Development of a “Cellphone Stewardship Framework”: Legal,Regulatory,and Ethical Issues

Abstract

Introduction:

Use of mobile devices within the health care sector has become commonplace in most developed countries, and increasingly common in developing countries. Such technological innovations have outpaced the necessary awareness and understanding of the spectrum of issues that ensure appropriate use of these innovations. The term “stewardship” has been defined and is applied to the appropriate care and use of cellphones by health care providers.

Aim:

To examine cellphone stewardship issues, and develop a simple framework by which to categorize these issues, using clinical WhatsApp^® (WhatsApp Inc., Menlo Park, CA) use as the exemplar.

Methods:

Nine electronic databases were searched (January 2019) for articles on WhatsApp in clinical service. Inclusion criteria were article was in English, reported on WhatsApp use or potential use in clinical practice, and identified cellphone stewardship issues.

Results:

Of 590 articles related to WhatsApp use in clinical practice, 167 potentially addressed some form of stewardship issue. After further review of full-text articles, 13 met the inclusion criteria, addressing specific issues related to cellphone stewardship, as defined. Articles were from nine countries (six developing and seven developed economies). Cellphone stewardship issues were abstracted and categorized into legal, regulatory, and ethical aspects, leading to development of the Cellphone Stewardship Framework for Health Care Providers (CSF-HCP).

Conclusion:

The CSF-HCP facilitates informed and structured debate around this topic, and encourages application of the term “cellphone stewardship” to describe and encompass the diverse legal, regulatory, and ethical issues requiring debate, resolution, and routine practice to ensure appropriate use of cellphones, and other mobile devices, by health care practitioners.

Introduction

Technologically the advent and advancement of mobile devices has been extremely rapid. Society has seen base cellphones give way to feature phones and these morph into smartphones within a little more than a decade. It is difficult to predict what new development the future may hold—after all the holographic phone (“holophone”) is already here and “smellphones” were devised several years ago.^1,2 Regardless of the precise technology or application, it is clear that when used within the health care setting, it is necessary to maintain the same standards of care expected within traditional health care when using mobile devices. Here the term stewardship has been applied in this context.

Stewardship can be described most simply as the careful and responsible management of something entrusted to one's care. Health care providers (HCPs) can possess or have access to some of a person's most sensitive information. The expectation is that HCPs will safely handle that health-related data accordingly—it has been entrusted to them for safekeeping and appropriate use.

Traditionally large organizations such as hospitals have a “Data Steward” (e.g., Data Protection Officer) to address these issues. Data Stewards know how the data are collected, maintained, and used, and they are assigned responsibility for the management and fitness of all data stored within an organization. Such organizations expect their Data Stewards to be expert in data processing, data policies, data guidelines, and compliance with organizational, national, even international, policy and regulatory obligations. This is simply not feasible for frontline HCPs (doctors, nurses, and allied health professionals) whose expertise and focus lie in clinical care, not data management.

Exacerbating the circumstance is the growing use of mobile devices within health care globally both for the public and HCPs.^3,4 Most common among these devices is the cellular telephone and, among HCPs, is the smartphone. Increasingly these are used to create (take clinical photographs), access (retrieve e-records), communicate (exchange data between HCPs), and/or store (subscriber identification module [SIM] cards) sensitive health care-related data and information such as photographs and consultations.^4,5 Given this, data stewardship responsibility has effectively devolved—each HCP has become a trusted steward of data on their personal mobile devices. They must practice safe “cellphone stewardship.”

As noted, “stewardship” is the careful and responsible management of something entrusted to one's care. Of primary concern here is not so much the device, although that is relevant since it can be shared, lost, stolen, or damaged, but rather the content that may pass through or be placed on the device through various modes of connectivity. Of specific concern is transmission or storage of sensitive health-related data pertaining to one or more patients. Within traditional health care clinicians are bound by laws, regulations, and ethical norms to ensure the safekeeping of those data and any knowledge they provide about a patient's condition, and their applicability to cellphone users may be underappreciated.

