Pip: Welcome to the webinar ‘Using personal mobile devices for clinical photos in general practice’. My name is Pip Walter and I'm the project coordinator for the RACGP Practice technology and management team and I will be your host. I'm joined by Dr Penny Burns who will deliver the webinar presentation. A bit more about Penny. Penny Burns is a general practitioner based in Sydney. She has worked for over 20 years and urban and rural general practice. Penny is a member of the RACGP Expert Committee for Practice Technology and Management. She has been interested in computer and technology use in general practice since the early 1990s. Penny is interested in the use of technology to improve outcomes in learning and in 2018 she was involved in delivering education sessions as part of the ‘My Health Record in general practice’ national education awareness campaign. She is currently part of the CSIRO ‘primary care data quality content working group’ which examines the use of data in general practice. She is also Deputy Chair of the RACGP Disaster Management Specific Interest group. Thank you, Penny. Welcome to the webinar.
Penny: Thank you very much Pip.
Pip: So Penny, myself, and the RACGP would like to thank you for taking time out of your busy schedule to participate in this this webinar. And before we begin I would like to make an acknowledgement of country. I would like to acknowledge the traditional owners of the respective lands on which we are meeting and pay my respects to Elders past and present. I would also like to acknowledge any Aboriginal and Torres Strait Islander people participating in this webinar.
Penny: So it's exciting to have these new technologies that we can be using in general practice. But we do need to understand how to manage the issues associated. So we're hoping that by the end of this session you'll be able to know your obligations when using personal mobile devices to take clinical photos, understand the issues around collecting storing and disseminating these photos as well as understanding the process of obtaining consent from patients. We hope that you'll be able to know when to use clinical photos and when that might improve patient assessment and management and be able to implement a practice policy for staff on the use of clinical photos. So what we're covering today is going to go over some general considerations. We'll go over a few of the things I just mentioned - collecting storing and disseminating photos. We’ll look at the legislation, will look at consent and data breach issues will just touch on that as it's covered in more detail in another webinar. This presentation is based on the new RACGP ‘Using personal mobile devices the clinical photos in general practice’ factsheet. And this is freely available on the college website, and there should be a link to this in the handout section on your screen. I think this is a great resource as a starting point. It's really easy to read and understand and it's good reference for using personal mobile devices the clinical photos.
So there's many many benefits from taking clinical photos. And in fact, I'm already at the point where I can't see how I could practice without taking clinical photos. They can assist in many ways in improving patient management and assessment. Some of the ways they can assist is in capturing the state of an infection or a lesion. They can track changes over time. And for years, I think we've been dermatologist has been using it for tracking changes in the shape of a mole. We can also use it for progression of infection. We can share these photos or these images immediately with particular specialists. And for me, this is the way I'm using them a lot at the moment. And this can really help with continuity of care or obtaining a second opinion as needed and it's really timely it's really efficient and it's becoming much more of a norm within particularly amongst the hospital specialist. So one really good example of this is taking photos of burns - so in order to get a second opinion on burns assessment and management. And I think as you're all aware, it can be really difficult to accurately assess burn depth initially and so for burns that appear more than a superficial epidemic epidermal burn, I actually will contact the burns teams at either North Shore Concord or Westmead Children's Hospital for advice. And an integral part of that is actually sending an image with consent from the patient for a more accurate assessment of the burned by specialist staff. And for advice on dressings and follow-up. And sometimes they'll say immediately that they need to be sent down. Other times – they’ll say ‘no, this is great. Trim the skin, use this dressing, review it in a few days and send us another photo so we can track it. For rural and more remote doctors in particular this is really essential and it optimises patient care. I learnt a lot about this when I attended a burns management workshop last Friday, and we've actually included a link to the State-wide Burn Injury Service ‘Burn Patient Management Guidelines’. And the reason for that is that page 15 is dedicated to digital photography of the burn wound for clinicians. And I think it provides a really good example of how you can use it and it gives some good clues on how to take the actual photos.
