It is known that during the pandemic, mainstream consumer messaging apps were used by clinicians in order to manage very high activity levels, but what happens when Covid-19 related activity levels subside? A recent Digital Health webinar looked into the clinical and regulatory risks of mobile messaging platforms.

Mobile messaging systems are a vital tool to enable busy clinicians to manage heavy caseloads, but there is increasing concern about the clinical and regulatory risk to which some systems can expose users and their employers. A recent Digital Health webinar explored this topic and found that more than half of the 130 or so participants were concerned that the messaging platform they used for clinical work did not comply with GDPR. In addition, more than a third of participants were worried that decisions made using their messaging system did not link to their organisation’s electronic patient record (EPR).

These concerns about regulatory and clinical governance compliance are likely to be well-founded. Solicitor Darryn Hale, a senior associate specialising in health information law at DAC Beachcroft, told the webinar that use of generic messaging applications like WhatsApp to discuss patients’ clinical treatment would be unlikely to meet all legal and regulatory requirements.

Regardless of what it was designed for, any software or system being used to help decide patient care is likely to be regarded as a diagnostic medical device and therefore has to meet standards set by the Medicines and Healthcare products Regulatory Agency.

As a result, he said, “it has to be the case that using non-regulated devices is a clear risk for an organisation”.

“If data were to be lost or if there was a suggestion in a clinical negligence claim that information was shared inappropriately or didn’t get to the right place, the fact that you have used a non-regulated piece of software in support of diagnostic decisions could be an additional risk; it could be an aggravating factor,” he added.

“If you’re using something which has not received appropriate regulatory approval then you open yourself up to the risk of enforcement action by the Information Commissioner’s Office, or other forms of claims, exacerbating the liability you are exposed to.”

Using personal accounts for clinical care

He also warned that regulations enforced by the Care Quality Commission (CQC) require that there is an accurate, complete and contemporaneous in respect of each , and so if key decisions and episodes of care were not stored in the electronic patient record – because they had been taken using a messaging system that does not link to the Electronic Patient Record – then that record is arguably not complete and accurate, putting a trust at risk of action from the regulator.

He added that there are a number of aspects of the UK General Data Protection Regulation that are likely to be difficult to meet if trusts allow individual clinicians to use personal messaging accounts for clinical care purposes, particularly in respect of data security and mandatory contractual governance.

Impossible to stop

Despite the regulatory and clinical challenges raised by messaging systems, the webinar heard that it would be impossible to stop using mobile, digital messaging systems as they added so much convenience, speed and capability. A study in the BMJ found that 97% of clinicians were using WhatsApp for clinical purposes.

Dr Georges Ng Man Kwong, CCIO at Pennine Acute Hospitals NHS Trust and a respiratory medicine consultant, told the webinar his staff were so used to using messaging apps in their everyday lives that they could not be expected to rely on desktop computers alone.

“Our frontline staff are so digitally enabled now that they expect to be working in a mobile way, they are really keen to embed this in their workflow to make life easy. We have to support that and find a robust solution for them,” he said.

Meeting the requirements

The challenge was to find effective mobile messaging platforms which also met clinical safety and regulatory requirements, he added. Pennine Acute Hospitals NHS Trust is now using Bleepa, the only messaging platform to be given CE certification as an approved medical device under MHRA regulations.

Bleepa’s CEO, Dr Tom Oakley, agreed that technology developers had to come up with robust, safe, compliant and secure systems which met clinicians’ needs for instant, mobile communication.

“Clinicians are using mobile platforms for a reason, it’s the way they want to work. We recognise this is the way things are going and we want to give them this in an appropriate governance and regulatory framework,” Dr Oakley said.

Dr Oakley, a radiologist, told the webinar that Bleepa’s links to a trust EPR meant decisions taken using Bleepa would be recorded in the patient’s core record. Bleepa’s unique high-quality imaging capability also meant it could be appropriately used to share and review images with colleagues.

“This isn’t purely about regulatory compliance and liability, this is fundamentally a patient safety issue,” he said. “If you are being asked to give an opinion on an image of a patient you may not have seen, you want to be using imaging of the right quality, otherwise it’s just not safe.”

In addition to concerns around GDPR breaches, more than one third (38%) of webinar participants were also worried that their platform did not link to the EPR. Only 2% were concerned that their use may put the trust in breach of CQC standards – something which Dr Oakley believes may be an underestimation, based on a lack of understanding of how data handling relates to broader CQC standards about patient care and record keeping.

Overall, the webinar highlighted how many of the most high-profile systems fell woefully short across important areas. It also clearly underlined the need for safe, secure and compliant clinical messaging platforms, which clinicians need, want and expect to use in the course of their work.