The scenario

A doctor in the Foundation Programme was coming off a busy run of nights covering the acute medical take. She saw a patient with fulminant meningococcal septicaemia presenting with a classic rash. Without the patient noticing, the doctor took a photograph of the patient’s rash on her phone and showed the image to several of her colleagues later in the doctors’ mess.

One of the colleagues who had been shown the photograph raised concerns with the doctor’s consultant, questioning whether patient consent had been obtained and whether the image should have been shared. Subsequently, the doctor was asked to attend a meeting with the Foundation Programme director and human resources.

She called the MDU advice line asking for assistance.

MDU advice

Advances in information technology have increased the opportunities for dissemination of important clinical lessons and arguably made learning easier. However, the wide availability of high-quality digital photography in mobile phones has also increased the incidence of doctors getting into trouble when recording clinical images.

Whilst there are many circumstances where taking a photo or otherwise recording a consultation might be useful to the patient and others, the GMC has published clear guidance on what it expects of doctors in this situation. In addition, the hospitals for which you work will have applicable policies and procedures that they will expect to be followed. These are very likely to be available on the intranet and discussed in your induction.

In the case described above, it was hospital policy that only clinical photographers were allowed to take clinical photographs.

Consent

The GMC makes it clear that, amongst other things, you ‘must make recordings only where you have appropriate consent or other valid authority for doing so’ and ‘make appropriate secure arrangements for storing recordings’ as well as following the law and local guidance and procedures applicable where you work.

When the patient is a child who is not Gillick competent or an adult who lacks capacity, you must obtain permission from someone with authority to act on their behalf for recordings which form part of clinical care. Bear in mind that as young patients mature, you will need to seek their consent to use images taken in previous years.

You need a patient’s explicit consent to take a picture; this applies whether or not they are identifiable. You should reassure them that they can withdraw consent at any point without affecting the care they will receive.

Storage

If an image has been taken as part of a patient's care, perhaps to trace the progress of their condition over time, you should have already obtained and noted the patient’s consent, setting out how it will assist in their care, and you should confirm that the image will be stored securely.

In the above case, the hospital was unhappy that their policy hadn’t been followed and that, further, a personal mobile phone was being used to store clinical information without proper security and in breach of data protection policies.

The ICO guidance, Bring your own device advises using strong passwords, encryption and automatic locks when a password is entered incorrectly too many times.
It also advises registering devices with a remote 'locate and wipe' facility to maintain confidentiality of the data should a device be lost or stolen.

We strongly advise doctors not to store identifiable patient images on unencrypted mobile devices. Not only is this against Department of Health guidance, which states that 'any data to be stored on a…portable device such as a laptop, PDA or mobile phone, should be encrypted,' but if your phone was stolen or mislaid, it would be difficult to argue that you had taken all reasonable steps to protect its security.

Social media

Thanks to photo sharing apps, there is a further risk that information might leak online in an uncontrolled manner. Again the GMC makes it clear that confidentiality must be maintained when using social media and that you must not share identifiable information about patients. The GMC reminds doctors that, although individual pieces of information might not breach confidentiality, the sum of information published online might be enough to identify a patient.

Lessons learned

The MDU adviser warned the doctor that she would have to demonstrate that she had deleted the photographs from her device. The MDU also advised that she review all of the relevant guidance from the GMC, as well as the hospital policies and procedures.

Before her meeting with the Foundation Programme director and human resources, the doctor wrote a long and detailed apology to the patient. The letter detailed where she had erred and what she had learned as a result. She took this to the meeting and the trust shared it with the patient.

The trust warned her about her behaviour and the importance of following their policies and procedures.