Information Governance Alliance drafts guidelines for instant messaging use
- 2 March 2018
The Information Governance Alliance (IGA) has drafted guidelines for clinicians using instant messaging for work purposes, hailing such systems as a ‘useful tool’ but highlighting the possibility of ‘serious’ data security concerns.
The guidance, published in February, confirms instant messaging services can be used to share clinical information.
But it adds clinicians should ‘minimise the amount of patient identifiable data’ they communicate through such instant messaging services and should be done so in the correct context.
Dr Felix Jackson, founder of clinical messaging app medCrowd, has previously commented to Digital Health on how instant messaging platforms, particularly WhatsApp, are widely used by doctors and clinical teams for quick and easy communications.
While the service is branded a ‘useful tool’ in emergency situations, the guidance is quick to remind clinicians that ‘there are some serious data protection concerns surrounding the use of these systems’ including ‘compliance with data protection requirements’.
“A proportionate approach is therefore needed. Clinicians need to balance these risks against the purpose for which they wish to use instant messaging (e.g. using it in an emergency versus as a general communication tool),” it adds.
The IGA is a partnership which includes NHS Digital, NHS England, the Department of Health and Social Care and Public Health England.
It acts as a source of advice and guidance about the rules on using and sharing information in health and care.
The full list of do’s and don’ts are as follows:
DO
- minimise the amount of patient identifiable data you communicate via instant messaging
- set your device to require a passcode as soon as you start using it for this purpose
- switch on additional security settings such as two-step verification
- set message notifications to private and disable banners on your device’s lock-screen
- ensure you are communicating with the correct person or group, especially if you have many similar names stored in your personal device’s address book
- take care when selecting the membership of the group if you are an instant messaging group administrator, and review the membership periodically
- separate groups that share clinical or operational information from social groups
- review links to other apps that may be included with the Instant Messaging software and consider whether they are best switched off
- follow your organisation’s policies in relation to mobile devices and instant messaging
- remember that losing your phone now has professional ramifications as well as personal
- remember that instant messaging conversations may be subject to Subject Access Requests and potentially Freedom of Information requests
DON’T
- use a standalone instant messaging application if your organisation provides a suitable alternative
- use an instant messaging platform unless it meets advanced encryption standards
- use the instant messaging conversation as the formal medical record: keep separate clinical records and ensure original messaging notes are deleted
- allow anyone else to use your device at any time
Digital Health News understands the guidance is a draft and is subject to change.
An IGA spokesperson said: “We are currently preparing guidance to enable NHS organisations to implement policies balancing the potential risks to privacy against improvements in patient safety when using instant messaging technologies.”
6 Comments
Wow, so it’s now ok to use PERSONAL devices to hold identifiable information about patients?!
How did that become acceptable in the age of increasing botnets, mining, malware, ransomware for uncontrolled devices to hold such data?
If I was a professional, I’d be rather worried about using the freely available apps without sufficient assurance and thereby breaching of data protection legislation. In the event of a harmful incident, they would be penalties galore!
How many people know if WhatsApp’s encryption surpasses the NHS requirement (both in transit and at rest) and that every time a device changes, the new device needs to be re-paired with other’s to ensure messages are encrypted…
This great fuel to the industry that is developing over data protection negligence though!
Doesn’t the NHS have a perfectly decent IM facility freely available to all staff?
Its a wonder that the clever people at Whats app don’t include a ‘hidden’ option where marked conversations would only appear when the user re-authenticated their identity (through password/ finger print etc.
Apologies – my comment below was actually meant as a response to Jason’s comment dated 05 March 09:21 (sorry, if it looks like a standalone comment on the article).
I don’t think there is any explicit legal requirement for ALL conversations between clinical staff to be documented. And any information that a doctor does feel should be documented, can still be copied over into the relevant clinical portal whenever appropriate – but its at the discretion of the individual.
In the longer term, there may indeed be benefits from messaging solutions which are integrated with EHRs, but in the short term, this seems like a very pragmatic series of guidelines.
Moreover, it could also be argued that when messaging systems are fully integrated with EHRs, there is a risk that this might actually discourage chat between clinical staff as there would be the perception that every conversation was being recorded and documented….i’m not at all sure that is an scenario we would want to actively encourage.
I actually find this somewhat irresponsible given the focus on disclosure and patient access requests. Without these systems being interfaced to EHRs then I suspect 90% of all communications will go undocumented.
Comments are closed.