Why did we make medCrowd compliant?

4th August 2017 by Jessica Thilaganathan

There have been many discussions in recent weeks around the use of WhatsApp in the NHS and the risks non-compliant technology poses to confidential patient data.

So what makes technology compliant for use in the NHS?

For a technology to be compliant for use in the NHS, it must meet all of NHS England's Information Governance requirements and all applicable UK laws. This means that it is developed to the right standard for use by any health and care worker in the UK, if approved by the worker's care provider.

What happens if the technology does not meet these standards?

If non-compliant technology is used and data that is not completely anonymised is shared, then a breach of data protection laws could occur. The Information Commissioner’s Office (ICO) “considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data. Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.” Even if clinicians and other health and care workers believe they have ensured the information shared doesn’t identify patients, they could still be in breach by using initials or information which could be used alongside other sources to identify someone.

For example, if an image of a patient scan is shared on WhatsApp, that image will be stored on WhatsApp’s US servers, which could be in breach of the UK Data Protection Act if the image was shared without explicit patient consent to do so.

How is medCrowd compliant?

medCrowd is compliant with the NHS Commercial Third Party Information Governance requirements (68% satisfactory, giving Level 2 compliance with v14), HIPAA, the UK Data Protection Act and the European General Data Protection Regulation, with ISO 27001 certification in progress.

Whilst it’s important to offer NHS staff technology to communicate with each other, using commonly available apps poses risks to patient confidentiality. Apps like medCrowd must be used in order to ensure staff can communicate in a fast, effective, compliant and secure way.