As e-Health (encompassing health informatics, telehealth, e-commerce, and e-learning) became common, various medicolegal regulations were devised. These have largely taken the form of privacy guidelines related to “electronic” exchange, privacy, and security of health information of patients (protected health information [PHI]) in both public and private settings around the globe.^6

–9 As of 2017, 120 countries had enacted data privacy laws, and at least 30 more countries had official bills for such laws in various stages of progress.¹⁰ They require health care institutions, clinicians, and others to follow appropriate administrative, physical, and technical safeguards. In general, such laws require consent to collect, use, or disclose an individual's personal information; provide the right for an individual to access their personal information and to challenge its accuracy; restrict use only to the purposes for which it was originally collected (other use, if permitted, requires additional consent); and require the data be protected by appropriate safeguards. Their goal is to ensure and protect the confidentiality, privacy, integrity, and accessibility of PHI contained within electronic databases (e.g., electronic health records, electronic medical records, personal health records, and others). This obligation now extends, in principle if not yet in official documents, to personal mobile devices that clinicians may use in their clinical practice.

As a consequence, health care-related “cellphone stewardship” can be defined as “the careful and responsible management of sensitive protected health information entrusted to one's care that passes through or resides on any cellphone device used by a HCP (e.g., doctor, nurse, and allied health care worker), and which includes the safekeeping and handling of the device itself.” The literature makes frequent reference to three types of medicolegal guidance—legal, regulatory, and ethical, which guided examination of the literature.¹¹

Having defined Cellphone Stewardship, and with a preliminary understanding of issues that pertain to stewardship (e.g., governance, record keeping, storage, and security) and types of guidance, this article describes specific insight regarding cellphone stewardship issues gained from a structured literature search. WhatsApp^® (WhatsApp Inc., Menlo Park, CA) was used as the exemplar for three reasons: First it is widely used by physicians within health care,¹¹ second with >2 billion active users per month it is the most commonly used instant messaging (IM) app globally,¹² and third it was not designed specifically for health care. Issues were extracted and then categorized into three recognized types of guidance (legal, regulatory, and ethical) to create a Cellphone Stewardship Framework for Health Care Providers (CSF-HCP). Thereafter, each type is described in detail to inform and encourage clarity. The ultimate goal is to inform debate, adjust current and future legal, regulatory, and ethical tools (implementation mechanisms), and influence practice to ensure appropriate use of cellphones in the health sector.

Methods

Applying WhatsApp use within health care as the exemplar, and after defining Cellphone Stewardship, it was possible to search the literature concerning WhatsApp use within health care for specific Cellphone Stewardship issues. In January 2019, nine databases were searched for articles on WhatsApp use in clinical practice: PubMed, Scopus, Science Direct, and six databases within EbscoHost—CINAHL with full text, Health Source Nursing/academic edition, Index to legal periodicals, PsycARTICLES, PsycINFO, and MEDLINE. The search term used for PubMed was “WhatsApp” [All fields] and for the other databases ((“WhatsApp”) AND (“telemedicine” OR “telehealth” OR “eHealth” OR “e-Health” OR “mhealth” OR “m-Health”)) All fields. The search strategies differed because PubMed is restricted to biomedical-related resources.

Inclusion criteria were article was in English, reported on WhatsApp use in clinical services or its potential for clinical use, and addressed legal, regulatory, or ethical issues (and, therefore, potentially cellphone stewardship issues). Remaining articles were then further reviewed for insight regarding specific cellphone stewardship issues (e.g., governance, record keeping, storage, and security) and insight abstracted. Book chapters, conference proceedings that were not full-length articles, and articles on the use of WhatsApp for behavior change, education, appointment reminders, or medication adherence were excluded. All decisions on inclusion and exclusion were made by consensus of all authors.

Results

A total of 590 unique records related to WhatsApp use in clinical practice of which 167 articles addressed some form of legal, regulatory, or ethical issue. After further review of full-text articles, based on a preliminary understanding of issues that pertain to stewardship (e.g., governance, record keeping, storage, and security), 13 articles identified specific issues directly related to cellphone stewardship, as defined (Fig. 1). From these articles the following cellphone stewardship issues were identified.

Fig. 1.

PRISMA diagram of search results. PRISMA, Preferred Reporting Items for Systematic Reviews and Meta-Analyses.

