Data concerns when texting patients

TEXT messaging patients has become almost routine in healthcare today but robust processes are still needed to monitor and control both message content and intent, as well as protect patient confidentiality.

  • Date: 30 December 2019


TEXT messaging patients has become almost routine in healthcare today. Even the GMC now recognises that texting "can be convenient and supports effective communication between doctors and patients". However, robust processes are still needed to monitor and control both message content and intent, as well as protect patient confidentiality.

Enactment of the General Data Protection Regulation (GDPR) has raised concern among doctors, dentists and hospital administrators about what exactly is permissible to send to patients by text. Text messages are transmitted over public phone networks and are therefore potentially insecure. They can also be read by people other than the intended recipient. A clinician may not be responsible for a message once it has been received by a patient, but it is useful to remind and encourage patients to ensure their phones and devices are accessible only to individuals who have permission to view their sensitive personal information.

Before examining specific GDPR considerations, it is important to reinforce that care should be taken with any text message that contains sensitive clinical information. This may relate to the type of information being transmitted (e.g. a specific clinic appointment or mention of a condition), but it also requires consideration of what may happen if the information is misused. Some clinical information is by nature especially sensitive, such as issues relating to sexual or mental health, and in any case all health information is classified as "special category data" under GDPR, which demands even greater security measures to be in place.

The Information Commissioner’s Office (ICO) has produced guidance that health professionals should consider and follow in the provision of a text messaging service to patients. Specific advice can also be obtained by phoning the ICO advice line on 0303 123 1113.

The starting point for data controllers is to identify a lawful basis under GDPR for the processing of all personal information, as well as the "special category condition" for health information. Once established it should be set out in a privacy notice and publicised widely within the organisation, on its website and social media pages, as appropriate. An organisation intending to use text messaging to contact patients must clearly set this out in its privacy notice in a "granular" and "meaningful" way. This means clarifying the specific purposes for which you intend to contact patients and not deviating outside those communicated parameters.

If the above process is followed, there is no additional requirement under GDPR to obtain individual patient consent to send patient-specific text messages. However, the ICO confirms that obtaining such consent would still be regarded as "good practice", and this is more closely aligned with current regulator guidance from the GDC and GMC.

Looking at some specific advice requests that MDDUS has received since the introduction of GDPR can hopefully provide clarity on complex issues that might be open to testing and interpretation.

• Is it acceptable for a medical or dental practice to send appointment reminders and other patient-specific information, such as a chronic disease recall alert? The answer here is 'yes', as long as the message is patient specific and a "reminder" rather than "promoting a service", which may come under the category of direct marketing, where explicit consent from the patient would be required (see below). A results notification would also be legitimate, but only the fact that a result is now available. Transmission of actual test results by text, and of other specific clinical information, is possible, but the practice would have to identify a specific "special category condition" for processing and communicate its intention under a published privacy notice or statement. The ICO also emphasises that obtaining individual patient consent to send actual test results would be "good practice", as would paying particular attention to accuracy and security and taking reasonable steps to ensure that mobile numbers are kept up to date. Otherwise a foreseeable data breach could occur.

• Can "service update" messages be texted to all practice patients? This could include, for example, "the clinic will be closed for training next Tuesday afternoon" or "the practice will now be open until 7pm on weekday evenings". Although not patient-specific, such texts would be viewed as service update messages and are therefore permissible. The intention is to inform patients about important service changes or updates to prevent inconvenience and maintain the smooth operation of the service. While specific patient consent would not be required, the ICO advises that a description of such types of communication should also be included in your privacy notice.

• What is considered direct marketing under GDPR? This is defined as the "promotion of a service, whether for profit or not". Marketing can be seen as anything that is promoting "aims and ideals to a large audience", and under GDPR will require explicit opt-in consent by recipients. Some examples of what could be construed as direct marketing include:

  • Setting up and advertising a new diabetes clinic for all patients on the practice database with this diagnosis.
  • Promoting a travel clinic to provide holiday/travel advice and vaccinations.
  • A dental practice texting the patient list to promote a "teeth-whitening offer during January".

It is again also important to remember your professional obligations when it comes to protecting patient confidentiality and to review appropriate guidance, including the GMC’s Confidentiality: good practice in handling patient information and the GDC’s Focus on Standards - Maintain and protect patients’ information.
  • Carefully consider the text message content. The need to protect confidentiality is foremost when texting patients.
  • Possession of a patient’s mobile number does not provide open-ended consent. Ensure you have a process for checking that personal details are up-to-date and correct and that the patient consents to specific communication being received to this number.
  • Communicate your intentions and purposes for sending text messages to patients via your organisational privacy notice.
  • Consider the purpose of your messaging on an individual basis. Could it be construed as direct marketing?

Alan Frame is a risk adviser at MDDUS

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
