WhatsApp doc: Legal and practical perspectives of using mobile messaging
- 9 February 2018
With General Data Protection Regulation (GDPR) coming into force in Spring 2018, our guest columnists explore the legal and practical implications of using mobile messengers in the healthcare sector and finding a balance between convenience and compliance.
Research published in BMJ Innovations found a widespread use of WhatsApp for communication between healthcare professionals. According to the study, 97% of surveyed doctors routinely send patient information on instant messenger without consent, despite the fact 68% were concerned about sharing information in this way.
Having reviewed over 100 clinician-led studies, there are clear advantages to using a mobile messenger service like WhatsApp in a clinical setting, such as more efficient spreading of medical knowledge and overcoming inefficient hierarchical barriers within clinical teams.
However, the two main advantages most commonly noted are: first, it saves a lot of time making a clinical decision within a care team because communication is quick and accessible; and second, patient referrals are of a higher quality because doctors can share images, videos and other media.
In sharp contrast to the software that clinicians historically use, WhatsApp is mobile and facilitates both asynchronous and synchronous communication, lowering the barriers for users to organise themselves, in addition to being very easy to use. It is an unrivalled method that can overcome slow practices in healthcare that cause significant delay, and ultimately provide better care to patients.
Clearly there is a fundamental need for better communication between clinicians; one that is not addressed by existing regulatory IT systems. Yet despite the benefits for those working on the ground, NHS trusts have openly stated that the technology and security standards services like WhatsApp are ‘inappropriate’ and ‘insufficient’ for the healthcare sector.
The legal considerations for sharing patient data
The consumer mobile messaging services target market is not and will never be the healthcare sector. Mobile messengers used by healthcare professionals must adhere to additional security and privacy standards required of medical professionals, which many of them are are unable to uphold.
While researching the legal implications of using social media messaging in medical practice, we concluded that despite end-to-end encryption on WhatsApp which covers data-in-transit security, data on the phone and servers must also be secure and comply with additional security and privacy standards.
However, the business model of consumer messengers like WhatsApp is designed to make it as easy as possible for their users to backup and share their media over their phone and with other apps.
This is contrary to how healthcare professionals must handle patient information. Last, but not least, there is no formal arrangement between users and messaging services such as WhatsApp in respect of processing and storing of any patient information which is a fundamental requirement under GDPR.
The General Medical Council (GMC) stipulates that “the standards expected of doctors do not change because they are communicating through social media rather than face to face or through other traditional media.”
Doctors and other healthcare professionals may share patient information as long as the use is compliant with the standards and seven main principles stipulated by the General Medical Council in respect of confidentiality, of which the first principle is: ‘Any personal information held by or in the Medical Professional’s control should be effectively and appropriately protected against improper access, disclosure and loss at all times’.
Bringing patient confidentiality in perspective with patient safety
Every clinical study on mobile messaging dictates that clinicians should safeguard patients’ privacy above all else if WhatsApp is being used in clinical care.
If you ask a doctor if they have used it in a professional capacity, the default response will be that if they talk about patients “they never share identifiable patient information.”
In other words, healthcare professionals believe that WhatsApp can be used as long as all patient data is anonymised. However, this impulse to safeguard privacy by anonymising the data overlooks a very fundamental principle in healthcare. This principle, first coined by Liverpool surgeon Thomas Inman, is to “do no harm” to patients.
When discussing patients, all participating care team members must be fully confident about the identity of the patient, to avoid potentially life-threatening incidents as a result of mistaking one patient for another.
In short, in healthcare professionals’ assumption that they can use WhatsApp provided patient information is anonymised, doctors are prioritising confidentiality over patient safety which is a harmful practice potentially raising separate but equally serious concerns.
So how do we deal with the fact that anonymisation of patient information isn’t a viable work around to meet the unfulfilled communication need of clinicians?
Turning a growing liability into an opportunity
Despite advice to the contrary, it is apparent that WhatsApp is being used by many UK doctors to discuss patients, whether in an anonymised form or otherwise. Simply forbidding the use of consumer messengers is not enough. The empowering value of a mobile messaging service tailored to clinicians is persistent and too valuable not to grasp.
For their own interests, NHS trusts and IT leads need to embrace these developments in digital communication by offering compliant alternatives and provide guidance on how to correctly use mobile messaging in a way that meets the strict requirements of the GMC, and the soon-to-be-introduced GDPR, which comes into play later this year.
Any fit-for-purpose messenger app that wants to compete with WhatsApp will struggle to penetrate the market if compliance is the only driver for clinicians to use it. The messenger must offer at least a similar user experience to WhatsApp, with added healthcare features that maintain their current experience.
If you consider that WhatsApp took eight years to get where they are now, it is not an easy challenge. But there are companies that appear to have not only made significant steps in the right direction but are also being embraced in the UK and across Europe by the clinical workforce and hospitals; not only because they’re a viable alternative but a better option given the tailored features.
For the sake of the empowerment of their clinical workforce and their own GDPR compliance, we urge clinicians, trusts and IT leads to actively research and test for the most appropriate alternative for WhatsApp by seeking a tailor-made service for their profession.
