By Vinay Pandaram
Senior Claims Manager, Medico Legal Adviser
Avant Mutual Group Limited
Many clinicians and health service providers have in place policies addressing the taking, use and storage of clinical images captured on private hand-held devices, but some clinicians may still not be aware of their legal obligations in relation to the capture, the use and the storage of clinical images using personal smartphone technology.
Capturing an image of a patient’s medical condition and sending it to a colleague on the other side of the country for the purposes of ongoing monitoring, management and training are benefits of mobile technology. In a remote setting, a smartphone can very easily serve as an important part of a clinician’s armoury.
Any personal information collected by a clinician must be used or disclosed only for the particular purpose it was collected (known as the ‘primary purpose’) or for a secondary purpose, that is, if it is in the patient’s reasonable expectation of how the information would be used or disclosed or an exception applies. One example of an exception is where a person faces a serious and imminent threat to their life or health.
It is important that a patient’s fully-informed consent is obtained prior to any use or disclosure of their personal information.
Consider this example. A clinician might use their smartphone to take a picture of his patient’s anterior segment projected on the screen of a device fixed to the slitlamp. A facial tattoo of the patient is visible in the picture taken. In this scenario, prior to taking a picture of the image, the clinician did not obtain the patient’s informed consent or explain the purpose for which a picture of her eye was taken. This image was then saved in an unsecured app within the phone.
The above scenario presents several privacy issues for the clinician.
To ensure compliance with the Privacy Act 1988 (Privacy Act), a careful assessment of several issues should be taken into account before taking, saving and sharing photos of patients.
Is the patient reasonably identifiable from the image?
A photograph taken or uploaded of a patient in the context of a clinical setting is deemed ‘personal information’ under the Privacy Act, if the patient is identifiable from that image.
If an image taken of the patient includes health information about the person or is collected to provide a ‘health service’, it is considered ‘sensitive information’ for the purposes of the Privacy Act and there are stricter requirements around its collection, use and disclosure.
De-identified information is not considered to be ‘personal information’ under the Privacy Act. An image can be de-identified by removing any information that might allow the individual to be identified, such as a facial tattoo, scar or birth mark.
With the advent of web-based technologies, clinicians are able to blur or hide a patient’s face as many photo-sharing apps have a feature that allows health-care providers to conceal a patient’s face or distinctive markings.
However, health-care providers should proceed with caution as careful assessment is required to determine whether the patient is still sufficiently de-identified before using or disclosing the image.
Was the patient’s full informed consent obtained prior to the photograph of their eye being taken?
The Australian Government’s Office of the Australian Information Commissioner (OAIC) cautions health-service providers taking photographs of their patients which contain ‘personal information’ to ensure that they have the patient’s consent to collect the image before they photograph the patient, and prior to using or disclosing the image taken.
There are very limited circumstances in which consent need not be obtained. One such example is where a person faces a serious and imminent threat to their life or health.
Where is the image being stored? Is it secure?
Protecting one’s online information is becoming one of the perennial issues for technology users everywhere. Security of information is an important issue and clinicians are cautioned by the OAIC to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
What constitutes ‘reasonable steps’ will depend on the circumstances and further detail can be found in the OAIC’s Guide to securing personal information. According to the OAIC, health practitioners who store photos of their patients on a mobile phone or tablet will need to make sure that their security settings are adequate to protect the information.
When disclosing to an overseas entity, the OAIC advises that health-service providers also need to consider whether they comply with the requirements of Australian Privacy Principle 8 of the Privacy Act regarding cross-border disclosure.
Privacy legislation update
In the context of the above matters, on the last occasion that Avant provided a privacy legislation update to members of Optometry Australia, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 had passed in Parliament. The amendments subsequently came in to effect on 12 March 2014.
The amendments aim to enhance the protection of an individual’s personal information.
The reforms introduced a single set of privacy principles called the Australian Privacy Principles (APPs), which apply to both public and private sector entities. These replaced the 10 National Privacy Principles that previously existed under the Privacy Act 1988.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 also ushered in other changes to how personal information is handled, including when it can be used for direct marketing purposes and sent overseas, and there are new, enhanced penalties and investigatory powers. The Privacy Commissioner has the power to conduct privacy assessments or investigations.
Members of Optometry Australia should review the steep civil penalties that both corporations and individuals face in the light of the legislative changes. There is a civil penalty of up to $1.8 million for corporations and $360,000 for individuals.
In addition to the Commonwealth’s privacy legalisation, Victoria, New South Wales and Australia Capital Territory each has its own legislation governing privacy obligations with which medical practitioners must also comply.
Disclaimer: This article is not comprehensive and does not constitute legal advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision-making with regard to the individual circumstances. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is current only at the date initially published.
Avant provides professional indemnity insurance cover to Optometry Australia on behalf of its members.