Clinical photography is a valuable tool for physicians. Smartphones, as well as other devices supporting network connectivity, offer a convenient, efficient method to take and share images. However, due to the private nature of the information contained in clinical photographs there are concerns as to the appropriate storage, dissemination, and documentation of clinical images. Confidentiality of image data must be considered and the dissemination of these images onto servers must respect the privacy and rights of the patient. Importantly, patient information should be considered as any information deriving from a patient, and the concepts outlined therefore apply to any media that can be collected on, or transmitted with, a smart-device.
Clinical photography can aid in documenting form and function, in tracking conditions and wound healing, in planning surgical operations, and in clinical decision-making. Additionally, clinical photographs can provide physicians with a valuable tool for patient communication and education. Due to the convenience of this type of technology it is not appropriate to expect physicians to forego their use in providing their patients with the best care available.
The technology and software required for secure transfer, communication, and storage of clinical media is presently available, but many devices have non-secure storage/dissemination options enabled and lack user-control for permanently deleting digital files. In addition, data uploaded onto server systems commonly cross legal jurisdictions. Many physicians are not comfortable with the practice, citing security, privacy, and confidentiality concerns as well as uncertainty in regards to regional regulations governing this practice.1 Due to concern for patient privacy and confidentiality it is therefore incredibly important to limit the unsecure or undocumented acquisition or dissemination of clinical photographs.
To assess the current state of this topic, Heyns et al. have reviewed the accessibility and completeness of provincial and territorial medical regulatory college guidelines.2 Categories identified as vital and explored in this review included: Consent; Storage; Retention; Audit; Transmission; and Breach. While each regulatory body has addressed limited aspects of the overall issue, the authors found a general lack of available information and call for a unified document outlining pertinent instructions for conducting clinical photography using a smartphone and the electronic transmission of patient information.2
The discussion of this topic will need to be ongoing and it is important that physicians are aware of applicable regulations, both at the federal and provincial levels, and how these regulations may impact the use of personal devices. The best practices supported here aim to provide physicians and healthcare providers with an understanding of the scope and gravity of the current environment, as well as the information needed to ensure patient privacy and confidentiality is assessed and protected while physicians utilize accessible clinical photography to advance patient care. Importantly, this document only focusses on medical use (clinical, academic, and educational) of clinical photography and, while discussing many core concepts of patient privacy and confidentiality of information, should not be perceived as a complete or binding framework. Additionally, it is recommended that physicians understand the core competencies of clinical photography, which are not described here.
The Canadian Medical Association (CMA) suggests that the following recommendations be implemented, as thoroughly as possible, to best align with the CMA policy on the Principles for the Protection of Patient Privacy (CMA Policy PD2018-02). These key recommendations represent a non-exhaustive set of best practices - physicians should seek additional information as needed to gain a thorough understanding and to stay current in this rapidly changing field.
* Informed consent must be obtained, preferably prior, to photography with a mobile device. This applies for each and any such encounter and the purpose made clear (i.e. clinical, research, education, publication, etc.). Patients should also be made aware that they may request a copy of a picture or for a picture to be deleted.
* A patient's consent to use electronic transmission does not relieve a physician of their duty to protect the confidentiality of patient information. Also, a patient's consent cannot override other jurisdictionally mandated security requirements.
* All patient consents (including verbal) should be documented. The acquisition and recording of patient consent for medical photography/dissemination may be held to a high standard of accountability due to the patient privacy and confidentiality issues inherent in the use of this technology. Written and signed consent is encouraged.
* Consent should be considered as necessary for any and all photography involving a patient, whether or not that patient can be directly recognized, due to the possibility of linked information and the potential for breach of privacy. The definition of non-identifiable photos must be carefully considered. Current technologies such as face recognition and pattern matching (e.g. skin markers, physical structure, etc.), especially in combination with identifying information, have the potential to create a privacy breach.