Another application that we use frequently where I work which is very close to an ED, is around fracture presentations where you might be seeking a second opinion on the imaging that you get after you've taken an x-ray for someone with a suspected fracture. And so we sometimes need to send the specialist a photo of the image because they're not able to access it – they might be in theatre, and this really ensures accurate management. And it enables us to quickly attend to whatever needs to happen in terms of plastering, cam boot and then we can organize a follow up referral. So again really valuable and I don't know how we'd manage these patients without use of imaging.
But of course there are potential hazards around taking clinical photos and it's really important to be aware of these to use them so safely. So clinical photo can capture details of a very sensitive nature and it can contain identifiable information about a patient despite your best efforts to try and remove them, for example part of the person's face. In the digital age, a photograph can be a permanent record and if it ends up in the public domain it's got the potential to cause embarrassment or psychological harm to the person in the photo. And photos can be sent to the wrong person quite easily and there is a risk that they may be intercepted during transmission to other devices. If it's the first time I've sent a photo to someone I'll actually text them first and say I'm just checking this as the correct mobile number and I'll wait till I get a message back and then I'll send the photo. When images are sent to other clinicians for consultation or second opinion, there's no guarantee that they'll be stored securely on that persons end either.
So in terms of General considerations, we really need to treat clinical photos taken on a mobile device with particular care. A clinicians own phone or tablet often not as secure as other devices that we use in the practice for storing sensitive medical information. And it's more likely to be lost or stolen or given to someone else to use and inadvertently that image could be shared. Another hazard is that a clinician might forget to transfer the photos from the personal mobile device onto the patient's medical record, or to delete the photo from the device after the photo has being transferred. And sometimes we don't even know. We think we're deleted it, but it's still actually on the phone. So the general considerations we need to think about is knowing your obligations under the law with regard to collection, disclosure and storage of clinical photos in your jurisdiction. Checking your practices policy with regard to the use of personal mobile devices for clinical photos, obtaining consent before collecting the photos, and then reporting data breaches if they occur. The college has a really good fact sheet on the notifiable data breach scheme. And I really strongly recommend you have a look at this to see what kind of data breaches are required to be reported to the Office of the Australian Information Commissioner. And of course, this doesn't just apply to breaches related to clinical photos but any breach of patient data. And you'll find this in your supplementary resources. It simplifies the process. It sounds onerous, but if you read through it, it actually clarifies that and it's not as onerous as it appears.
GP’s are businesses and have obligations under the Privacy Act. And although all these sort of policies and processes can seem a little bit boring they are really important in protecting patient information and confidentiality. And the college has produced some really good documents that simplify these. So the Australian Privacy Principles state that health information is regarded as one of the most sensitive types of personal information and there are 13 Privacy Principles covering open and transparent management of personal information, collecting personal information, using and disclosing personal information, data security, access to personal information being given out, the quality and correction of personal information and what to do with patients who wish to be anonymous or use a pseudonym.
So Australian privacy principle number 11 is the security of personal information. And that's the most relevant privacy principle in this context and it states a practices must take reasonable steps to protect personal information that it holds from misuse, from interference, from loss and unauthorized access, modification or disclosure. Which is all very sensible and very logical really when you think about it. When the practice no longer needs the personal information practices must take reasonable steps to destroy or deidentify the information according to the law, or any court order, to retain the information. And so an example that I think we all know that the law dictates we must hold onto a patient's record for a certain amount of time and for most states and territories this is seven years. So you would just treat your clinical photos as you would any other piece of health information in the patient's record.
First we'll look at an example of a good clinical photo and one that's inappropriate. I think it's pretty obvious which is which. So in the first image, you can clearly see the patient's face, which of course is an identifying feature. There's also a lot of unnecessary detail in this photo. You wouldn't need to include so much of the upper body. You don't need to include the undergarments. You don't you don't need to have nearly that much in a photo of a mole. So you also need to consider the patient's modesty and dignity which again is unnecessary detail. And if you can't avoid having those in the photo, you can cover them with a drape or something that you've got available so that they're not actually being seen. The other thing is that the photo is really no use the mole way too far away to actually give any definition or detail of the mole. So the photo to the right with the t is a much better example of how to take a clinical photo. There's no identifying features and there's no unnecessary details. It's Really well-lit you can actually see that there's the mole very clearly. It's in much enough detail so you can see the details of the mole and there's nothing obstructing the mole. Having the thing is there is actually quite useful because it gives you a bit of scale as well.
