Clinical photography is a valuable tool for physicians. Smartphones, as well as other devices supporting network connectivity, offer a convenient, efficient method to take and share images. However, due to the private nature of the information contained in clinical photographs there are concerns as to the appropriate storage, dissemination, and documentation of clinical images. Confidentiality of image data must be considered and the dissemination of these images onto servers must respect the privacy and rights of the patient. Importantly, patient information should be considered as any information deriving from a patient, and the concepts outlined therefore apply to any media that can be collected on, or transmitted with, a smart-device.
Clinical photography can aid in documenting form and function, in tracking conditions and wound healing, in planning surgical operations, and in clinical decision-making. Additionally, clinical photographs can provide physicians with a valuable tool for patient communication and education. Due to the convenience of this type of technology it is not appropriate to expect physicians to forgo its use in providing their patients with the best care available.
The technology and software required for secure transfer, communication, and storage of clinical media are presently available, but many devices have non-secure storage/dissemination options enabled and lack user-control for permanently deleting digital files. In addition, data uploaded onto server systems commonly cross legal jurisdictions. Many physicians are not comfortable with the practice, citing security, privacy, and confidentiality concerns as well as uncertainty with regard to regional regulations governing this practice.1 Due to concern for patient privacy and confidentiality it is therefore incredibly important to limit the unsecure or undocumented acquisition or dissemination of clinical photographs.
To assess the current state of this topic, Heyns et al. have reviewed the accessibility and completeness of provincial and territorial medical regulatory college guidelines.2 Categories identified as vital and explored in this review included: Consent; Storage; Retention; Audit; Transmission; and Breach. While each regulatory body has addressed limited aspects of the overall issue, the authors found a general lack of available information and call for a unified document outlining pertinent instructions for conducting clinical photography using a smartphone and the electronic transmission of patient information.2
The discussion of this topic will need to be ongoing and it is important that physicians are aware of applicable regulations, both at the federal and provincial levels, and how these regulations may impact the use of personal devices. The best practices supported here aim to provide physicians and healthcare providers with an understanding of the scope and gravity of the current environment, as well as the information needed to ensure patient privacy and confidentiality is assessed and protected while physicians utilize accessible clinical photography to advance patient care. Importantly, this document only focusses on medical use (clinical, academic, and educational) of clinical photography and, while discussing many core concepts of patient privacy and confidentiality of information, should not be perceived as a complete or binding framework. Additionally, it is recommended that physicians understand the core competencies of clinical photography, which are not described here.
The Canadian Medical Association (CMA) suggests that the following recommendations be implemented, as thoroughly as possible, to best align with the CMA policy on the Principles for the Protection of Patient Privacy (CMA Policy PD2018-02). These key recommendations represent a non-exhaustive set of best practices - physicians should seek additional information as needed to gain a thorough understanding and to stay current in this rapidly changing field.
* Informed consent must be obtained, preferably prior to photography with a mobile device. This applies to each and any such encounter, and the purpose must be made clear (i.e. clinical, research, education, publication, etc.). Patients should also be made aware that they may request a copy of a picture or for a picture to be deleted.
* A patient's consent to use electronic transmission does not relieve a physician of their duty to protect the confidentiality of patient information. Also, a patient's consent cannot override other jurisdictionally mandated security requirements.
* All patient consents (including verbal) should be documented. The acquisition and recording of patient consent for medical photography/dissemination may be held to a high standard of accountability due to the patient privacy and confidentiality issues inherent in the use of this technology. Written and signed consent is encouraged.
* Consent should be considered as necessary for any and all photography involving a patient, whether or not that patient can be directly recognized, due to the possibility of linked information and the potential for breach of privacy. The definition of non-identifiable photos must be carefully considered. Current technologies such as face recognition and pattern matching (e.g. skin markers, physical structure, etc.), especially in combination with identifying information, have the potential to create a privacy breach.
* Unsecure text and email messaging requires explicit patient consent and should not be used unless the current gold standards of security are not accessible. For a patient-initiated unsecure transmission, consent should be clarified and not assumed.