* Unsecure text and email messaging requires explicit patient consent and should not be used unless the current gold standards of security are not accessible. For a patient-initiated unsecure transmission, consent should be clarified and not assumed.
* Transmission of photos and patient information should be encrypted as per current-day gold standards (presently, end-to-end encryption (E2EE)) and use only secure servers that are subject to Canadian laws. Explicit, informed consent is required otherwise due to privacy concerns or standards for servers in other jurisdictions. Generally, free internet-based communication services and public internet access are unsecure technologies and often operate on servers outside of Canadian jurisdiction.
* Efforts should be made to use the most secure transmission method possible. For data security purposes, identifying information should never be included in the image, any frame of a video, the file name, or linked messages.
* The sender should always ensure that each recipient is intended and appropriate and, if possible, receipt of transmission should be confirmed by the recipient.
* Storing images and data on a smart-device should be limited as much as possible for data protection purposes.
* Clinical photos, as well as messages or other patient-related information, should be completely segregated from the device's personal storage. This can be accomplished by using an app that creates a secure, password-protected folder on the device.
* All information stored (on internal memory or cloud) must be strongly encrypted and password protected. The security measures must be more substantial than the general password unlock feature on mobile devices.
* Efforts should be made to dissociate identifying information from images when images are exported from a secure server. Media should not be uploaded to platforms without an option for securely deleting information without consent from the patient, and only if there are no better options. Automatic back-up of photos to unsecure cloud servers should be deactivated. Further, other back-up or syncing options that could lead to unsecure server involvement should be ascertained and the risks mitigated.
4. Cloud storage should be on a Canadian and SOCII certified server. Explicit, informed consent is required otherwise due to privacy concerns for servers in other jurisdictions.
5. AUDIT & RETENTION
* It is important to create an audit trail for the purposes of transparency and medical best practice. Key information includes patient and health information, consent type and details, pertinent information regarding the photography (date, circumstance, photographer), and any other important facts such as access granted/deletion requests.
* Access to the stored information must be by the authorized physician or health care provider and for the intended purpose, as per the consent given. Records should be stored such that it is possible to print/transfer as necessary.
* Original photos should be retained and not overwritten.
* All photos and associated messages may be considered part of the patient's clinical records and should be maintained for at least 10 years or 10 years after the age of majority, whichever is longer. When possible, patient information (including photos and message histories between health professionals) should be retained and amalgamated with a patient's medical record. Provincial regulations regarding retention of clinical records may vary and other regulations may apply to other entities - e.g. 90 years from date of birth applies to records at the federal level.
* It may not be allowable to erase a picture if it is integral to a clinical decision or provincial, federal, or other applicable regulations require their retention.
* Any breach should be taken seriously and should be reviewed. All reasonable efforts must be made to prevent a breach before one occurs. A breach occurs when personal information, communication, or photos of patients are stolen, lost, or mistakenly disclosed. This includes loss or theft of one's mobile device, texting to the wrong number or emailing/messaging to the wrong person(s), or accidentally showing a clinical photo that exists in the phone's personal photo album.
* It should be noted that non-identifying information, when combined with other available information (e.g. a text message with identifiers or another image with identifiers), can lead to highly accurate re-identification.
* At present, apps downloaded to a smart-device for personal use may be capable of collecting and sharing information - the rapidly changing nature of this technology and the inherent privacy concerns requires regular attention. Use of specialized apps designed for health-information sharing that help safeguard patient information in this context is worth careful consideration.
* Having remote wipe (i.e. device reformatting) capabilities is an asset and can help contain a breach. However, inappropriate access may take place before reformatting occurs.
* If a smartphone is strongly encrypted and has no clinical photos stored locally then its loss may not be considered a breach.
* In the event of a breach any patient potentially involved must be notified as soon as possible. The CMPA, the organization/hospital, and the Provincial licensing College should also be contacted immediately. Provincial regulations regarding notification of breach may vary.
