  • Mishcon de Reya, Siilo

Siilo: the Legal Framework for the use of Social Media Messaging within the UK Healthcare sector

Codes of practice and guidance on confidentiality obligations of Medical Professionals to their patients clearly stipulate that the duty to share information can be as important as the duty to protect patient confidentiality, especially in connection with the provision of safe, complete and effective patient care.

The General Medical Council has expressly stipulated that “the standards expected of doctors do not change because they are communicating through social media rather than face to face or through other traditional media. However, social media does raise new circumstances to which the established principles apply.”

It must therefore be noted and appreciated that, in the first instance and as a general rule of thumb, the standards and main principles stipulated by the General Medical Council in respect of confidentiality (‘Confidentiality: Good practice in handling patient information’ – January 2017 – in effect from 25 April 2017) shall apply to all Medical Professionals, including those intending to communicate via Social Media Messaging Services and, for that matter, any Mobile Messaging Services, including Medical Messaging Services.

(i) Any personal information held by or in the Medical Professional's control should be effectively and appropriately protected against improper access, disclosure and loss at all times;

(ii) The Medical Professional should develop and maintain an understanding of information governance that is appropriate to his/her responsibilities;

(iii) The Medical Professional should know what Patient Data handling he/she can and should be undertaking and help within the parameters of the law;

(iv) The Medical Professional should share relevant information only for direct care except where the patient has expressly objected;

(v) Where appropriate, the Medical Professional should ask for and obtain explicit written consent to disclose patient personal data for purposes other than care or local clinical audits unless the disclosure is required by law or is in the public interest;

(vi) The Medical Professional should inform patients of any and all Patient Data disclosure he/she intends to make that they would not otherwise expect, keeping a record of the discussion to disclose, not to disclose and the information disclosed; and

(vii) The Medical Professional should respect and always provide assistance and help to parties wishing to exercise their legal rights to be informed of how their information is used and how to access copies of such information.

The overarching principles detailed above should always be considered and borne in mind by Medical Professionals seeking to maintain an appropriate balance between confidentiality and disclosure of Patient Data, both in the interest of the patient.


A Medical Professional may disclose and share Patient Data over and above the rule on confidentiality where the following circumstances are established:

  1. Consent can be implied so as to ensure patient's care is maintained (such as Patient Data disclosure to persons involved in the treatment of the patient) or for a local clinical audit;

  2. Patient consent has been expressly granted;

  3. Disclosure and Patient Data sharing is of overall benefit to patients otherwise lacking capacity to consent; or

  4. Disclosure is in the public interest.

The onus of ensuring any disclosure of Patient Data will not breach a patient's right to confidentiality vests with the Medical Professional disclosing such information, as it is this individual who has control over the confidential Patient Data to be transferred or data access to be granted to another Medical Professional. The receiving Medical Professional will gain control over the confidential information following the sharing and disclosure of the Patient Data, albeit potentially as a Data Processor acting under the instruction of the disclosing Medical Professional. Clearly identifying the Data Controller during the data transfer and sharing process is important in that it further clarifies the responsibilities on the relevant Medical Professionals.

Ultimately, Patient Data can be shared between Medical Professionals, including by way of a Mobile Messaging Service, provided the principles referenced above are followed and one of the permitted purposes for the disclosure and sharing of information taking priority over patient confidentiality applies.

Where Medical Professionals can establish that it is in the relevant patient's interest for their medical information to be disclosed to other Medical Professionals, it is important that the Medical Professional establishes what, if any, express patient consent is required in connection with such disclosure. In the first instance the Medical Professional must determine whether the receiving Medical Professional has an existing professional treatment relationship with the patient or not.

This will ultimately determine whether patient consent is required for such disclosure and secondly whether the anonymisation of such Patient Data would be an inappropriate and potentially negligent act on the part of the Medical Professionals for not clearly identifying the patient that is being discussed when communicating within the medical team of the patient. This second aspect is emphasised in light of a widespread belief by the Medical Professional community that anonymising Patient Data is always the most appropriate way to utilise Social Media Messaging Services for work related purposes, where they don't want to risk breaching data protection laws and guidance thereto.

(This White Paper was produced to address the trending topic of the use of social media messaging within the UK healthcare sector, and has been written by Mishcon de Reya in collaboration with Siilo, a leading secure messenger in Europe and UK.)
