Here we discuss Canadian recommended best practice relating to the use of smartphones for clinical photography. Provincial/territorial colleges have provided some recommendations; however, the Canadian Medical Association has tried to bring it all together by publishing their recommendations.
In July 2018, the Canadian Society of Physician Leaders (CSPL) published an article entitled Canadian guidelines on smartphone clinical photography. The article highlights the general lack of guidelines pertaining to smartphone clinical photography across provincial/territorial colleges. The authors call for concise national guidelines and suggest such guidelines, organized into six categories. They base these suggestions on elements of recommendations from provincial/territorial colleges.
Just prior, in March 2018, the Canadian Medical Association (CMA) published Best Practices for Smartphone and Smart-Device Clinical Photo Taking and Sharing. They cite the then-unpublished CSPL article and provide recommendations using the same six categories.
Key Recommendations from the CMA
The following recommendations are a summarized version. Please see the document linked above for more detail.
- Informed consent must be obtained for each encounter.
- Consent should be documented.
- Written and signed consent is encouraged.
- Consent should be considered as necessary for any and all photography involving a patient, whether or not that patient can be directly recognized.
Comment: PicSafe allows you to do all of these things.
- Insecure text and email messaging should not be used unless the current gold standards of security are not accessible.
Comment: PicSafe makes the "current gold standards of security" accessible to all, so there should be no reason to use "insecure text and email messaging."
- Transmission of photos and patient information should be encrypted as per current-day gold standards (presently, end-to-end encryption (E2EE)) and use only secure servers that are subject to Canadian laws.
- Efforts should be made to use the most secure transmission method possible.
Comment: PicSafe does end-to-end encryption. The PicSafe app encrypts patient data and packages it into a .picsafe file. This file can then be transmitted through means deemed otherwise insecure (email, text message, even WhatsApp or Facebook Messenger). When sending via text message, a copy of the encrypted file is temporarily stored on a server controlled by PicSafe. For Canadian users, the server is in Canada.
- For data security purposes, identifying information should never be included in the image, any frame of a video, the file name, or linked messages.
Comment: PicSafe complies. All metadata is removed from photos.
- If possible, receipt of transmission should be confirmed by the recipient.
Comment: PicSafe stores a log of those who have viewed the "report." PicSafe allows you to receive a notification when a report has been opened.
- Storing images and data on a smart-device should be limited as much as possible.
- Clinical photos should be completely segregated from the device’s personal storage.
- Automatic back-up of photos to insecure cloud servers should be deactivated.
Comment: PicSafe does not store images or data on the device once they have been sent. Nothing appears in the gallery of the device, and therefore nothing can be automatically backed up insecurely.
- All information stored (on internal memory or cloud) must be strongly encrypted and password protected.
- Media should not be uploaded to platforms without an option for securely deleting information without consent from the patient, and only if there are no better options.
Comment: PicSafe does not store images or data. Rather, PicSafe facilitates sending images or data to third-party services that store the data. Examples include Box, Dropbox, Google Drive, OneDrive, and various Electronic Medical Record systems.
- Efforts should be made to dissociate identifying information from images when images are exported from a secure server.
Comment: All metadata is removed from photos.
- Cloud storage should be on a Canadian and SOCII certified server. Explicit, informed consent is required otherwise due to privacy concerns for servers in other jurisdictions.
Comment: PicSafe facilitates the transmission of "reports" directly from the device to a recipient or a third-party storage service. Patient data does not travel through PicSafe servers unless sending via text message. In this case, a copy of the encrypted file is temporarily stored on a server controlled by PicSafe. For Canadian users, the server is in Canada and is run by Amazon Web Services (AWS). AWS has SOCII-certified servers.
- It is important to create an audit trail. Key information includes patient and health information, consent type and details, pertinent information regarding the photography (date, circumstance, photographer), and any other important facts such as access granted/deletion requests.
Comment: PicSafe provides such an audit trail. There is a log of how, when, where, and by whom photos are accessed.
- Access to the stored information must be by the authorized physician or health care provider and for the intended purpose, as per the consent given.
- Records should be stored such that it is possible to print/transfer as necessary.
- Original photos should be retained and not overwritten.
Comment: PicSafe allows you to do all these things. Given that PicSafe does not store photos but instead integrates with various systems that already provide storage services, much of this is not relevant to PicSafe.
- All photos and associated messages may be considered part of the patient’s clinical records and should be maintained for at least 10 years or 10 years after the age of majority, whichever is longer.
- When possible, patient information (including photos and message histories between health professionals) should be retained and amalgamated with a patient’s medical record.
- It may not be allowable to erase a picture if it is integral to a clinical decision or if provincial, federal, or other applicable regulations require its retention.
Comment: PicSafe facilitates easy integration into various Electronic Medical Record systems.
- Any breach should be taken seriously and should be reviewed. All reasonable efforts must be made to prevent a breach before one occurs. A breach occurs when personal information, communication, or photos of patients are stolen, lost, or mistakenly disclosed. This includes loss or theft of one’s mobile device, texting to the wrong number or emailing/messaging to the wrong person(s), or accidentally showing a clinical photo that exists in the phone’s personal photo album.
Comment: By using PicSafe, you will not be storing patient photos or data on your device. This helps reduce the risk of a breach by losing your phone. Further, photos are not stored on your device, which means it is not possible to accidentally show clinical photos through your personal photo album.
- It should be noted that non-identifying information, when combined with other available information (e.g. a text message with identifiers or another image with identifiers), can lead to highly accurate re-identification.
Comment: This is why PicSafe packages and encrypts this data with the photo into a .picsafe file for transmission.
- At present, apps downloaded to a smart-device for personal use may be capable of collecting and sharing information – the rapidly changing nature of this technology and the inherent privacy concerns require regular attention.
- Use of specialized apps designed for health-information sharing that help safeguard patient information in this context is worth careful consideration.
Comment: We have found every app not designed explicitly for health-related information to be wanting. It may be possible to comply with regulations, but the effort one has to go through to comply renders their use impractical. For example, documenting signed consent when sending a photo via text message is difficult. Photos sent via WhatsApp are, by default, stored in the gallery of your device; therefore, you have to delete the photo from your gallery manually. Further, most other apps for "personal use" that are tempting to use have patient data traveling through US servers.
- Having remote wipe (i.e. device reformatting) capabilities is an asset and can help contain a breach. However, inappropriate access may take place before reformatting occurs.
- If a smartphone is strongly encrypted and has no clinical photos stored locally then its loss may not be considered a breach.
Comment: That is why PicSafe does not allow patient data to be stored on the device in the first place.
- In the event of a breach, any patient potentially involved must be notified as soon as possible. The CMPA, the organization/hospital, and the Provincial licensing College should also be contacted immediately. Provincial regulations regarding notification of breach may vary.
Comment: PicSafe does not store photos or patient data and does not have access to photos or patient data. Instead, it allows you to capture and send photos and patient data.
TLDR: PicSafe allows you to comply with Canadian regulations.
We hope you find this information useful. Should you have any questions, please don't hesitate to contact us.