Approved by the CMA Board of Directors March 2018
i Heyns M†, Steve A‡, Dumestre DO‡, Fraulin FO‡, Yeung JK‡
† University of Calgary, Canada
‡ Section of Plastic Surgery, Department of Surgery, University of Calgary, Canada
1 Chan N, Charette J, Dumestre DO, Fraulin FO. Should 'smart phones' be used for patient photography? Plast Surg (Oakv). 2016;24(1):32-4.
2 Unpublished - Heyns M, Steve A, Dumestre DO, Fraulin FO, Yeung J. Canadian Guidelines on Smartphone Clinical Photography.
These Guidelines constitute an implementation tool of seven recommendations and are informed by Guidelines for CMA’s Activities and Relationships with Other Parties (aka CMA’s Corporate Relationships Policy) and CMA’s Advertising and Sponsorship Policy.
These Guidelines apply to the Canadian Medical Association (and not to its subsidiaries). As these are Guidelines, exceptions may be necessary from time to time wherein staff may use their discretion and judgment.
Endorsement is an umbrella term encompassing “policy endorsement”, “sponsorship1” and “branding”.
Policy endorsement includes:
(a) CMA considering upon request, non-pecuniary public approval, which may include the use of
CMA’s name and/or logo, of an organization’s written policy, on an issue that aligns with CMA policy, where there is no immediate expectation of return; or,
(b) CMA adopting the policy of another organization as our policy; or
(c) CMA asking another organization to publicly support our policy.
(a) Criteria: For policy endorsement requests from another organization to endorse their policy2 the following criteria shall be applied:
i) we have a policy on the subject-matter and
ii) we are actively working on advancing that policy position and
iii) the organization has a follow-up action plan associated with its request.
(b) Approval: Where policy exists, approval requires a policy staff member (with portfolio responsibility) and the VP of Medical Professionalism, or the policy staff member (with portfolio responsibility) and the Chief Policy Advisor. Where no policy exists, approval of the Board of Directors is required.
(c) Annual confirmation: Where CMA adopts the policy of another organization3, CMA staff shall confirm annually, or more frequently if circumstances dictate, that the policy has not been altered by the other organization.
(d) Requests: Pursuit of personal endorsement requests are not appropriate. Wherever possible, requests should come from an organization and not an individual.
(a) Where CMA adopts the policy of another organization, the adopted policy shall become CMA policy, and will include a notation on the document as being an adopted policy of [organization].
(b) All adopted policies will be housed in an accessible searchable database.
(c) All requests by organizations for CMA to endorse their policy will be tracked in a central location, along with any response.
1 Sponsorship means, to consider upon request, pecuniary public approval, which may include the use of CMA’s name and/or logo, of an organization’s event (eg., conference), on an issue that is supported by CMA policy or that promotes CMA brand awareness, where there is an immediate expectation of return.
2 That is, part (a) of the definition in Section 2.
3 That is, part (b) of the definition in Section 2.
Health and safety in the workplace continue to be areas of concern to the CMA. The CMA recommends that educational programs on the risks of drug-related impairment to health and safety in the workplace be directed toward labour, management and the public in general. Occupations for which impairment resulting from drug use may constitute a serious hazard should be identified and designated as such. The association recommends that supervisors be trained to refer a worker in a safety-sensitive job for a health assessment if the supervisor has reasonable grounds to suspect impairment of the worker. Workers holding safety-sensitive jobs should be educated to report any departure from their usual state of health as well as any drugs (prescribed or otherwise) being taken to the occupational health physician or, in the absence of such, to the physician of the worker's choice. The CMA is opposed to routine pre-employment drug testing. It recommends that random drug testing among employees be restricted to safety-sensitive positions and undertaken only when measures of performance and effective peer or supervisory observation are unavailable. Drug testing should always be conducted in such a way as to protect confidentiality and should be undertaken with the subject's informed consent (except when otherwise required by law).