* Transmission of photos and patient information should be encrypted as per current-day gold standards (presently, end-to-end encryption (E2EE)) and use only secure servers that are subject to Canadian laws. Explicit, informed consent is required otherwise due to privacy concerns or standards for servers in other jurisdictions. Generally, free internet-based communication services and public internet access are unsecure technologies and often operate on servers outside of Canadian jurisdiction.
* Efforts should be made to use the most secure transmission method possible. For data security purposes, identifying information should never be included in the image, any frame of a video, the file name, or linked messages.
* The sender should always ensure that each recipient is intended and appropriate and, if possible, receipt of transmission should be confirmed by the recipient.
* Storing images and data on a smart-device should be limited as much as possible for data protection purposes.
* Clinical photos, as well as messages or other patient-related information, should be completely segregated from the device's personal storage. This can be accomplished by using an app that creates a secure, password-protected folder on the device.
* All information stored (on internal memory or cloud) must be strongly encrypted and password protected. The security measures must be more substantial than the general password unlock feature on mobile devices.
* Efforts should be made to dissociate identifying information from images when images are exported from a secure server. Media should not be uploaded to platforms that lack an option for securely deleting information unless the patient consents, and then only if there are no better options. Automatic back-up of photos to unsecure cloud servers should be deactivated. Further, other back-up or syncing options that could lead to unsecure server involvement should be ascertained and the risks mitigated.
4. Cloud storage should be on a Canadian and SOC II certified server. Explicit, informed consent is required otherwise due to privacy concerns for servers in other jurisdictions.
5. AUDIT & RETENTION
* It is important to create an audit trail for the purposes of transparency and medical best practice. Key information includes patient and health information, consent type and details, pertinent information regarding the photography (date, circumstance, photographer), and any other important facts such as access granted/deletion requests.
* Access to the stored information must be by the authorized physician or health care provider and for the intended purpose, as per the consent given. Records should be stored such that it is possible to print/transfer as necessary.
* Original photos should be retained and not overwritten.
* All photos and associated messages may be considered part of the patient's clinical records and should be maintained for at least 10 years or 10 years after the age of majority, whichever is longer. When possible, patient information (including photos and message histories between health professionals) should be retained and amalgamated with a patient's medical record. Provincial regulations regarding retention of clinical records may vary and other regulations may apply to other entities - e.g. 90 years from date of birth applies to records at the federal level.
* It may not be allowable to erase a picture if it is integral to a clinical decision or if provincial, federal, or other applicable regulations require its retention.
* Any breach should be taken seriously and should be reviewed. All reasonable efforts must be made to prevent a breach before one occurs. A breach occurs when personal information, communication, or photos of patients are stolen, lost, or mistakenly disclosed. This includes loss or theft of one's mobile device, texting to the wrong number or emailing/messaging to the wrong person(s), or accidentally showing a clinical photo that exists in the phone's personal photo album.
* It should be noted that non-identifying information, when combined with other available information (e.g. a text message with identifiers or another image with identifiers), can lead to highly accurate re-identification.
* At present, apps downloaded to a smart-device for personal use may be capable of collecting and sharing information - the rapidly changing nature of this technology and the inherent privacy concerns require regular attention. Use of specialized apps designed for health-information sharing that help safeguard patient information in this context is worth careful consideration.
* Having remote wipe (i.e. device reformatting) capabilities is an asset and can help contain a breach. However, inappropriate access may take place before reformatting occurs.
* If a smartphone is strongly encrypted and has no clinical photos stored locally then its loss may not be considered a breach.
* In the event of a breach any patient potentially involved must be notified as soon as possible. The CMPA, the organization/hospital, and the Provincial licensing College should also be contacted immediately. Provincial regulations regarding notification of breach may vary.
Approved by the CMA Board of Directors March 2018
i Heyns M†, Steve A‡, Dumestre DO‡, Fraulin FO‡, Yeung JK‡
† University of Calgary, Canada
‡ Section of Plastic Surgery, Department of Surgery, University of Calgary, Canada
1 Chan N, Charette J, Dumestre DO, Fraulin FO. Should 'smart phones' be used for patient photography? Plast Surg (Oakv). 2016;24(1):32-4.
2 Unpublished - Heyns M, Steve A, Dumestre DO, Fraulin FO, Yeung J. Canadian Guidelines on Smartphone Clinical Photography.
