At the heart of general practice since 1960

Can I share a photograph of a patient’s skin condition?

Three experts advise a GP in a quandary about confidentiality and security

I want to take a photograph of a skin condition on a patient to send to a colleague for a second opinion. Can I do this? Can I use it in a presentation?

Professor Azeem Majeed: Sharing is fine with consent

The practical uses of sending and sharing information electronically have rapidly outstripped published guidance. Many NHS organisations have draconian policies about email – in some cases saying that sending patient information by unencrypted email is as unsecure as ‘sending it on a postcard’. No empirical evidence is ever presented that sending information electronically is less secure than sending it by post or telephone. In my experience, most patients would be happy for you to share the image if this helped to get a better diagnosis or a more appropriate treatment plan. You should, though, obtain consent from the patient before sharing the image with your colleague.

Guidance from NHS organisations does generally permit sending (albeit grudgingly) information by unencrypted email if the patient is informed about the (in my view theoretical) risks. If you are apprehensive about using a photo or file-sharing app, you could send the image from one NHSmail account to another, as this is fully encrypted.

In my opinion, it is acceptable for the photo to be stored on your phone as long as you take reasonable precautions to secure your device.

A picture of a skin rash by itself with no name or date of birth is highly unlikely to lead to identification of the patient. Indeed, on some online GP forums, you will find lots of pictures of skin rashes and lesions.

If you want to use the image in a presentation, you should get explicit consent from the patient, ideally in writing, as is now standard for case reports in medical journals.

Professor Azeem Majeed is a GP in Lambeth and head of the primary care and public health department at Imperial College London 

Dr Beverley Ward: Transmit and store the photo securely

You need to get the patient’s consent to take the photo, and to send it to your colleague. If the patient is a child or incapacitated, someone with legal authority needs to give consent on their behalf. If you are planning to use the photo in a presentation to healthcare colleagues, you should anonymise it and get patient consent. If the photograph will be shown to a wider public audience, this consent should be in writing. Document details of these discussions in the notes.

Ensure the picture is transmitted and stored securely. If you are using your mobile phone, tablet or laptop to store the photo, it could easily fall into the wrong hands. It is essential that these devices are encrypted and password protected to protect patient confidentiality, and comply with the Data Protection Act 1998, your practice information security policies and your ethical obligation to protect patient confidentiality. Don’t use a photo sharing app or website to seek your colleague’s opinion as these may not be secure. Only NHSmail accounts should be used to send confidential patient information unless it is encrypted.

Anonymising the photo does not mean just removing the patient’s name – consider whether the photograph includes a feature that could allow someone, including the patient, to identify them.

Dr Beverley Ward is a medicolegal adviser at the Medical Defence Union 

Dr David Coleman: Explain to patients how you’re going to use the image

Consent is the first issue to consider. If you plan on sending the file digitally, explain to the patient how it will be sent, the security of the chosen method, who will have access to it, and the benefits of sending it to the other party. If using a photo-sharing app, ensure it has been approved as secure by the CCG’s IT department. Otherwise, opt for secure email.

The other important aspect is storage of the image. As incidents such as the iCloud security breaches have demonstrated, you cannot assume a file is safe on a private device. Be careful if you use a smartphone to take photos as copies may linger in the ‘deleted files’ folder or in cloud storage. A photograph of a patient, anonymised or otherwise, should be treated like any other part of their medical record and stored within a secure clinical system without rogue copies floating around elsewhere.

The GMC does not specify how you should record the patient’s consent. While I use a template to guide the discussion and obtain written consent, verbal consent is acceptable as long as the key points are recorded in the patient’s notes. GMC guidance states that you ‘may disclose anonymised or coded recordings for use in research, teaching or training’, but it is good practice to obtain consent for these when the photograph is taken.

Dr David Coleman is a GP in Conisbrough, South Yorkshire

Readers' comments (5)

  • I know I'm probably committing some great information governance sin here, but what if we provided the email address of our colleague or the proposed telemedicine dermatology service (wouldn't that be nice?), and got THE PATIENT to email the picture in for assessment. Are we not then neatly avoiding any IG issues regarding transmission or storage of data and instead the patient assumes this risk THEMSELVES. You know, patient responsibility and all that? All my punters have iPhones and cameras and seem very free and easy about posting their zits on Facebook for a group diagnosis, the guidance really is WAY behind the times here.

  • Azeem Majeed

    Anonymous | GP Partner 09 Dec 2015 5:34pm

    Many NHS organisations have draconian policies about using any form of electronic communication (other than NHS net) to send information about patients. It's quite clear that not much thought has gone into preparing their policies (sections of which are often just cut and pasted from other documents) and that these policies have not kept up with the very rapid advances in information and communication technology we have seen in recent years.

  • Vincenzo Pascale

    I'm so stupid not understanding these speeches. I'm taking a picture of a lesion of 5 mm of diameter in the middle of the shoulder and I would have to have a written authorization. This is one of the mysteries of this world.

  • Brightondrjohn

    Nothing is ever new in medical illustration! When I used to edit the Pulse of Medicine section of PULSE 30 years ago - an article was submitted by one of my previous Consultants from the Radcliffe Infirmary (Oxford) with a picture of a patient suffering from severe septicaemia and comorbid with systemic Herpes simplex (patient isolated in the Slade with concern of Anthrax infection because of similarity of presentation).
    I knew this case very well - because it was me in the image! No one had asked my permission to take the image (though I was in Isolated ICU) or to use the picture for the article. Of course as I recognised the images I was able to let the Consultant know they were of me and I had no problem with publishing them.
    One of the 'Early Adopters' in Telemedicine was 'Teledermatology'. When I was working with the NASA Ames Laboratory, it was one of the easiest decisions to include it in the medical and surgical models for EHR/EMRs. Indeed one of the first telemedicine advisors at Richmond House was a Prof. of Dermatology who was providing a global remote Tele-dermatology service.
    Clinical Governance concerns are often overstated - usually because theoretic models are overlaid onto the reality of practical use.
    The goal of the IM&T strategy is the personal ownership of the total EHR/EMR (including all imaging) by the patient with simultaneous communication throughout the medical, surgical, mental health and social care continuum. With that in place, the instantaneous approval of image exchange would already be in place through user approval securely keyed in through the record. Until the EHR is a reality, the consent for image exchange really should not be a problem - especially when the patient realises that the process could lead to a virtual diagnosis and immediate initiation of effective treatment.

  • Azeem Majeed

    John P Stephenson | Work for a pharmaceutical company 11 Dec 2015 3:54am

    Journals such as BMJ Open now require patients or their legal representative to give signed consent before case reports or patient images are published.

    See for sample consent forms.