So when collecting photos you need to take care using clinical photography apps. So there's many smartphone apps and I think I've got about 10 of them that are specifically designed for capturing and managing photos. And then there's many that are also available for capturing clinical photos. And I guess we sort of would advise caution in using apps that have been downloaded from online stores for health information as it's really difficult to tell whether they're credible and secure. And it might not be possible to control the use or disclosure of photos shared by an app. So it's wise for users to review the apps privacy policy before they start using an app. And in fact, we probably recommend that you avoid doing that. You need to ensure your device has got a high resolution camera, that it can take clear detailed images with accurate colour retention to reduce the potential for miss diagnosis. So returning to the example of the patients with burns in their advice, they say when taking photos or extensive burn, it's important to take a more global photo first (missing audio). And for smaller burns, to use a ruler so that you can see the size of the burn. And then you use a neutral coloured sheet such as a green sterile sheet as a background and that's because the darker skin on a white background can make the burn look more severe and pale skin on a white background will not provide enough contrast. So there's an art to this and I think as we you know, as the years progressed will get better and better at this but there's no point taking a photo if it is actually not going to be useful to show what we need to see. And again capture only what is required. That's really common sense. You know protecting patient privacy and confidentiality as we discussed before. You don't want extra detail and you need to be mindful that for a patient to be identified by their eyes or facial structures or race or age or scars or birthmarks or tattoos or piercings that can actually occur and the rarer the presentation the more likely the patient will be able to be identified. So there are photo-sharing apps that have a feature which allows a user to conceal parts of the image that may contain potentially identifying details. With each use, it's important to consider whether the concealments sufficiently de-identify the patient before the image is distributed. And then of course, there's metadata. So digital photos contain this hidden information or metadata that might identify the person, including the time and date the image was taken, the manufacturer and model of the device and the global positioning system location. So when a clinical photo that is used in research or as a teaching tool, metadata needs to be removed as part of the process of deidentifying the image. It's good practice for us all to learn how to remove image metadata if we're going to be using a device to take images.
So as touched on in the previous slide, there's smartphone apps that are specifically designed for capturing and managing clinical photos and even sharing them with colleagues. Generally speaking, we don't recommend those. But if you choose to use them then please be cautious. The things you need to consider are the apps privacy policy, and is the server hosted in Australia. Once you’ve shared patient data and it leaves Australia, it's not covered by our privacy legislation. And you need to obtain patient consent to the take the photo, but you also need to disclose what you intend to do with that photo including upload the photo to an app and you need to be really vigilant about protecting the patient's privacy and particularly where that image is going to be uploaded to be seen by other people.
So if you take photos, you will need to know how to delete or store them. If you're storing them then use the strict privacy settings on the device. The RACGP Standards for general practice 5th Edition has some information and says that generally practices should take reasonable steps to ensure personal mobile devices used the practice and the information stored are accessed on them, are as secure as a practices desktop computers and network. So it's the same as a piece of patient information and it needs to be treated with exactly the same security and privacy as your notes. And it's good for practice clinicians to have personal mobile devices with pins and passwords and other identity recognition software. I think most of us have that and that helps protect and secure the information. All mobile devices have a unique identification number which can be retrieved in the settings menu and these can be quoted to the service provider or the police in the event of a theft and allows the owner to lock or arrays data from a device remotely. Some practice may have a practice phone to use for photos and I think this is really really important. And I think in the future maybe most practices will have one of these and it simplifies the number of devices being used in the practice to hold records. And it ensures that someone's following up storage and proper deletion of records. Clinical photos taken on personal mobile device should be stored against the patient's health record as soon as possible. They are part of the patient record. And then they need to be labelled and notes taken about the photo. Some clinical information systems allow you to upload a digital photo to files for easy storage. And another option is to just print the photo and scan them as you normally do into the patient records, as you might an ECG.
