Registrar to Consultant (showing an image on a smartphone): ‘Have a look at this case!’
Consultant (horrified): ‘You have a picture of a patient’s vagina and vulva on your personal device.’
Registrar: ‘She was anaesthetised.’
Consultant (panicked): ‘What consent did you obtain?’
Registrar: ‘Don’t worry! All cool. She is a young adolescent. She, her mum and I have a really good relationship.’
Consultant (terrified, thinking): ‘If you were scrubbed, then who took that photo? And why did no one in the theatre stop it?’
Have you ever captured a patient image on your smartphone? Digital technology is ubiquitous in hospitals and medical care, with readily available devices for capturing, sending and reproducing patient images. It is likely a common event in your hospital, used to aid diagnosis and teaching. It is particularly useful in rural and remote areas, where doctors can instantly send images to tertiary experts for help with patient management. Allowing the capture of images for immediate communication with specialists can ensure rural patients receive time-critical, lifesaving interventions. However, digital dissemination of patient information has significant implications for privacy, security, ethics and the law.
The Privacy Act 1988 is the starting point for legislation concerning use of digital images in healthcare. However, when the Act was drafted, patient consent for medical images involved allowing photographs to be physically stored in hospitals with tight rules for authorisation, reproduction and access. Smartphones speed up this process with immediate transmission of patient images. There is no intermediary regulatory figure to check for patient consent and take accountability for dissemination of the files.
In response to the potential harms from digital devices, amendments to Australian privacy laws took effect in March 2014. Under them, medical professionals with unsecured patient images on their smart devices could face fines of up to A$340,000, and institutions up to A$1,700,000, for breaches.
Mandatory data breach notification obligations come into force in early 2018. The Notifiable Data Breaches scheme sets out how entities must respond to a ‘data breach’ that is likely to result ‘in serious harm’ to any individual whose personal information is exposed. From 12 February 2018, this obligation applies to all agencies and organisations (including healthcare providers) that already have personal information security obligations under the Australian Privacy Act 1988. Notification is made to the individual whose privacy has been breached and to the Australian Information Commissioner. As part of its review of the breach, the entity concerned (for example, a hospital) must consider reporting the incident to, amongst others, the police and relevant professional bodies. It seems likely this will involve (as a minimum) lodging a complaint with a Disciplinary Board. Be mindful!