Inherent in all health care professional Codes of Ethics is the duty to provide care to patients and to relieve suffering whenever possible. However, this duty does not exist in a vacuum, and depends on the provision of goods and services referred to as reciprocal obligations, which must be provided by governments, health care institutions and other relevant bodies and agencies. The obligation of government and society to physicians can be seen as comparable to the obligations of physicians to their patients.
The recent experience of Canadian physicians during the SARS epidemic in Toronto has heightened the sensitivities of the medical profession to several issues that arose during the course of dealing with that illness. Many of the lessons learned (and the unanswered questions that arose) also apply to the looming threat of an avian flu (or other) pandemic. Canadian physicians may be in a relatively unique position to consider these issues given their experience and insight.
The intent of this working paper is to highlight the ethical issues of greatest concern to practicing Canadian physicians which must be considered during a pandemic. In order to address these issues before they arise, the CMA presents this paper for consideration by individual physicians, physician organizations, governments, policy makers and interested bodies and stakeholders. Although many of the principles and concepts could readily be applied to other health care workers, the focus of this paper will be on physicians.
Policies regarding physicians in training, including medical students and residents, should be clarified in advance by the relevant bodies involved in their oversight and training. Issues of concern would include the responsibilities of trainees to provide care during a pandemic and the potential effect of such an outbreak on their education and training.
A. Physician obligations during a pandemic
The professional obligations of physicians are well spelled out in the CMA Code of Ethics and other documents and publications and are not the main focus of this paper. However, they will be reviewed and discussed as follows.
Several important principles of medical ethics will be of particular relevance in considering this issue. Physicians have an obligation to be beneficent to their patients and to consider what is in the patient's best interest. According to the first paragraph of the CMA Code of Ethics (2004), "Consider first the well-being of the patient".
Traditionally, physicians have also respected the principle of altruism, whereby they set aside concern for their own health and well-being in order to serve their patients. While this has often manifested itself primarily as long hours away from home and family, and a benign neglect of personal health issues, at times more drastic sacrifices have been required. During previous pandemics, many physicians have served selflessly in the public interest, often at great risk to their own well-being.
The principle of justice requires physicians to consider what is owed to whom and why, including what resources are needed, and how these resources would best be employed during a pandemic. These resources might include physician services but could also include access to vaccines and medications, as well as access to equipment such as ventilators or to a bed in the intensive care unit. According to paragraph 43 of the CMA Code of Ethics, physicians have an obligation to "Recognize the responsibility of physicians to promote equitable access to health care resources".
In addition, physicians can reasonably be expected to participate in the process of planning for a pandemic or other medical disaster. According to paragraph 42 of the CMA Code of Ethics, physicians should "Recognize the profession's responsibility to society in matters relating to public health, health education, environmental protection, legislation affecting the health and well-being of the community and the need for testimony at judicial proceedings". This responsibility could reasonably be seen to apply both to individual physicians as well as the various bodies and organizations that represent them.
Physicians also have an ethical obligation to recognize their limitations and the extent of the services they are able to provide. During a pandemic, physicians may be asked to assume roles or responsibilities with which they are not comfortable, nor prepared. Paragraph 15 of the CMA Code of Ethics reminds physicians to "Recognize your limitations and, when indicated, recommend or seek additional opinions or services".
However, physicians have moral rights as well as obligations. The concept of personal autonomy allows physicians some discretion in determining where, how and when they will practice medicine. They also have an obligation to safeguard their own health. As stated in paragraph 10 of the CMA Code of Ethics, physicians should "Promote and maintain your own health and well-being".
The SARS epidemic has served to reopen the ethical debate. Health care practitioners have been forced to reconsider their obligations during a pandemic, including whether they must provide care to all those in need regardless of the level of personal risk. As well, they have been re-examining the obligation of governments and others to provide reciprocal services to physicians, and the relationship between these obligations.
B. Reciprocal obligations towards physicians
While there has been much debate historically (and especially more recently) about the ethical obligations of physicians towards their patients and society in general, the consideration of reciprocal obligations towards physicians is a relatively recent phenomenon.
