• Advice that patient identifiable data should not be shared on messaging services relaxed
  • Instant message needs to protect patient confidentiality but can have “clinical utility”, new guidance says.
  • ICO has contacted NHS England to understand how the guidance has “evolved”

NHS England has opened the door to sharing patients’ medical records via instant messaging apps, such as WhatsApp, after previously stating it was not permitted.

The national commissioning body said last year that patient identifiable information should not be sent over instant messaging services such as WhatsApp.

But the latest guidance, published in February, instead states NHS organisations should only “minimise the amount of patient identifiable data you communicate via instant messaging”.

While there remained “serious data protection concerns surrounding the use of these systems”, instant messages were described as a “useful tool, particularly in an emergency context”.

The guidance said: “A proportionate approach is therefore needed. Clinicians need to balance these risks against the purpose for which they wish to use instant messaging.

“Instant messaging can have clinical utility. But remember that the law places obligations on organisations to protect patient confidentiality and you, as a clinician, may also have to defend yourself against regulatory investigation if you have not taken sufficient steps to safeguard confidentiality.”

When contacted by HSJ this week, NHS England said the guidance, marked as the final version, had not gone through the correct sign-off processes and had since been withdrawn.

However, HSJ understands it is unlikely to substantially change.

An Information Commissioner’s Office spokeswoman said the ICO had been helping NHS England develop guidelines for instant messaging but had not been involved in this latest version.

“We have made contact with the NHS to understand more about how it has evolved.”

Other advice for clinicians using instant messaging included:

  • Improve security for your device, including a password and two-step verification
  • Use separate groups for sharing clinical and operational information
  • Only use standalone apps if your organisation has no alternative
  • Do not use instant messaging as a substitute for clinical records
  • Only use messaging apps with advanced encryption
  • Losing a personal device with clinical data stored in its messaging app could have “professional ramifications”

The role of WhatsApp, which is owned by Facebook, and other instant messaging apps in the NHS has been subject to ongoing debate.

Research published last year suggested most UK clinicians already use WhatsApp for work, including to share patient identifiable data, raising concerns about data security and patient confidentiality. 

Dr Felix Jackson, founder of the health specific instant messaging company medCrowd, said the new guidance was an inadequate response to the risk posed to patient data by general messaging apps.

“Not only does this latest guidance confusingly suggest that sharing patient data is OK using these apps - when this is clearly in breach of data protection laws - it also puts a huge added burden on clinicians’ shoulders.”

In a response provided the information governance alliance, which includes NHS England, DHSC, NHS Digital and Public Health England said: ”We are currently preparing guidance to enable NHS organisations to implement policies balancing the potential risks to privacy against improvements in patient safety when using instant messaging technologies.”

The story was updated on 2 March to include comments from the information governance alliance.