Medical malpractice and risk specialist Martin Swann highlights the legal, regulatory and insurance problems that can arise from the misuse of clinical photographs
Clinical photographs are essential to the practice of medical aesthetics. As patients are seeking a change to their appearance, it is absolutely essential to record in detail their appearance prior to the procedure, immediately afterwards, and at each follow-up appointment while the patient is recovering. These clinical photographs form part of the patient’s medical records, and are therefore regarded as ‘data’. Thus, these photos must be securely retained for a minimum period of time (at least seven years, and in some cases, longer).1
Such photographs can and should be used in the treatment and review of that particular patient. However, aesthetic practitioners often use these photographs for other purposes, such as:
No aesthetic practitioner would knowingly misuse photographs of their patients. However, the legal and regulatory context for the use of patient images, which is discussed below, is complex. Therefore, many aesthetic practitioners will, in fact, be breaching their legal duties to their patients and incurring regulatory and insurance problems for themselves. So, what are the pitfalls and how can aesthetic practitioners avoid them?
It is vital to remember that any data, including photographs, should only be used or processed for the purpose it was provided for.
All aesthetic practitioners are subject to the Data Protection Act 1998.2 From May 2018 they will also be obliged to comply with the General Data Protection Regulation (GDPR).3 Under GDPR, ‘health data’ is a special category of personal data.4 The data protection laws do, of course, allow this sort of data – in this instance the photograph – to be ‘processed’4 for medical purposes, otherwise it would become impossible for practitioners to use or share photographs for the purposes of treating that particular patient. Processing refers to any operation which is performed on personal data.4
As an example, in the absence of any express (as opposed to implied) agreement to the contrary, if the data was only ‘provided’ by the patient for the purposes of their personal treatment, then clinical photos should not be used for any other purposes unless you have your patient’s express consent (for example, by having your patient sign a form listing all the uses to which their health data will be put). It is crucial for aesthetic practitioners to understand that even if they are using a patient’s photograph for entirely laudable purposes such as education, if they do not have the patient’s consent to use their photograph for that purpose, they are potentially breaching data protection laws.3,5
The patient must also be told about the purpose of the data collection, or photographs, in advance of the data being processed, and whether it will be transferred to third parties such as other practitioners involved in the patient’s care, or training providers. Where a patient consents to their data (such as a photograph) being used for purposes other than their clinical care (such as the photograph being used to train other clinicians), in order for the practitioner to be able to rely on that consent it must be explicit, specific, freely given and clearly recorded.6,7 In addition, it must be as easy for patients to withdraw consent as it is to give it,7 so careful consideration should be given to the wording of consent forms regarding use of photos. GDPR Article 7 requires that, ‘The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.’7
In addition, the Data Protection Act (and also the GDPR) makes it essential to store patient photographs safely and securely.8
Many aesthetic practitioners take digital photographs using a stand-alone digital camera or the camera on a device such as a smartphone or tablet. The practical consequence of this is that copies of that digital photograph can end up in a number of different places, including online ‘cloud’ storage accounts if the device’s settings allow it. However, the law requires that each copy of that photograph is safe from unauthorised access.8 It is not enough to make sure that the patient’s formal medical file is stored securely (whether in hard copy or electronic format). Any copies of the photograph left on the camera device’s memory, transferred to another device such as a laptop, or uploaded to the cloud, must also be kept just as securely (such as by ensuring that all the hardware or accounts are encrypted).
Failure to comply with these regulations could have very serious consequences.
Aesthetic practitioners should be registered with the Information Commissioner’s Office (ICO),9 the UK’s independent regulatory office for data protection and electronic communications; anyone holding data should be registered with the ICO by law.10
In cases where there is a breach of data protection which poses a ‘high risk’ to patients, the practitioner will have to notify the ICO within 72 hours of the detection of the breach,9 as well as notifying the patient themselves. GDPR will also bring in significantly higher penalties for data breaches – a maximum fine of 4% of global annual turnover or €20 million (whichever is greater) for the most serious of infringements.11
Aesthetic practitioners have always had a duty to strictly maintain patient confidentiality in all medical records, including clinical patient photographs. While this is the case for all photos, it is even more vital when the patient is identifiable from the photograph alone. Therefore, using or sharing patient photographs for any purpose other than the treatment of that particular patient, without express consent from that patient, would be a clear breach of the practitioner’s professional duty to that patient. Serious cases could result in an investigation by the practitioner’s regulator, given that a data breach could also be a breach of the practitioner’s professional conduct obligations in respect of patient confidentiality.
If an aesthetic practitioner has inadvertently breached their legal or regulatory duties by misusing a patient photograph, or failing to keep it safe from unauthorised access, then they could face a claim from the patient based on breaches of the data protection laws.
In such a situation, the aesthetic practitioner might expect that the claim would be covered under their medical indemnity insurance arrangements. But this will not always be the case. Many such policies contain exclusions that mean that claims arising from data protection breaches are not covered.
Therefore, aesthetic practitioners should check with their insurance broker whether the medical indemnity policy includes cover for patient data breaches. This is especially important if the practitioner ever uses patient photographs for purposes other than treating the patients, such as teaching or training obligations, or if it will be desirable to publish photos of patients online for publicity purposes. They should discuss this expressly with their broker so that they can help ensure that their cover will meet that particular aesthetic practitioner’s needs.
It may be somewhat counter-intuitive to think of patient photographs as ‘data’, but the data protection legislation makes it clear that they most certainly are. In addition, patient photographs are part of a patient’s medical records in exactly the same way as their medical history form,12 and therefore patient confidentiality considerations apply.
To protect themselves from legal and regulatory difficulties, all aesthetic practitioners need to give careful thought to whether to use patient photographs for purposes other than treating that particular patient. If so, then they need to ensure that they create written consent forms that expressly record all uses for the photograph, and put in place proper procedures to make sure that photographs are never inadvertently used or shared without the patient’s consent. Aesthetic practitioners also need to speak to their indemnity providers or insurance brokers to ensure that their indemnity or insurance arrangements would respond in the event of a complaint or claim based on alleged data protection breaches.
Martin Swann will be presenting at the Aesthetics Conference and Exhibition (ACE) 2018 on April 27.
Disclosure: Martin Swann is the divisional director of Enhance Insurance.