During the SARS epidemic, a large number of Canadian physicians unselfishly volunteered to assist their colleagues in trying to bring the epidemic under control. They did so, in many cases, in spite of significant personal risk, and with very little information about the nature of the illness, particularly early in the course of the outbreak. Retrospective analysis has cast significant doubt and concern on the amount of support and assistance provided to physicians during the crisis. Communication and infrastructure support was poor at best. Equipment was often lacking and not always up to standard when it was available. Psychological support and counselling was not readily available at the point of care, nor was financial compensation for those who missed work due to illness or quarantine. Although the Ontario government did provide retrospective compensation for many physicians whose practices were affected by the outbreak, the issue was addressed late, and not at all in some cases.
It is clear that Canadian physicians have learned greatly from this experience. The likelihood of individuals again volunteering "blindly" has been reduced to the point where it may never happen again. There are expectations that certain conditions and obligations will be met in order to optimize patient care and outcomes and to protect health care workers and their families.
Because physicians and other health care providers will be expected to put themselves directly in harm's way, and to bear a disproportionate burden of the personal hardships associated with a pandemic, the argument has been made that society has a reciprocal obligation to support and compensate these individuals.
According to the University of Toronto Joint Centre for Bioethics report We stand on guard for thee, "(The substantive value of) reciprocity requires that society support those who face a disproportionate burden in protecting the public good, and take steps to minimize burdens as much as possible. Measures to protect the public good are likely to impose a disproportionate burden on health care workers, patients and their families."
Therefore, in order to provide adequate care for patients, the reciprocal obligation to physicians requires providing some or all of the following:
Prior to a pandemic
- Physicians and the organizations that represent them should be more involved in planning and decision making at the local, national and international levels. In turn, physicians and the organizations that represent them have an obligation to participate as well.
- Physicians should be made aware of a clear plan for resource utilization, including:
  - how physicians will be relieved of duties after a certain time;
  - clearly defined roles and expectations, especially for those practicing outside of their area of expertise;
  - vaccination/treatment plans - will physicians (and their families) have preferential access based on the need to keep caregivers healthy and on the job;
  - triage plans, including how the triage model might be altered and plans to inform the public of such.
- Physicians should have access to the best equipment needed and should be able to undergo extra training in its use if required.
- Politicians and leaders should provide reassurances that satisfy physicians that they will not be "conscripted" by legislation.
During a pandemic
- Physicians should have access to up-to-date, real time information.
- Physicians should be kept informed about developments in Canada and globally.
- Communication channels should be opened with other countries (e.g. Canada should participate in WHO initiatives to identify the threats before they arrive on our doorstep).
- Resources should be provided for backup and relief of physicians and health care workers.
- Arrangements should be made for timely provision of necessary equipment in an ongoing fashion.
- Physicians should be compensated for lost clinical earnings and to cover expenses such as lost wages, lost group earnings, overhead, medical care, medications, rehabilitative therapy and other relevant expenses in case of quarantine, clinic cancellations or illness (recognizing that determining exactly when or where an infection was acquired may be difficult).
- Families should receive financial compensation in the case of a physician family member who dies as a result of providing care during a pandemic.
- In the event that physicians may be called upon in a pandemic to practice outside of their area of expertise or outside their jurisdiction, they should contact their professional liability protection provider for information on their eligibility for protection in these circumstances.
- Interprovincial or national licensing programs should be developed to provide physicians with back-up and relief and ensure experts can move from place to place in a timely fashion without undue burden.
- Psychological and emotional counselling and support should be provided in a timely fashion for physicians, their staff and family members.
- Accommodation (i.e. a place to stay) should be provided for physicians who have to travel to another locale to provide care; or who don't want to go home and put their family at risk, when this is applicable, i.e. the epidemiology of the infectious disease causing the pandemic indicates substantially greater risk of acquiring infection in the health care setting than in the community.
- Billing and compensation arrangements should ensure physicians are properly compensated for the services they are providing, including those who may not have an active billing number in the province where the services are being provided.
After a pandemic
- Physicians should receive assistance in restarting their practice (replacing staff, restocking overhead, communicating with patients, and any other costs related to restarting the practice).
- Physicians should receive ongoing psychological support and counselling as required.
C. How are physician obligations and reciprocal obligations related?
Beyond a simple statement of the various obligations, it is clear that there must be some link between these different obligations. This is particularly important since there is now some time to plan for the next pandemic and to ensure that reciprocal obligations can be met prior to its onset. Physicians have always provided care in emergency situations without questioning what they are owed. According to paragraph 18 of the CMA Code of Ethics, physicians should "Provide whatever appropriate assistance you can to any person with an urgent need for medical care".