You always need to delete the photos from the device and I know that's not always easy. I've found that I thought I'd deleted photos and personal photos and they're up in the cloud. So clinical photos need to be deleted from the personal mobile device on which they taken and once they’ve been stored against the patient's file. So once they're in the patient's file you need to delete them. You need to avoid third party storage options and prevent automated backups. And this is the cloud-based issue. And it can be really fraught with problems. There's many different companies that offer this service for storage and their privacy policies very. Many apps used on personal mobile devices periodically backup their data and often you don't know that's happening. It's happening in the background. And it's best to disable this feature if you're using an app the clinical photos, as anything uploaded to the cloud has the potential to be accessed and distributed by others.
Absent organised recent photos in a device for easy upload such as Facebook really need to be used with caution. As this feature can lead to accidental dissemination of really sensitive material. And then the other thing you need to do is you need to treat the photos sent by others as if you took them yourself. So clinicians who receive a clinical photo from another person, are bound by the same ethical and legal requirements that would apply if they taken the photo themselves. They need to ensure the photos stored against the patient's health. And then deleted from the device.
Then there is the issue of disseminating photos. So you need to take measures to transmit photos securely where possible. They can be intercepted by a third party when they're sent from one device to another - such as when they're sent to someone, like a specialist, for an opinion. Where possible it's good to set up file passwords or use data encryption software to protect clinical information during transmission. A lot of the time this is not easy to do and not practicable. Never share photos outside of a professional context. It's really easy to do that. But GPs really need to treat that as if they're sharing personal notes. We've got ethical professional legal duty to respect patient privacy and confidentiality. And we need to refrain from exhibiting clinical photos on a personal device outside of professional context. And then be really wary of social media share media sharing. Photos posted to a social media platform can easily end up in the public domain, even when they're sent in private message conversation and or secretive or closed groups or personal profile with strong security section settings. They are still able to be shared. So don't post clinical images to social media and there's the patient has specifically given you permission to do this and you have provided permission ensure that the image has been de-identified prior posting it on Facebook, Twitter or Instagram. I personally am not confident enough to do that.
So clinical photos and the law. So broadly clinical photos taken for the purposes of patient management part of that person's health record, even if they only exist in electronic form. And again, we keep saying this but it's really important, they should be treated like every other personal health data and there's subject to the same conditions - the Collection disclosure and storage, for your state or territory. They may be access for legal proceedings and in situations where a complaint is raised against a health practitioner, this may be the case. And fines may apply for breaches of privacy as well as for unauthorized disclosure. So again, you have to treat these things really carefully. GPs need to act in accordance with the Privacy Act as we mentioned when collecting and distributing clinical photos. And so under the Privacy Act of photo of a patient's considered personal information, even individual is reasonably identifiable in the image. A photo is considered sensitive information if either it contains health information about individual or is collected for the purposes of providing a health service. Again, you just need to be really sensible and treat it like any other piece of medical data.
Consent. So consent must be obtained before photos are taken. And you think ‘that's obvious, they’ve stood there and they've had the photo taken’ but posing for a photo or putting yourself in front of a device is not considered an acceptable form of consent in a legal context. You need to actually have a discussion with the patient about why the photos are being taken, how the photos will be used specific, specify each possible use, whether the photos will be shared with others and if so with whom. Whether the photos will be posted to social media for the clinical opinion of peers. How and where the photos will be stored after they've been taken on a personal mobile device, whether the photos will be deidentified and how the photos will be archived or disposed of so. That is consistent with federal and state legislation and it must be a product of a discussion between the doctor and the patient and it needs to be really well documented in the notes. You don't need to actually have written consent, but it does need to be documented clearly in a notes.
So the consent has to be specific for purpose. When using clinical photos for purposes beyond that for which the person has given consent, that actually is when you may become vulnerable to complaints to the Medical Board of Australia or other authorities. You should only send a clinical photo to a third party with the patients express consent and I often do that with the patient there in the room. And in a situation with a patient would reasonably expect that the image will be sent to another person as part of their care - I guess that could be where someone unconscious has a huge burn. And that might be very reasonable then to send it to a burn specialist for consideration of persistence with management - unlikely a GP would be managing that but still. And then otherwise in a situation where you are, otherwise permitted by law to share the image.
