The NHS has released new guidance to help doctors, nurses and other staff safely use instant messaging during emergencies.
While instant messaging is not a new phenomenon, it has become clear just how instrumental it can be in supporting the delivery of acute care. Medical staff have turned to communication platforms such as WhatsApp in emergency situations such as the Croydon tram crash, Grenfell Tower fire and terrorist attacks in London and Manchester.
A 2017 study in British Medical Journal (BMJ) Innovations entitled ‘The ownership and clinical use of smartphones by doctors and nurses in the UK: a multicentre survey study’ found that 70% of surveyed doctors and 37% of nurses expressed the desire for a secure way of sending patient information to colleagues over their smartphones. Of the 98.9% of doctors across five hospital sites who owned a smartphone, just over a third of those used web-based messaging apps to send clinical information.
The NHS has now provided new guidance to help organisations and staff decide when and how to use instant messaging safely in acute clinical settings. However, while beneficial in some respects, this does raise the issue of confidentiality, security and data protection.
From providing a ‘friendly forum’ in which to contact senior colleagues, to sharing pictures of injuries or wounds and retrospectively discussing test results and investigations such as ECGs, WhatsApp group chats offer doctors an alternative way in which to communicate with each other.
Group chat through instant messaging can also be used by doctors for more informal purposes, such as organising rotas and arranging social gatherings. However, if the conversation ever overlaps into care of patients, this can lead to problems.
Security and Data Protection
While WhatsApp introduced end-to-end encryption in 2016, concerns have been raised with the security feature after it was found that anyone who controls WhatsApp's servers could add new people into a private group – without the permission of the group administrator. This is because anyone can join a WhatsApp group by clicking on an invitation link without any additional authentication, so it’s possible that the group administrator(s) or members may not realise when a new, unidentified member joins the group.
WhatsApp addresses this concern by stating that users can verify the security code of chat participants by clicking on ‘group info’ in the chat, in order to check the security code of each member. However, it would take a dedicated chat participant or admin to carry out routine security checks and help minimise a security breach. Concern has similarly be raised that other chat groups on encrypted instant messaging apps like Signal and Threema were also less secure than they claimed.
On 25 May this year, the EU General Data Protection Regulation (GDPR) came into force, directly affecting every European country. The GDPR was incorporated into the UK Data Protection Act (2018) which reflects the increasingly digital world in which we live, allowing people to take greater control of their own personal data.
The regulations affect how patients can access their data and confirm that their data is processed fairly. Any data breach affecting a patient’s privacy rights must be reported to Information Commisioner’s Office (ICO) “without undue delay”, unless the data was anonymised or encrypted. Failure to report breaches or any non-compliance can now result in much higher fines.
Confidentiality plays a vital part in the trust a patient places with their doctor. It is an important legal and ethical principle – doctors must abide by the principles of the existing data protection law and the General Medical Council’s guidance.
The duty of care includes the element of confidentiality, making doctors responsible in ensuring any written, visual or audio recording of patient information is kept securely. Software company CommonTime published a report about the use of instant messaging in the NHS. In the survey, healthcare professionals anonymously gave examples of times they had experienced a data breach. While these examples were not verified, the anecdotal findings were not surprising. The examples included staff sending patient data to the wrong person, photos of patients being taken without their permission, x-ray images being shared with friends, and even a patient’s contact details being sent outside the organisation.
The new NHS guidelines state the following about record management in instant messaging:
- Minimise the amount of patient identifiable data you communicate via instant messaging
- Instant messaging does not change your responsibility to maintain a comprehensive medical record. Don’t use the instant messaging conversation as the formal medical record. Instead, keep separate clinical records and delete the original messaging notes. Any advice you receive on instant messaging should be transcribed and attributed in the medical record
- Remember that instant messaging conversations may be subject to freedom of information requests or subject access requests.
There are already some messaging apps in the market that have been created and developed specifically to meet the needs of healthcare professionals. Some apps can even integrate messages into electronic patient records and store patient’s test results for diagnosis.
“The competing issues here are embracing the benefits of digital communication in the interests of patients whilst being mindful of the potential pitfalls, which include consent, confidentiality and record keeping” says Dr Richard Stacey, Head of Policy and Technical. “The risks relating to confidentiality can be mitigated to some extent by encryption, device locking, disabling message notifications on the device lock screen and deleting original messages once the content has been transcribed to the patient notes, ”
“This NHS guidance is welcome and should be followed by healthcare professionals when it is introduced,” Dr Stacey continues.
With new technologies emerging all the time that can improve patient care and help doctors become more efficient and streamlines, we need to embrace apps like these but remain wary of any limitations that could affect security and confidentiality. Instant messaging apps that allow for group chats can make things quicker and more convenient, less hierarchical and allow the exchange of photos and videos. However, users are not immune from security and data breaches and all medical professionals need to keep this in mind.
If you are unsure about the use of instant messaging apps in a clinical setting, you can get in touch with us for advice on 0800 561 9000 or at medicalprotection.org.