However, in situations where obligations can be anticipated and met in advance, it is reasonable to expect that they will be addressed. Whereas a physician who encounters an emergency situation at the site of a car crash will act without concern for personal gain or motivation, a physician caring for the same patient in an emergency department will rightly expect the availability of proper equipment and personnel.
In order to ensure proper patient care and physician safety, and to ensure physicians are able to meet their professional obligations and standards, the reciprocal obligations outlined above should be addressed by the appropriate body or organization.
If patient and physician well-being is not optimized by clarifying the obligations of physicians and society prior to the next pandemic, in spite of available time and resources necessary to do so, there are many who would call into question the ethical duty of physicians to provide care. However, the CMA believes that, in the very best and most honourable traditions of the medical profession, its members will provide care and compassion to those in need. We call on governments and society to assist us in optimizing this care for all Canadians.
These Guidelines constitute an implementation tool of seven recommendations and are informed by Guidelines for CMA’s Activities and Relationships with Other Parties (aka CMA’s Corporate Relationships Policy) and CMA’s Advertising and Sponsorship Policy.
These Guidelines apply to the Canadian Medical Association (and not to its subsidiaries). As these are Guidelines, exceptions may be necessary from time to time wherein staff may use their discretion and judgment.
Endorsement is an umbrella term encompassing “policy endorsement”, “sponsorship1” and “branding”.
Policy endorsement includes:
(a) CMA considering upon request, non-pecuniary public approval, which may include the use of CMA’s name and/or logo, of an organization’s written policy, on an issue that aligns with CMA policy, where there is no immediate expectation of return; or,
(b) CMA adopting the policy of another organization as our policy; or
(c) CMA asking another organization to publicly support our policy.
(a) Criteria: For policy endorsement requests from another organization to endorse their policy2 the following criteria shall be applied:
i) we have a policy on the subject-matter and
ii) we are actively working on advancing that policy position and
iii) the organization has a follow-up action plan associated with its request.
(b) Approval: Where policy exists, approval requires a policy staff member (with portfolio responsibility) and the VP of Medical Professionalism, or the policy staff member (with portfolio responsibility) and the Chief Policy Advisor. Where no policy exists, approval of the Board of Directors is required.
(c) Annual confirmation: Where CMA adopts the policy of another organization3, CMA staff shall confirm annually, or more frequently if circumstances dictate, that the policy has not been altered by the other organization.
(d) Requests: Pursuit of personal endorsement requests is not appropriate. Wherever possible, requests should come from an organization and not an individual.
(a) Where CMA adopts the policy of another organization, the adopted policy shall become CMA policy, and will include a notation on the document as being an adopted policy of [organization].
(b) All adopted policies will be housed in an accessible searchable database.
(c) All requests by organizations for CMA to endorse their policy will be tracked in a central location, along with any response.
1 Sponsorship means, to consider upon request, pecuniary public approval, which may include the use of CMA’s name and/or logo, of an organization’s event (e.g., conference), on an issue that is supported by CMA policy or that promotes CMA brand awareness, where there is an immediate expectation of return.
2 That is, part (a) of the definition in Section 2.
3 That is, part (b) of the definition in Section 2.
Principles concerning physician information (CMA policy – approved June 2002)
In an environment in which the capacity to capture, link and transmit information is growing and the need for fuller accountability is being created, the demand for physician information, and the number of people and organizations seeking to collect it, is increasing.
Physician information, that is, information that includes personal health information about and information that relates or may relate to the professional activity of an identifiable physician or group of physicians, is valuable for a variety of purposes. The legitimacy and importance of these purposes vary a great deal, and therefore the rationale and rules related to the collection, use, access and disclosure of physician information also vary. The Canadian Medical Association (CMA) developed this policy to provide guiding principles to those who collect, use, have access to or disclose physician information. Such people are termed “custodians,” and they should be held publicly accountable. These principles complement and act in concert with the CMA Health Information Privacy Code (1), which holds patient health information sacrosanct.