The idea of drug testing among workers has developed from society's concern over the relation between drug use and impairment, with resultant risks to the worker, fellow workers and the public.
Education: Since prevention is the principal and ultimate objective the association recommends that educational programs on the risks of impairment to health and safety in the workplace be directed toward labour, management and the public in general.
Illicit drugs are not the only ones that may cause impairment. Certain prescription drugs and even some over-the-counter medications may affect a person's ability to carry out professional functions safely; such effects may vary considerably from one person to another.
Alcohol is by far the most common impairing drug implicated in accidents; in addition, the scientific literature contains a growing body of information on impairment and dangers resulting from the use and misuse of various therapeutic medications. Far less is documented or known about the role of illicit drugs in work-related accidents.
Safety-sensitive occupations: In most workplaces there are occupations for which impairment may constitute a serious hazard. Such occupations should be identified and designated as such. Workers who hold such safety-sensitive jobs must accept the fact that other workers and the public need to be protected from the hazards of impairment, whether from physical or psychologic ill health or from the use of drugs (over-the-counter, prescription or illicit).
Performance assessment of safety-sensitive occupations: The CMA recommends that supervisors be trained to refer a worker in a safety-sensitive job for a health assessment if the supervisor has reasonable grounds (e.g., unsatisfactory performance or observed unusual behaviour) to suspect impairment of the worker. The examining physician may recommend that some tests (including tests for the presence of certain drugs) be carried out under pre-agreed protocols. Workers holding safety-sensitive jobs must be educated to report any departure from their usual state of health as well as any drugs (prescribed or otherwise) they may be taking to the occupational health physician or, in the absence of such, to the physician of the worker's choice.
Testing: Any discussion of drug testing must take the following into account:
If a quantitative test is to be used to determine impairment a limit must be established beyond which a person is deemed to be impaired. However, since the threshold of impairment varies from one person to another this variation should be taken into account when a worker is being assessed.
The tests must be valid and reliable. They must be performed only in laboratories accredited for drug testing.
The tests must provide results rapidly enough to be useful in deciding whether the person should continue to work.
If different testing procedures are available and the differences between the validity and reliability are not significant the least intrusive alternative should be chosen.
The test should be conducted in such a way as to ensure confidentiality and should be undertaken with the subject's informed consent (except when otherwise required by law).
Pre-employment testing: The CMA opposes routine pre-employment drug testing for the following reasons:
Routine pre-employment drug screening may not objectively identify those people who constitute a risk to society.
The mass, low-cost screening tests may not be reliable or valid.
The circumstances may not justify possible human rights violations.
Random testing: The CMA believes that random drug testing among employees has a limited role, if any, in the workplace. Such testing should be restricted to employees in safety-sensitive positions and undertaken only when measures of performance and effective peer or supervisory observation are unavailable.
Role of occupational health services: Occupational health physicians must not be involved in a policing or disciplinary role with respect to employee testing.
CMA recommends that employers provide a safe environment for all workers. With the help of experts such as those from national and provincial agencies dedicated to dealing with substance abuse occupational health departments should develop lists of drugs known to cause short-term or long-term impairment, including alcohol. These lists should be posted prominently in the workplace, and workers should be advised that in the event of obvious impairment those involved in safety-sensitive occupations will be asked to undergo medical assessment. If testing for drugs is indicated refusal to submit to testing may result in a presumption of noncompliance with the health requirements of the job.
Alcohol impairment should not be tolerated, and legislation should be considered that would set a legal blood alcohol level for safety-sensitive occupations. Breathalyzers or other detection methods could be used if alcohol impairment is suspected in a person holding safety-sensitive occupation. As stated previously, refusal to submit to testing may result in a presumption of noncompliance with the health requirements of the job.
These measures should be discussed with labour and management. Labour should be expected to recognize drug-related impairment as a serious health and safety issue, and management should demonstrate its concern by ensuring access to treatment, prevention and educational programs such as employee assistance programs.
