Electronic communication has numerous advantages but can also pose some medico-legal risks to practitioners and teams, writes Dr Volker Hitzeroth, medico-legal consultant at Medical Protection.
Practitioners and their staff often rely on email and WhatsApp to exchange information quickly and easily with patients, their families, or their colleagues. They are familiar to many people in South Africa and accessible to most, yet their use is not without problems.
Email is mostly used to assist in the administration and running of a medical practice or department (e.g, reminders, memos, appointments, cancellations, notices, updates, billing) while WhatsApp has found significant traction in the medical setting (e.g, acute care in ER, routine outpatient visits and the provision of longer-term chronic care).
At the outset it is worth emphasising that registered healthcare practitioners in South Africa are obliged to abide by the ethical rules published by the Health Professions Council of South Africa (HPCSA) in their numerous informative booklets. This applies to every practitioner and includes their interactions and communication with patients and colleagues alike.
All communication and correspondence, whether a conversation or by pen and paper, by email and WhatsApp, must comply with the HPCSA’s ethical rules.
Furthermore, the Protection of Personal Information Act (POPIA) impacts on many aspects of professional communication and correspondence, especially when providing a healthcare service.
POPIA sets out several conditions by which you must abide, also when using email or WhatsApp:
• Accountability – you must ensure the conditions for lawful processing are complied with.
• Processing limitation – you must ensure a patient’s information is processed in a fair and lawful manner e.g, information collection must be proportionate, minimal, and specific to the purpose for which it is collected, it requires a patient’s informed consent which must be acquired directly from the patient. The patient may object in a prescribed manner.
• Purpose specification – you must ensure a patient’s information is only processed for explicit, specific and legitimate reasons e.g, collecting a patient’s information only for a specifically defined and lawful purpose in line with the function of your establishment, the patient must be aware of this purpose, you may not retain patient information longer than needed for the purpose for which it was initially collected for unless required to do so by law, contract or the patient consented to its retention, you also have to abide by certain obligations regarding the destruction, deletion or de-identification of information.
• Further processing limitation – you may not process a patient’s information for a secondary purpose unless that processing is compatible with the original purpose e.g. you must consider the potential consequences, noting any contractual rights and obligations, with some allowances for historical, statistical or research purposes.
• Information quality – you must take reasonable steps to ensure the personal information collected is complete, accurate, not misleading and updated as necessary.
• Openness – you must ensure your patient is aware you are collecting their personal information and for what purpose e.g, the patient must be fully informed, keep your PAIA manual updated, the patient must be aware of your name and address.
• Security safeguards – you must keep your patients’ information secure against the risk of loss, unlawful access, unauthorised destruction, and disclosure e.g, maintain appropriate and reasonable technical and organisational security measures and notify the Information Regulator in the event of a breach.
• Data subject participation – patients may request you to disclose to them where their personal information is held, they may also ask you to correct and / or delete any personal information held about them e.g, establish communication channels with patients, provide them with access to their information and facilitate correction of information as needed.
While there are many benefits to email and WhatsApp communication, there remain numerous risks.
Brevity
Both WhatsApp and emails rely on written text. This means that complex medical issues must be captured and conveyed in a relatively short narrative. An occasional accompanying photo of a patient’s condition or a relevant radiology image may assist in clearer communication. Yet it must be remembered that such brief written/text communication can never be a substitute for a longer and detailed conversation, be that between a practitioner and a patient/their family, or even between colleagues.
WhatsApp and email will inevitably omit much information as the usual verbal and non-verbal cues are absent. Similarly, WhatsApp users use numerous abbreviations that may lead to miscommunication and mistakes. Hence, there is a risk of clinical error when information is lost “in translation” and misunderstood by the receiver.
Records
At Medical Protection we have noticed that electronic communication is rarely added to the patient’s clinical records. This is a serious omission and can cause significant problems for both the patient and the practitioner. The HPCSA has published ethical guidance for record-keeping (Booklet 9) and every practitioner is obliged to follow this guidance.
Wrong recipient
Messages can be sent to the wrong individual or the group due to a slip of the finger, an erroneous self-populating contact address or a moment of distraction. If any patient’s identifiable information (e.g, name, email address, date of birth, ICD codes, diagnosis or treatment etc.) is thus disclosed, a serious breach of confidentiality has occurred. The POPI Act directs what steps a practitioner is obliged to undertake in the event of this.
Privacy
There is no guarantee electronic communication will remain completely confidential. Privacy settings may vary, and WhatsApp messages and emails can be forwarded to any number of individuals. They may even be posted on the internet. Electronic communications, unlike paper-based records, can never be destroyed, removed, or deleted and may even be found and accessed far into the future by unrelated or malicious actors.
Consent
Healthcare practitioners should be mindful when taking and sharing photographs or videos of patients. It is necessary to ensure every patient whose photograph is taken and whose images are shared, has given voluntary and fully informed consent to do so. The consent should be in writing and documented in the contemporaneous clinical record. This may be complicated when treating incapacitated patients or those deemed mentally unwell. Specific precautions and care must be taken when taking photographs of intimate body areas (e.g. breast, genital, and anal conditions).
Boundaries
Another risk is that the professional doctor-patient relationship becomes more social, where the professional boundaries become blurred, and practitioners assume they are on friendly – or even social – terms with the patient or their family. This can sometimes lead to over-familiarity, unusual requests, boundary crossing and subsequent medico-legal consequences.
International borders
Sometimes a WhatsApp or email may require sending information across international borders to servers or cyber clouds in other countries. The implication of such a logistical arrangement is that a South African patient’s personal information is transferred to, and stored in, a foreign jurisdiction. This might conflict with South Africa’s privacy legislation and may have legal implications.
To manage your professional WhatsApp and email communications safely and mitigate any potential medico-legal risk, your practice, department, or hospital should consider producing a clear and comprehensive electronic/social media communications policy. This should be aligned with current legislation and the HPCSA’s ethical rules. It should be easily accessible to staff and patients alike. Your establishment’s terms and conditions as per the initial “patient contract” should summarise the policy and refer the patient to its full text.
If you are in any doubt about the risks you face either from your social media or interactions with patients on social media, contact your medical defence organisation for advice.
See more from MedicalBrief archives:
Be pro-active as cyber thugs target global healthcare sector
POPIA is coming into force – are you ready?