Physicians have legitimate interests in what information about them is collected, on what authority, by whom and for what purposes it is collected, and what safeguards and controls are in place. These interests include privacy and the right to exercise some control over the information; protection from the possibility that information will cause unwarranted harm, either at the individual or the group level; and assurance that interpretation of the information is accurate and unbiased. These legitimate interests extend to information about physicians that has been rendered in non-identifiable or aggregate format (e.g., to protect against the possibility of individual physicians being identified or of physician groups being unjustly stigmatized). Information in these formats, however, may be less sensitive than information from which an individual physician can be readily identified and, therefore, may warrant less protection.
The purposes for the use of physician information may be more or less compelling. One compelling use is related to the fact that physicians, as members of a self-regulating profession, are professionally accountable to their patients, their profession and society. Physicians support this professional accountability purpose through the legislated mandate of their regulatory colleges. Physicians also recognize the importance of peer review in the context of professional development and maintenance of competence.
The CMA supports the collection, use, access and disclosure of physician information subject to the conditions outlined below.
1. Purpose(s): The purpose(s) for the collection of physician information, and any other purpose(s) for which physician information may be subsequently used, accessed or disclosed, should be precisely specified at or before the collection. There should be a reasonable expectation that the information will achieve the stated purpose(s). The policy does not prevent the use of information for purposes that were not intended and not reasonably anticipated if principles 3 and 4 of this policy are met.
2. Consent: As a rule, information should be collected directly from the physician. Subject to principle 4, consent should be sought from the physician for the collection, use, access or disclosure of physician information. The physician should be informed about all intended and anticipated uses, accesses or disclosures of the information.
3. Conditions for collection, use, access and disclosure: The information should:
  - be limited to the minimum necessary to carry out the stated purpose(s),
  - be in the least intrusive format required for the stated purpose(s), and
  - its collection, use, access and disclosure should not infringe on the physician’s duty of confidentiality with respect to that information.
4. Use of information without consent: There may be justification for the collection, use, access or disclosure of physician information without the physician’s consent if, in addition to the conditions in principle 3 being met, the custodian publicly demonstrates with respect to the purpose(s), generically construed, that:
  - the stated purpose(s) could not be met or would be seriously compromised if consent were required,
  - the stated purpose(s) is(are) of sufficient importance that the public interest outweighs to a substantial degree the physician’s right to privacy and right of consent in a free and democratic society, and
  - that the collection, use, access or disclosure of physician information with respect to the stated purpose(s) always ensures justice and fairness to the physician by being consistent with principle 6 of this policy.
5. Physician’s access to his or her own information: Physicians have a right to view and ensure, in a timely manner, the accuracy of the information collected about them. This principle does not apply if there is reason to believe that the disclosure to the physician will cause substantial adverse effect to others. The onus is on the custodian to justify a denial of access.
6. Information quality and interpretation: Custodians must take reasonable steps to ensure that the information they collect, use, gain access to or disclose is accurate, complete and correct. Custodians must use valid and reliable collection methods and, as appropriate, involve physicians to interpret the information; these physicians must have practice characteristics and credentials similar to those of the physician whose information is being interpreted.
7. Security: Physical and human safeguards must exist to ensure the integrity and reliability of physician information and to protect against unauthorized collection, use, access or disclosure of physician information.
8. Retention and destruction: Physician information should be retained only for the length of time necessary to fulfill the specified purpose(s), after which time it should be destroyed.
9. Inquiries and complaints: Custodians must have in place a process whereby inquiries and complaints can be received, processed and adjudicated in a fair and timely way. The complaint process, including how to initiate a complaint, must be made known to physicians.
10. Openness and transparency: Custodians must have transparent and explicit record-keeping or database management policies, practices and systems that are open to public scrutiny, including the purpose(s) for the collection, use, access and disclosure of physician information. The existence of any physician information record-keeping systems or database systems must be made known and available upon request to physicians.
11. Accountability: Custodians of physician information must ensure that they have proper authority and mandate to collect, use, gain access to or disclose physician information. Custodians must have policies and procedures in place that give effect to the principles in this document. Custodians must have a designated person who is responsible for monitoring practices and ensuring compliance with the policies and procedures.
(1) Canadian Medical Association. Health Information Privacy Code. CMAJ 1998;159(8):997-1016.