Could you be held liable for a data breach?

Lynnette Hoffman

Managing Editor

If you use a digital tool for group messaging or clinical discussions within your practice, you’re in the majority—85% of over 2000 GPs in an April Healthed survey report using WhatsApp, WeChat, Messenger, Signal, practice management software or another tool to discuss patients.

But beware, as this can potentially breach AHPRA regulations, says lawyer David Gardner, a former AHPRA investigator who now runs compliance training for health professionals.

Messenger is particularly problematic because not all chats are encrypted (although that is slowly changing), but even apps that use encryption can pose risks.

For example, if one person in the chat backs up their data to the cloud, that data is quite likely to be stored overseas – and you may be breaching the Privacy Act if you’re discussing patient information. Quality of encryption can vary too.

End-to-end encryption (where content is encrypted on the sender’s device and not decrypted until it reaches the recipient’s device) is safer than other forms of encryption where the data is decrypted and re-encrypted at multiple points along the way, including on international servers.
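The difference between the two encryption models above, and the cloud-backup problem raised earlier, can be shown with a small simulation. The following is an added example and is not code from the article or from any messaging app: it uses a deliberately minimal SHA-256 counter-mode keystream as a stand-in cipher (an assumption for illustration only; real apps use vetted authenticated ciphers), and the party names, jurisdictions and message text are constructed sample data. It tracks which parties end up holding the plaintext: under hop-by-hop encryption the relay server reads it, under end-to-end encryption the relay only forwards ciphertext, and a participant’s cloud backup puts a decrypted copy in whatever region the backup lives in, regardless of how the message travelled.

```python
"""Toy model: who ends up holding a chat message in plaintext under
hop-by-hop vs end-to-end encryption, and after a cloud backup.
Added example; the cipher below is NOT a real messaging-app cipher."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes from SHA-256(key || nonce || counter) (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce, XOR with keystream; nonce is prepended."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


@dataclass
class Node:
    name: str
    jurisdiction: str                    # where this node stores/processes data
    seen_plaintext: list = field(default_factory=list)

    def observe(self, data: bytes) -> None:
        self.seen_plaintext.append(data)


def send_hop_by_hop(msg, sender, relay, receiver, k_sender_relay, k_relay_receiver):
    """Transport-style encryption: a separate key per hop, so the relay
    decrypts (and can read) before re-encrypting for the next hop."""
    sender.observe(msg)
    leg1 = encrypt(k_sender_relay, msg)
    plain_at_relay = decrypt(k_sender_relay, leg1)
    relay.observe(plain_at_relay)        # relay holds plaintext at this point
    leg2 = encrypt(k_relay_receiver, plain_at_relay)
    out = decrypt(k_relay_receiver, leg2)
    receiver.observe(out)
    return out


def send_end_to_end(msg, sender, relay, receiver, k_endpoints):
    """E2E: only the two endpoints share the key; the relay forwards ciphertext
    it cannot open (it never calls observe on plaintext)."""
    sender.observe(msg)
    blob = encrypt(k_endpoints, msg)     # this is all the relay ever sees
    out = decrypt(k_endpoints, blob)
    receiver.observe(out)
    return out


def backup_to_cloud(party: Node, region: str) -> Node:
    """A participant backs up decrypted chat history: the backup store now
    holds plaintext in its own region, outside any end-to-end guarantee."""
    store = Node(f"{party.name}-cloud-backup", region)
    for m in party.seen_plaintext:
        store.observe(m)
    return store


def plaintext_holders(nodes) -> set:
    """(node name, jurisdiction) pairs that ended up with the plaintext."""
    return {(n.name, n.jurisdiction) for n in nodes if n.seen_plaintext}


def run_scenario(mode: str, backup_region: Optional[str] = None) -> set:
    """mode is 'hop' or 'e2e'; optional backup by the receiving colleague."""
    msg = b"Re patient X: abnormal LFTs, see file"      # constructed sample
    gp = Node("gp", "AU")
    relay = Node("app-server", "US")                     # constructed: overseas relay
    colleague = Node("colleague", "AU")
    if mode == "hop":
        send_hop_by_hop(msg, gp, relay, colleague, os.urandom(32), os.urandom(32))
    elif mode == "e2e":
        send_end_to_end(msg, gp, relay, colleague, os.urandom(32))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    nodes = [gp, relay, colleague]
    if backup_region:
        nodes.append(backup_to_cloud(colleague, backup_region))
    return plaintext_holders(nodes)


if __name__ == "__main__":
    for label, holders in [("hop-by-hop", run_scenario("hop")),
                           ("end-to-end", run_scenario("e2e")),
                           ("end-to-end + US backup", run_scenario("e2e", "US"))]:
        print(f"{label}: {sorted(holders)}")
```

Running the script prints three lines: with hop-by-hop encryption the overseas `app-server` appears among the plaintext holders; with end-to-end encryption it does not; and once the colleague backs up to a US-hosted store, a decrypted copy sits overseas even though the message itself was end-to-end encrypted. That last line is the situation the article describes, and it is why checking every participant’s backup settings matters as much as choosing an encrypted app.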

“Encrypted apps like WhatsApp are certainly the much safer choice over Messenger. However, even those have security risks. If anyone is backing up their chats to the cloud, which many people do, then that data is being stored overseas, and can expose users to significant risks around privacy/confidentiality breaches,” Gardner says.

For example, if you discuss someone’s health condition in a chat and that information gets leaked in the United States, you could be legally liable for any losses that person experiences—even if a bad actor was involved.

“In contrast, if health information is only ever transmitted and stored within Australia and you’ve taken appropriate measures to protect it, your risk of being found liable for a data breach is far lower, even if a third party maliciously accesses your system,” Gardner says.

Messaging via your practice management software is safest, but it’s still important to check that data is not transmitted or stored overseas.

What if a patient asks a clinical question over email?

In this scenario, 36% of Healthed survey respondents said they’d forward the email to the practice manager to respond with booking options.

Seems innocent enough, and this is not necessarily an AHPRA breach, but it could be.

Depending on the situation, and what the patient has consented to regarding use of their data, it could compromise the patient’s confidentiality and privacy if the email contains their health information. If health information doesn’t need to be disclosed to a person (in this case, the practice manager), and the patient has not consented to their information being disclosed to that person, then the email should not be sent to them, Gardner explains.

“Better options would include asking the practice manager to call the patient for a booking – but not mentioning the content of the email — or for the doctor who receives the email to reply and ask the patient to book an appointment,” he says.

This means you don’t have to disclose their private details to another party, and it helps protect your own boundaries too.

Calling the patient to discuss their concerns and documenting in the clinical record is unlikely to breach privacy, but you wouldn’t want it to become a pattern, Gardner notes.

“As a once-off, I think that would usually be fine, although it would depend on what the issue is, and whether it is something that you’re even able to help with over the phone,” he says, but it’s important to let the patient know they should book in to discuss future issues.

“A problem would arise if a patient regularly started emailing you and you just called them each time they did. That’s where boundaries really start to crumble a bit.”

He also warns that providing clinical advice via unsecured email creates both clinical and confidentiality risks, and disclaimers about the limitations of advice without examination are unlikely to mitigate those risks.

Digital consent forms

Using a third-party app that collects patient consent and integrates it with your practice management software also poses a compliance risk. Many of these apps are hosted overseas, Gardner explains, which again creates confidentiality and privacy risks that could leave you liable for breaches.

If you do want to use one of these tools, be sure that information is stored locally and will not be used improperly. For example, you need to make sure that the app is not going to harvest the patient’s information and sell it to other companies.

It’s generally best to get both written and verbal consent, but telehealth consultations can make it trickier to obtain written consent, he notes.

“If you have a particularly complex patient where you might need to have a really detailed consent discussion and you may need to give them information that they need to consider before they can properly give informed consent, then they may not be suitable for telehealth or you may need to have the discussion, send the information, and then have a telehealth appointment later once they’ve had an opportunity to review it,” Gardner adds.

“Ultimately, if it isn’t written down, it didn’t happen – so you need to ensure that however consent is obtained, it is clearly documented.”

Key takeaways:

  • Messenger is especially risky for workplace/clinical discussions, but other apps can also be problematic.
  • Messaging apps and third-party consent tools that transmit or store information overseas could leave you liable for losses if a breach occurs.
  • If a patient emails a clinical question, it’s best to arrange for them to book an appointment.
  • Obtain both verbal and written consent where possible, but however it is obtained, make sure it is well-documented.

For more information about how to AHPRA-proof your practice, check out part 1 and part 2 of this series.