And then data breaches. So if a device containing clinical photos is hacked, stolen or lost, or photos are sent to a third party without the prior consent of the patient, this might be considered a data breach under the Australian privacy policy number 11. And so for advice on this situation, if you do think you've got a notifiable data breach you can use the RACGP information on the notifiable data breach scheme, which has a flow chart to help you determine if your data breaches notifiable. You can also contact your medical defence organisation for advice specific to your situation. But there's also a time frame on this and so you need to act quickly if you think there is potential data breach. So practice policies and procedures are really really important for consistency across the practice. So general practices where personal mobile devices are going to be used at clinical purposes really need to consider developing an organisational policy for the staff on the use of photos. We all think about managing photos differently. Such a policy might include as listed above production, reproduction, management, retention and disposal of clinical photos, issues of consent and copyright, how and when clinical photos should be uploaded or attach the patient's medical file, how they should be removed from a personal mobile device when they've been uploaded or attached, whether a photo app is going to be used to capture the image, the maximum number and resolution of clinical photos to be taken and where the photos will be stored. Because there's an issue with if you're storing a large number of high resolution images in clinical information software, you can get back up issues and you would need to discuss that with the practices IT consultant. The practices policy can be revised as required. It doesn't need to be complicated. It can just be a really simple list with those sort of top points and it needs to be gone through with all new staff including non-clinical staff during their induction. And as suggested already, practice owners could also consider purchasing a device reserved specifically for taking clinical photos, to be housed securely on site and I think that's going to be really important and I think in the future we'll all have one of those.
So a final word -we've heard a lot of reasons and a lot of cautions about taking clinical photographs, but I really wanted to end on a positive note. I think in the future this is really going to improve the way we practice medicine. The benefits of there. We can take and share images with our colleagues. We can get immediate advice. We can very quickly act on those in managing our patients. We can get a second opinion which can be very reassuring. We can track images over time. And so on in the future I think this may be something that actually becomes more expected in patient care. You may find that you've got a burn that wasn't managed as well as it could be and you didn't consult and share an app with a specialist, you may need to consider the reason that wasn't done. And so I think that we have a big opportunity here to embrace this sort of change in medicine, and I think that as long as we understand the issues, as with all the other technological issues, I think it will improve our care of patients.
So before we wrap up with some frequently asked questions, let's have a little look at some of the RACGP Practice Technology and Management resources that relate to today's topic.
And I as I said before, some of these topics can look a little bit dull in terms of you just want to get out there and clinically manage the patient, but these documents from the college just simplify this. They give you what you need to know and what you need to do. And so I think it's really really important that you understand and are across all these documents are not onerous. They are short, punchy documents and if you have an understanding of these and I think you'll be doing well. So there's the information security in general practice resource that supports the 5th edition standards and that's benn redeveloped to be much less prescriptive and more indicative of best practice in regards to information security. It goes through guidance and solutions to improve information security, staff roles and responsibilities, policies, backups, business continuity and information recovery, physical facilities and links to other RACGP resources, including templates. And these RACGP Templates are great. They make it very easy. The second one is the privacy and managing health information in general practice. This aligns with the Australian privacy principles, all 13 and it provides guidance and examples of compliance with each Australian privacy principle within general practice. The third one which is the one we've been discussing today is using personal mobile devices for clinical photos in general practice and it just covers pretty much what we've discussed this evening and highlights considerations that need to be taken when using personal mobile devices. And then the fourth one which I think is really important is the notifiable data breaches resources. And that scheme was established in February last year with the Office of the Australia Information Commissioner and it covers mandatory requirements for organizations, which includes general practice, in reporting data breaches. And we all need to know that in great detail. And again, that's the one where there is a time urgency if you are concerned that you've had a data breach. But again, it takes you through it very simply and it's not as scary as it sounds. It has a fact sheet and it's got a flow chart that takes you through step-by-step.
