Can I share a photograph of a patient’s skin condition?
Three experts advise a GP in a quandary about confidentiality and security
I want to take a photograph of a skin condition on a patient to send to a colleague for a second opinion. Can I do this? Can I use it in a presentation?
Professor Azeem Majeed: Sharing is fine with consent
The practical uses of sending and sharing information electronically have rapidly outstripped published guidance. Many NHS organisations have draconian policies about email – in some cases saying that sending patient information by unencrypted email is as unsecure as ‘sending it on a postcard’. No empirical evidence is ever presented that sending information electronically is less secure than sending it by post or telephone. In my experience, most patients would be happy for you to share the image if this helped to get a better diagnosis or a more appropriate treatment plan. You should, though, obtain consent from the patient before sharing the image with your colleague.
Guidance from NHS organisations does generally permit sending (albeit grudgingly) information by unencrypted email if the patient is informed about the (in my view theoretical) risks. If you are apprehensive about using a photo or file-sharing app, you could send the image from one NHSmail account to another, as this is fully encrypted.
In my opinion, it is acceptable for the photo to be stored on your phone as long as you take reasonable precautions to secure your device.
A picture of a skin rash by itself with no name or date of birth is highly unlikely to lead to identification of the patient. Indeed, on some online GP forums, you will find lots of pictures of skin rashes and lesions.
If you want to use the image in a presentation, you should get explicit consent from the patient, ideally in writing, as is now standard for case reports in medical journals.
Professor Azeem Majeed is a GP in Lambeth and head of the primary care and public health department at Imperial College London
Dr Beverley Ward: Transmit and store the photo securely
You need to get the patient’s consent to take the photo, and to send it to your colleague. If the patient is a child or incapacitated, someone with legal authority needs to give consent on their behalf. If you are planning to use the photo in a presentation to healthcare colleagues, you should anonymise it and get patient consent. If the photograph will be shown to a wider public audience, this consent should be in writing. Document details of these discussions in the notes.
Ensure the picture is transmitted and stored securely. If you are using your mobile phone, tablet or laptop to store the photo, it could easily fall into the wrong hands. It is essential that these devices are encrypted and password protected to protect patient confidentiality, and comply with the Data Protection Act 1998, your practice information security policies and your ethical obligation to protect patient confidentiality. Don’t use a photo sharing app or website to seek your colleague’s opinion as these may not be secure. Only NHSmail accounts should be used to send confidential patient information unless it is encrypted.
Anonymising the photo does not mean just removing the patient’s name – consider whether the photograph includes a feature that could allow someone, including the patient, to identify them.
Dr Beverley Ward is a medicolegal adviser at the Medical Defence Union
Dr David Coleman: Explain to patients how you’re going to use the image
Consent is the first issue to consider. If you plan on sending the file digitally, explain to the patient how it will be sent, the security of the chosen method, who will have access to it, and the benefits of sending it to the other party. If using a photo-sharing app, ensure it has been approved as secure by the CCG’s IT department. Otherwise, opt for secure email.
The other important aspect is storage of the image. As incidents such as the iCloud security breaches have demonstrated, you cannot assume a file is safe on a private device. Be careful if you use a smartphone to take photos as copies may linger in the ‘deleted files’ folder or in cloud storage. A photograph of a patient, anonymised or otherwise, should be treated like any other part of their medical record and stored within a secure clinical system without rogue copies floating around elsewhere.
The GMC does not specify how you should record the patient’s consent. While I use a template to guide the discussion and obtain written consent, verbal consent is acceptable as long as the key points are recorded in the patient’s notes. GMC guidance states that you ‘may disclose anonymised or coded recordings for use in research, teaching or training’, but it is good practice to obtain consent for these when the photograph is taken.
Dr David Coleman is a GP in Conisbrough, South Yorkshire