WhatsApp doc: Legal and practical perspectives of using mobile messaging
With the General Data Protection Regulation (GDPR) coming into force in Spring 2018, we explore the legal and practical implications of using mobile messengers in the healthcare sector and finding a balance between convenience and compliance.
Research published in BMJ Innovations found a widespread use of WhatsApp for communication between healthcare professionals. According to the study, 97% of surveyed doctors routinely send patient information on instant messenger without consent, despite the fact that 68% were concerned about sharing information in this way.
Having reviewed over 100 clinician-led studies, we found clear advantages to using a mobile messenger service like WhatsApp in a clinical setting, such as more efficient spreading of medical knowledge and overcoming inefficient hierarchical barriers within clinical teams.
However, the two main advantages most commonly noted are: first, it saves a lot of time making a clinical decision within a care team because communication is quick and accessible; and second, patient referrals are of a higher quality because doctors can share images, videos and other media.
In sharp contrast to the software that clinicians historically use, WhatsApp is mobile and facilitates both asynchronous and synchronous communication, lowering the barriers for users to organise themselves, in addition to being very easy to use. It is an unrivalled method that can overcome slow practices in healthcare that cause significant delay, and ultimately provide better care to patients.
Clearly there is a fundamental need for better communication between clinicians; one that is not addressed by existing regulatory IT systems. Yet despite the benefits for those working on the ground, NHS trusts have openly stated that the technology and security standards of services like WhatsApp are ‘inappropriate’ and ‘insufficient’ for the healthcare sector.
The legal considerations for sharing patient data
The target market of consumer mobile messaging services is not and will never be the healthcare sector. Mobile messengers used by healthcare professionals must adhere to additional security and privacy standards required of medical professionals, which many of them are unable to uphold.
While researching the legal implications of using social media messaging in medical practice, we concluded that despite end-to-end encryption on WhatsApp which covers data-in-transit security, data on the phone and servers must also be secure and comply with additional security and privacy standards.
However, the business model of consumer messengers like WhatsApp is designed to make it as easy as possible for their users to back up and share their media over their phone and with other apps.
This is contrary to how healthcare professionals must handle patient information. Last, but not least, there is no formal arrangement between users and messaging services such as WhatsApp in respect of processing and storing of any patient information, which is a fundamental requirement under GDPR.
The General Medical Council (GMC) stipulates that “the standards expected of doctors do not change because they are communicating through social media rather than face to face or through other traditional media.”
Doctors and other healthcare professionals may share patient information as long as the use is compliant with the standards and seven main principles stipulated by the General Medical Council in respect of confidentiality, of which the first principle is: ‘Any personal information held by or in the Medical Professional’s control should be effectively and appropriately protected against improper access, disclosure and loss at all times’.
Bringing patient confidentiality in perspective with patient safety
Every clinical study on mobile messaging dictates that clinicians should safeguard patients’ privacy above all else if WhatsApp is being used in clinical care.
If you ask a doctor if they have used it in a professional capacity, the default response will be that if they talk about patients “they never share identifiable patient information.”
In other words, healthcare professionals believe that WhatsApp can be used as long as all patient data is anonymised. However, this impulse to safeguard privacy by anonymising the data overlooks a very fundamental principle in healthcare. This principle, first coined by Liverpool surgeon Thomas Inman, is to “do no harm” to patients.
When discussing patients, all participating care team members must be fully confident about the identity of the patient, to avoid potentially life-threatening incidents as a result of mistaking one patient for another.
In short, by assuming that they can use WhatsApp provided patient information is anonymised, doctors are prioritising confidentiality over patient safety, a harmful practice that potentially raises separate but equally serious concerns.
So how do we deal with the fact that anonymisation of patient information isn’t a viable workaround to meet the unfulfilled communication need of clinicians?
Turning a growing liability into an opportunity
Despite advice to the contrary, it is apparent that WhatsApp is being used by many UK doctors to discuss patients, whether in an anonymised form or otherwise. Simply forbidding the use of consumer messengers is not enough. The empowering value of a mobile messaging service tailored to clinicians is persistent and too valuable not to grasp.
For their own interests, NHS trusts and IT leads need to embrace these developments in digital communication by offering compliant alternatives and providing guidance on how to correctly use mobile messaging in a way that meets the strict requirements of the GMC, and the soon-to-be-introduced GDPR, which comes into play later this year.
Any fit-for-purpose messenger app that wants to compete with WhatsApp will struggle to penetrate the market if compliance is the only driver for clinicians to use it. The messenger must offer at least a similar user experience to WhatsApp, with added healthcare features that maintain their current experience.
If you consider that WhatsApp took eight years to get where they are now, it is not an easy challenge. But there are companies that appear to have not only made significant steps in the right direction but are also being embraced in the UK and across Europe by the clinical workforce and hospitals; not only because they’re a viable alternative but because they are a better option given the tailored features.
For the sake of the empowerment of their clinical workforce and their own GDPR compliance, we urge clinicians, trusts and IT leads to actively research and test for the most appropriate alternative for WhatsApp by seeking a tailor-made service for their profession.
This article is written by Adam Rose, partner, and Stefania Littleboy, associate, from the data protection group at Mishcon de Reya LLP; and Joost Bruggeman and Arvind Rao from Siilo.