with HIPAA, as well as on the sending and receiving
devices. 10 Many hospital employees may be cognizant
of this vulnerability and consequently avoid sending text messages containing traditional personal
health information, such as patient name and date
of birth. However, sending photographs via text is a
newer issue, one with more associated uncertainties.
When reviewing Option 3, the discussion detailed in
Option 1—what constitutes PII—should be carefully
considered. If a physician’s definition of PII is limited to
the face, tattoos, or birthmarks in clinical photographs,
the risk may be determined as minimal when sending
unidentifiable clinical photographs over less secure
modes of transmission. Conversely, if a physician has
a broader definition of PII, they may be obligated to
send clinical photos through a more secure hospital
e-mail address to better protect the data.
Although a protected e-mail account does provide
added security, personal mobile devices have their
own inherent security issues. Personal mobile devices
have become increasingly prominent in the medical
workplace and are popular due to their ease of use and
portability. However, their portability means they can
easily be lost or stolen. 11 An unauthorized user may
then access the device’s stored data (including saved
photographs and text messages). Many phones lack
the technology to encrypt data, a necessary step that
allows the user to securely transmit sensitive patient
information. 12 Even if a device has encryption capabilities, its secured digital memory card may be unable
to encrypt the device’s stored, and potentially sensitive, data.
Modern personal mobile devices, particularly
smartphones, have virtually the same capabilities as
a desktop computer. Most of these mobile devices lack
the security measures that are standard on all hospital
computers. Personal mobile devices are protected by
weak numerical passwords, do not offer firewall protection or antivirus software, and have the option to
transmit data through non-secure wireless networks. 11
In contrast, hospital desktop computers operate solely
through an institution’s server and its secure network.
An institution’s information technology (IT) department makes multiple efforts to protect personal health
information, including setting computer lock-out
times, changing passwords, overseeing and limiting
user access to certain files, detecting changes made to
stored data, and monitoring secure wireless and wired
networks. 13 IT departments have far less access to and
control over employees’ personal devices. The variety
of brands, operating systems, and service providers
for mobile devices creates an even greater challenge
in developing standard security measures.
Much work still needs to be done in terms of securing and regulating mobile devices for clinical use.
For the foreseeable future, the owner of the device is
trusted to safeguard patients’ sensitive health information, including clinical photographs. Physicians must
use these devices prudently and remain informed of
the technological shortcomings.
Option 4: The resident tells the PRS that he or she
is uncertain regarding the risks associated with
photographing the patient and does not want
to cause any unintended harm to the patient,
hospital, or himself.
The resident who follows Option 4 understands the
technology concerns discussed in Option 3 and decides
to err on the side of caution. The physician recognizes
the limitations of a personal mobile device and decides
that the potential harm to the patient’s privacy and
confidentiality overrides other considerations.
Option 4 leads to a possible knowledge discrepancy and a conflict between two physicians. Imagine
that the consulting PRS is an older physician who is
less familiar with smartphone technology than the
fifth-year resident. Given this disparity, who should
be responsible for protecting the patient’s privacy and
confidentiality? Is it an equally shared responsibility,
or is the resident more accountable because of his or
her advanced acumen with smartphone technology?
To explore this issue, consider the everyday hospital practice of ordering a consult. Consults are often