Like all scientific and medical procedures, assisted human reproduction has the potential for both benefit and harm. It is in the interests of individual Canadians and Canadian society in general that these practices be regulated so as to maximize their benefits and minimize their harms. To help achieve this goal, the Canadian Medical Association (CMA) has developed this policy on regulating these practices. It replaces previous CMA policy on assisted reproduction.
The objectives of any Canadian regulatory regime for assisted reproduction should include the following:
(a) to protect the health and safety of Canadians in the use of human reproductive materials for assisted reproduction, other medical procedures and medical research;
(b) to ensure the appropriate treatment of human reproductive materials outside the body in recognition of their potential to form human life; and
(c) to protect the dignity of all persons, in particular children and women, in relation to uses of human reproductive materials.
When a Canadian regulatory regime for assisted reproduction is developed, it should incorporate the following principles:
For the regulation of assisted reproduction, existing organizations such as medical licensing authorities, accreditation bodies and specialist societies should be involved to the greatest extent possible.
If the legislation establishing the regulatory regime is to include prohibitions as well as regulation, the prohibition of specific medical and scientific acts must be justified on explicit scientific and/or ethical grounds.
If criminal sanctions are to be invoked, they should apply only in cases of deliberate contravention of the directives of the regulatory agency and not to specific medical and scientific acts.
Whatever regulatory agency is created should include significant membership of scientists and clinicians working in the area of assisted reproduction.
Elements of a Regulatory Regime
The regulation of assisted reproduction in Canada should include the following elements:
Legislation to create a national regulatory body with appropriate responsibilities and accountability for coordinating the activities of organizations that are working in the area of assisted reproduction and for carrying out functions that other organizations cannot perform.
The development and monitoring of national standards for research related to human subjects including genetics and reproduction. The regulatory body would work closely with the Canadian Institutes of Health Research, other federal and provincial research granting councils, the National Council on Ethics in Human Research and other such organizations.
The development and monitoring of national standards for training and certifying physicians in those reproductive technologies deemed acceptable. As is the case for all post-graduate medical training in Canada, this is appropriately done through bodies such as the Royal College of Physicians and Surgeons of Canada and the College of Family Physicians of Canada.
The licensing and monitoring of individual physicians. This task is the responsibility of the provincial and territorial medical licensing authorities which could regulate physician behaviour in respect to the reproductive technologies, just as they do for other areas of medical practice.
The development of guidelines for medical procedures. This should be done by medical specialty societies such as the Society of Obstetricians and Gynaecologists of Canada (SOGC) and the Canadian Fertility and Andrology Society (CFAS).
The accreditation of facilities where assisted reproduction is practised. There is already in Canada a well functioning accreditation system, run by the Canadian Council on Health Services Accreditation, which may be suitable for assisted reproduction facitilies.
Whatever regulatory body is established to deal with assisted reproduction should utilize, not duplicate, the work of these organizations. In order to maximize the effectiveness of these organizations, the regulatory body could provide them with additional resources and delegated powers.
The CMA is opposed to the criminalization of scientific and medical procedures. Criminalization represents an unjustified intrusion of government into the patient-physician relationship. Previous attempts to criminalize medical procedures (for example, abortion) were ultimately self-defeating. If the federal government wishes to use its criminal law power to regulate assisted reproduction, criminal sanctions should apply only in cases of deliberate contravention of the directives of the regulatory agency and not to specific medical and scientific acts.
Guidelines for CMA’s Activities and Relationships with Other Parties
As the national voice of medicine in Canada, the CMA provides leadership for physicians, promotes the highest standards of health and health care for Canadians and acts as advocate for all Canadian physicians. In the furtherance of its purpose, the CMA conducts a variety of activities and has a variety of relationships with other parties. The CMA’s activities range from policy development to the delivery of products and services to physicians and the public. Its relationships with other parties range from the purchase of goods and services that support operations to partnerships that further or are consistent with its advocacy strategies.