So the RACGP eHealth webinar Series - this is one of many webinars that the eHealth team have been rolling out and they're planning on continuing them next year. They'll be covering some practice management type topics as well as some more practice technology topics. Webinars are accredited for two category two quality improvement and CPD points for the 2017 to 2019 triennium for RACGP members. Topics presented so far include the Notifiable notifiable data breaches scheme, medical legal concerns and the My Health Record, information security in general practice, SafeScript, Telehealth and technology in general practice. And they're all currently available online to view in the future. In 2020 we're hoping to cover My Health Record a year on, medicine safety, data quality and the general practice business toolkit.
Pip: Thank you Penny for providing such a great overview of the resources that the RACGP have developed for our members and for practice staff. As promised we have collected some common questions that we have had from members on the topic of using mobile devices for photos, so I’d just like to take a couple of minutes if you happy to go through some of those questions and have little bit of a chat. One question we have had had is “what is the RACGPs stance on clinical photo apps such as Figure One?” and you did touch on this a little bit earlier in the webinar.
Penny: So the basic RACGP stance is that we really need to be very careful when we're going to use an app. And we need to understand the apps privacy policy in detail. And so I guess the overarching stance is to be really cautious about using apps. Figure One is one of the apps for health care providers to share clinical photos with other professionals, and there are a lot of doctors sharing that. And it can be used to share interesting cases or seek advice and it's got it's the one that's got built-in features to automatically blurr faces or other identifying features. So there will be a lot of doctors who do want to get involved in using apps, but I just think you need to really understand what's happening in the privacy issues at the back of that app - what's happening with the photos, who's managing if are they being stored somewhere else that you're not aware of, - you just have to be very very careful before you do that.
Pip: Thank you Penny. And if a patient consents to the clinical photo remaining identifiable, are you as a GP still able to distribute it, such as for clinical learning with your colleagues?
Penny: So yes, you should be able to and I would note in the notes that you've actually received express consent for that and that they're aware of what you're going to be doing with a photo. You need to also be aware though that sometimes patients do change their mind. And so unless you need to have them identifiable I would suggest that there's no reason to do that. You should really avoid it if you can. I mean a lot of patients don't mind - they are happy to let you share their photos, but I think a lot of them don't quite understand that these photos are around for a long time. So I don't see any reason to have them identifiable if they don't need to be but if you if you do need them identified, you need to have expressed consent and have it very clearly documented in the notes.
Pip: Thank you. And if photos on my phone are stored in the cloud who owns those photos?
Penny: So that's a good question. And I would imagine that would differ among services. It would depend on the cloud storage service you using. So again, this is the bit of the boring bit, but you'd need to actually look at your cloud services privacy policy or terms and conditions. And so in reality if you're taking a clinical photo, it's really recommended not to send it to the cloud. And if your phone or device does this automatically I would remove that sort of automatic sending of photos to the cloud. So again, it's Depend on your particular storage service.
Pip: And if I've shared an image, say you have sent a photo to someone at a hospital and then they misuse that photo by distributing an inappropriately, who would be deemed at fault and could I personally be reprimanded?
Penny: So this is probably a little bit out of my scope and it’s getting into medico-legal territory. So I definitely seek MDO advice for this. I would make sure when you're sending it off in the first place, that the patient is informed that it's being sent to a third party and who that third party is. And that is a real risk when sending a clinical photo to a third-party - you're not guaranteed that the user at the other end will always use the photo appropriately. So that would again be a matter of looking at the notifiable data breach information and then also talking to you medical defence organisation. And again, I would do that in a very timely manner. Hopefully this would be uncommon scenario, but we don't know.
Pip: And lucky last “when taking a clinical photo is there anything else we should include in the photo to indicate the size of whatever we're capturing or where on the body the photo is taken?”
Penny: Absolutely. As mentioned before you can use a ruler, or you can use something like a coin. If you don't have that, something that can indicate the size of a lesion. And sometimes even having someone's hand or a finger there can be enough. In burns, for example, it might be appropriate to photograph the entire body if the burns are extensive and in this scenario, you could have a close-up version as well and maybe even a note of actually where that location is. But I think in terms of indicating size, that's really important.
Pip: Beautiful. Thank you very much Penny.