and photos.* Its use is widespread in Australian hospitals from students through to consultants. The study found:

  • An average 12 messages shared per day with patient info
  • That practitioners view:
    • apps positively for quickly communicating patient information
    • have concerns about the privacy implications arising from sharing patient information in this way.
  • 67% consider patient data moderately safe on these apps
  • 50% were concerned use was inconsistent with current legislation and policy
  • Apps were more likely to be used if they were fast, easy to use, had an easy login process, and were already in widespread use

MIPS recommends practitioners who intend to use their phones to record and share patient information take the following into consideration:

  • Every photo must be attached to the patient’s medical record as soon as is reasonably practible (that includes photos that may be deleted off the smart device). 
  • Any email/message to/from a practitioner in relation to an photograph sent electronically which provides details of the subject of the photograph (ie lesion, necrotised site, etc) which seeks, expresses an opinion or gives a direction re patient care based on the photograph and accompanying email must be attached to the patient’s medical record as soon as is reasonably practible.
  • To avoid confusing a photograph of a patient with any number of other patients, a patient should be clearly identified by name, UR No etc.
  • If the patient is not able to give consent for a photo then consent must be sought from senior next of kin, guardian or person with medical power of attorney.
  • A photo of a patient should never be used in a publication without the express consent of the patient.
  • It is inadvisable to store any photographs of genitalia on a mobile device.
  • Practitioners must satisfy themselves that proper secure systems and processes are in place to ensure that emails/messages and photos are able to be transferred onto a hospital patient record or their practice medical record for the patient.
  • Gmail, Outlook web mail and any other email is not secure.
  • Security must be effective on a mobile device, such devices can be hacked, scanned etc and if lost there is real risk of a data breach which is reportable.
  • Care needs to be taken when forwarding an email/message or photo on any device; if the email/message or photo is widely circulated the risk of a breach increases exponentially.  Ideally, an email and photo should only be circulated to the person from whom advice is sought, not to multiple people
  • Practitioners need to check with hospitals where they are accredited regarding any policies / procedures that those hospitals have in place about the use of mobile devices and photography.
  • Junior doctors are particularly exposed as they will take photos out of interest and for future reference, often without any thought of consequence.
  • Remember mobile devices become redundant quickly and disposed of appropriately.  With this comes risk so arrangements need to be made to permanently delete all stored data from the device if it is to be disposed of or given to another user.
  • If an adverse event / complaint happens and a practitioner is involved then they should be prepared to give evidence about what was on their device and what happened to the email or photo if it is not otherwise attached to a patient record.  This may include having Court orders made to surrender the device.
  • Choose an app that can securely transmit information, ie end to end encryption (eg What’s App, Medex)
  • Set up a process to identify and record/store any patient health records (eg secure personal cloud backup, copy or transcribe messages into patient record system, delete information after it has been copied and stored appropriately).
  • Do not use apps where the terms and conditions provide ownership, use or access to your photos or messages as this would constitute a privacy breach.

Facebook Messenger vs WhatsApp

Facebook Messenger

  • Encryption turned on by option of ‘secret conversations’
  • Cloud storage and backup
  • Facebook can access the data
  • Even if you delete it, it is not deleted from Facebook’s server
  • Not advisable for patient records

WhatsApp

  • Uses end to end encryption by default
  • Does not store data in the cloud
  • If you delete or fail to backup conversations they are lost
  • You can opt to automatically backup images received/sent
  • If managed appropriately, then suitable for use with patient information

Facebook purchased WhatsApp in February 2014 for a 21.8 billion, 20 times the price Facebook paid for Instagram. What’s App user growth is very strong and while it is not monetised at the moment Facebook see potential for the App’s use to become further widespread.

Australian practitioners can also use MedX as an alternative to mainstream messaging services. MedX is free like mainstream services but is designed specifically for AHPRA registered doctors and includes end to end encryption and may provide better legal compliance than mainstream applications. MIPS is unaware what the current uptake among practitioners is for MedX but the system relies on practitioners registering with the service and installing the app.

As per all other healthcare, the AHPRA Code of Conduct applies and practitioners should be aware of the AHPRA Social Media Policy.

* JMIR Med Inform. 2018 Feb 9;6(1):e9. doi: 10.2196/medinform.9526. ‘The Use of Communication Apps by Medical Staff in the Australian Health Care System: Survey Study on Prevalence and Use’.

Related on-demand education you may be interested in

webinar
AHPRA and other Mandatory Requirements
All members are subject to AHPRA's mandatory reporting requirements, that is, of being reported or to report a colleague. This webinar considers your obligations to make a mandatory notification and what to properly consider in order to make such a decision. The webinar was r ...

Share this article on:

Provide feedback

How would you rate this article?* - required
Mandatory field(s) marked with *

Got an article to submit?

More news...

The materials provided are for educational purposes only. Whilst all reasonable care has been taken in preparing these materials, including the accuracy of the information supplied, MIPS does not accept any liability whatsoever arising out of the use or reliance of the information provided. Contact MIPS 24/7 Clinico-Legal Support 1800 061 113 or education@mips.com.au for specific advice.