The CMA actively seeks out relationships with others in recognition of the benefits these bring in the attainment of the CMA’s purposes. Such benefits may include:
- unifying the profession through relations with physician groups, including the divisions and affiliates
- enabling a stronger advocacy voice in association with others
- enhancing the CMA’s credibility with other parties
- providing financial and human resources to support CMA activities
- providing skills and capabilities that CMA may not possess
- providing additional membership services.
Activities or relationships with other parties and products and services produced through the activity or relationship (“activities or relationships”) that undermine the CMA’s reputation of professionalism, independence and quality are to be avoided, not only for their own sake but also because a diminishment of the CMA’s reputation impedes its ability to achieve its purposes.
The following principles have been developed to help guide decisions about the kinds of activities CMA undertakes and about its relations with other parties, with the objective of ensuring the integrity and good reputation of the CMA. A process or processes will be developed to implement the principles, which will include the preparation of subdocuments on applying the principles to specific areas; for example, sponsorship, endorsement and coalitions.
The CMA should rigorously and actively pursue its laudable ends and seek out relationships with others to attain them with the caveat that activities or relationships that would tarnish the integrity or reputation of CMA or the medical profession or that would diminish the trust placed in them should be avoided.
Conformity with CMA’s purpose
The activity or relationship should further or support the CMA’s purposes as elaborated in its objects, vision and mission.
The CMA’s purposes have been explicitly and widely agreed upon.
The CMA holds itself to be, and encourages reliance that it is, an organization that pursues its specified purposes.
Activities and relationships that do not further or support the CMA’s purposes have the potential to thwart these purposes in a number of ways, including inadequate accountability, inappropriate use of resources, unconstrained exercise of merely private judgement or inappropriate self-interest.
2. Medical professionalism and ethics
The activity or relationship should be consistent with medical professionalism and with CMA’s Code of Ethics.
The CMA is an association of physicians.
When the CMA acts, it represents the medical profession.
The CMA’s actions reflect upon the medical profession.
The CMA’s stature and reputation are inextricably linked to the medical profession’s work, the professional stature of its member physicians and the trust Canadians place in their physicians.
Engaging in activities or relationships that are inconsistent with medical professionalism and CMA’s Code of Ethics would erode trust in the CMA.
The activity or relationship should not undermine the CMA’s independence.
To be a credible voice and influence and to be worthy of the trust and confidence of physicians and of the public, the CMA should be, and be seen to be, free of undue influence and in control of the decisions it makes.
Undue influence occurs when one is induced to do or not do something that is contrary to what one would otherwise do if left to act freely. Undue influence deprives one of free agency and destroys free will such that it is rendered more the will of another than of one’s own.
Activities and relationships that may undermine independence include:
activities or relationships that provide revenue or benefit to the CMA such that ongoing dependency on the revenue or benefit impedes independence
activities and relationships that create a product or service that is seen to be associated with the CMA but over which the CMA does not have final control or veto or the capacity to extricate itself
Consistency with policy
The activity or relationship should be consistent with CMA policy.
The CMA develops policy in pursuance of its purposes; these should be referred to when making decisions in connection with activities or relationships.
Conflicting goals and activities
Relationships with parties whose goals or activities directly conflict with the CMA’s objects, mission or vision should be avoided.
This does not preclude discussion with others or participation in events for the purposes of obtaining information, monitoring or lobbying.
The terms and conditions of the activity or relationship should be transparent.
Transparency promotes an openness to scrutiny and serves to enhance accountability and to discourage relationships or activities that could be considered problematic.
The principle is generally applicable except in connection to matters related to competitive advantage, trade secret or a reasonable agreement of confidentiality.
Compliance and accountability
Processes must be in place to ensure that proposed and ongoing activities or relationships are appropriately reviewed for compliance with and clear accountability for these principles.
These include the activities of the secretariat and the corporate subsidiaries.