GP College Issues New Guidance on Cyber Security for Doctors
The Royal Australian College of General Practitioners (RACGP) has cautioned doctors to think carefully before using personal phones to take clinical photos, and about how they store those records. In the new guidance issued to GPs, the College says that clinical photos taken for the purposes of patient management are part of that person’s health record, even if they only exist in an electronic format.
Therefore, it says, the photos should be treated like any other personal health data and are subject to the same conditions for collection, disclosure and storage specified in state/territory and federal laws and regulations.
Cyber Security & Safety
It’s become common practice for GPs to use their own phones or tablets to take photos to send to colleagues for a second opinion.
The RACGP says clinical photos taken on personal mobile devices should be treated with particular care.
A clinician’s own phone or tablet might not be as secure as other devices used in the practice for storing sensitive medical information. A personal device is perhaps more likely to be lost, stolen or accessed by other people.
Doctors have also been known to snap particularly interesting or abnormal cases for further study or discussion at industry conferences. The College warns particular care should be taken to make sure no identifying details are in the images.
One of the focuses of the new guidelines is informed consent – making sure practitioners let patients know why the photo is being taken, how it will be stored and transmitted, with whom it will be shared and why, and whether the photos will be de-identified.
Patient and GP Awareness
The RACGP suggests that general medical practices establish dedicated policies and procedures to ensure patients and doctors are informed of their legal obligations and adhere to best practice privacy and security standards.
GP practices are advised to use a dedicated phone that’s securely stored on-premises to take clinical photos, rather than use personal devices, to ensure compliance across the clinic and prevent accidental loss or the forwarding of images to the wrong people.
The College suggests that clinicians should avoid third-party storage options to limit the risk of a data breach and instead upload photos straight to patient medical files “as soon as practicable”, deleting the photos from their own devices immediately afterwards.
Think Technology Australia has a track record in assisting small to medium-sized medical practices with their cyber safety and security requirements including the use of mobile devices to undertake clinical work.