This article is written by Adam Rose, partner, and Stefania Littleboy, associate, from the data protection group at Mishcon de Reya LLP; and Joost Bruggeman, former surgical resident and Arvind Rao, both founders of Siilo.
Want to contribute a feature article or write a guest column for Digital Health? Please go through our contributors’ guidelines (link at the bottom of our homepage) to get in touch with us.
15 Comments
Has anyone tried applying any of the data standards to first class mail, which seems to be the NHS default messaging service? Security in transit?…paper thin. Significant risk of data loss…etc.
The argument is well made that WhatsApp improves communication beyond the rubbish currently available to healthcare professionals. We might plausibly assume that improves clinical care and therefore outcomes. Would I be really odd if I said that, if I were ill, then I would want those caring for me to get the right answer? If WhatsApp does that, they should use it.
IG and other risk management activities seem to be allowed to function without any form of risk(/cost)-benefit analysis, on the facile implicit predication that all risk must be eliminated, whatever the cost. Should someone tell the GMC that being dead is a worse risk than having your data shared effectively via WhatsApp.
There are 2 very strong, compelling reasons that medical staff use WhatsApp – it is easy to use/ readily available and it does what they want (mostly). -ok that might be 3 reasons. There might be a 4th reason -it has reach in the medical world and already used by millions.
None of this makes it right share patient info using this service but until the nhs can offer something at least equal to it, it will continue to be used. Telling a relative that a patient is dead because they couldn’t get in touch with someone probably makes the knuckle wrap from the ICO seem somewhat preferable.
Yes it would be nice if the app connects to the EHR but is that really 100% necessary? When you have a conversation about a patient on the phone or in person, it is up to the clinician what gets documented in the EHR. Are we going to start implanting audible files of phone conversations into the EHR – no.
Do what you’ve always done get what you always got
Absolute madness. WhatsApp is “free”? No. It wants the data. It takes the data and anything else it can access on your phones. After all the fuss of Caldicott and DPA and stopping data leaving the EU you are firing it across WhatsApp. Read the terms and conditions or find someone who can explain where this stuff goes. Google, Facebook, even Microsoft with Windows 10: they all want your data to train AI and sell on to the highest bidder, encouraged by Trump revising laws to enable even greater dissemination. Follow the money. THINK!
Signal from Open Whisper Systems is better (who funds that) but the only way to get this secure is to integrate the functionality into NHS mail and get that to integrate with trust / GP systems.
There is a paid for option of Siilo that the NHS Trust purchases that gives SLA/contract guarantees etc. I am not sure how many UK Trusts have purchased this option but it is how Siilo will eventually make money. It runs in a free mode as well (which most people will be familiar with), that gives most of the options of the paid version.
There is also the option to archive a discussion to PDF which can be inserted into the EHR. The rest of the MPI stuff, although nice, would get bogged down in the various EHR/PAS implementations and fail in getting message through.
Whilst I understand the value of messenger apps, I can’t help but this is typical of an overstretched NHS – it resorts to cutting corners and using plasters to cover holes.
Clearly there is a need for a professional, fully evaluated, designed-for tool to aid clinicians. That’s in everybodies interests and should not be seen as seeking the gold at the end of rainbow.
WhatsApp, FB Messenger or even Telegram are not the solution though. Particularly at a time when doctors are rightly concerned about litigation and liabilities. Using any free tool (no contract/SLA/etc) is a recipe for disaster.
There are at least one or two medical messaging apps that could fulfill this function, and NHSE should be leading on this and directing NHS organisations, but as usual we have total inaction.
Remember if a clinical messaging app is free then ‘You are the Product’ and if it can’t connect to an EMR using HL7 FHIR its useless.
Spot on
Why is WhatsApp any more a data processor than, say, Microsoft or NHS Digital, if I choose to email colleagues about patients via Outlook email?
Interesting article.
Would be interested to know how Siilo (the app created by the co-authors of this article) compares against Telegram ?
“clinicians should safeguard patients’ privacy above all else if WhatsApp is being used in clinical care.”
Whilst I agree it is unacceptable to use whatsapp when there are so many services that would full-fill this role much better within an NHS context, to suggest we put privacy and security above life and death is an abhorrent attitude.
What we are witnessing here is another abject failing in NHS policy and adoption of very basic and sensible technology.
The NHS is putting patients directly in harms way with its ludicrous approach to systems and IG.
If I’m suffering and need my medical information transferring from A to B I’m really not concerned if you use NHS.uk or NHS.net …. JFDI !
Of course the NHS would never know this as yet again it has completely forgotten about the patient. The NHS puts itself and its priorities first and has little idea about what patients really want. They just make broad brush wild generalisation to support their own agenda.
If they actually cared they would have asked and they haven’t.
A messenger app has to do more than just messaging. It has to interface to MPI etc to get patient details and it has to be able to send a copy of the chat back to the record. Just talking about a clinical WhatsApp is missing the point
far more should be being done @ the national level shouldn”t Adrian? please be honest
Comments are closed.