Aspects related to security were commonly raised. Eight articles identified the lack of need for a username or password (including biometrics) to open and use WhatsApp, and issues of unauthorized access to data on unattended, exchanged, lost, shared, or hacked cellphones.^{13

–20} Others went further, indicating the cellphone itself should be password protected.^16,18,21 The facility for remote deletion or wiping of data was also noted, to be employed in the event of loss or theft of a device.^18,21 Deletion of data after completion of a consultation and transfer to medical records was advised,^16,18,21,22 although one article warned that data transfer was often not performed leading to incomplete patient records.¹⁵ Beyond data protection, ethical issues of consent and confidentiality of data were noted, with the need for availability of training, and monitoring of the evolutionary use of cellphones by a proposed international governing body to regulate and predict impact.²³ To address the many issues described earlier, one article noted the desirability of Health Ministries creating a new mobile app similar to WhatsApp.²⁴ The possibility of sending information from a cellphone to an incorrect recipient was also raised.¹⁴ Another ethical consideration was use of information (specifically photographs) beyond the original purpose for which consent was originally given,¹⁴ if indeed consent was obtained at all.¹⁶ Underappreciated software issues were also noted, such as WhatsApp automatically saving photographs to the recipient's smartphone photo library unless the feature is inactivated.¹⁷

Aspects not directly linked, but related to cellphone use, were also raised. For example, the obligation of health care organizations to establish roles, responsibilities, and comply with and enforce policies or laws related to data protection was noted.²⁵ Similarly, the storage of data before, during, or after transmission on insecure servers, often inappropriately located or backed up overseas, was mentioned.^16,17 Also, the matter of photographs forming an important part of the patient record from a legal perspective was highlighted.¹⁸

The 13 articles came from 9 countries. According to the International Monetary Fund six from emerging and developing economies (Mexico,¹³ Turkey,²⁴ and South Africa^15,18,21,22) and seven from developed economies (Australia,¹⁶ Canada,²⁵ Ireland,²³ Israel,²⁰ Italy,¹⁹ and the United Kingdom^14,17). All were published between 2016 and 2018.

Discussion

A defined and structured framework and terminology is necessary for planning, describing, reviewing, and appraising issues related to cellphone stewardship, and for building or updating policy, process, and procedure that enables the appropriate use of cellphones within health care settings. This study describes evidence-based development of such a framework.

Framework Development

Principle of enforceability

Within humankind's social structure there are rules of conduct that limit individual and collective actions, and impose sanctions when actions fall outside of accepted bounds. Depending upon the level of transgression punitive measures of some form, along a scale of increasing penalty, are imposed. The source of such force, whether real or perceived, forms the base of the CSF (Fig. 2). The most severe are legal sanctions that have the force of law, including settlements, fines, incarceration, or loss of licensure. Regulatory sanctions may be imposed by health-related entities (Minister of Health; health care facility such as a hospital or clinic) or health profession entities (medical society; nursing association), including dismissal, or retraction or refusal of membership. The least severe, at least in principle, are ethical sanctions where society may consider an action inappropriate or unacceptable and impose social ostracizing or labeling as punishment.

Fig. 2.

The health care provider cellphone stewardship framework: Categorization of the continuum of factors, cellphone stewardship issues, and implementation mechanisms that impact appropriate cellphone practice within the health care field.

Categorization of issues

Although not always confluent, the literature makes frequent reference to three types of guidance—legal, regulatory, and ethical.^{11,26

–30} Governance, a common noun, was also mentioned (usually as an overarching term related to “management” of countries and organizations) but was considered less appropriate than the term regulatory, a descriptive adjective, which aligned with the other adjectives legal and ethical. Accepting the frequent use and familiarity of these three terms generally, and within the health care field specifically, “legal,” “regulatory,” and “ethical” were adopted as the base categories within the CSF-HCP (Fig. 2). Their use helped simplify and focus further consideration.

Cellphone stewardship issues

The results from this study have shown that a host of issues and associated terms (often redundantly similar) have been applied within the literature to describe factors that impact proper stewardship of cellphones and associated PHI, both for WhatsApp and m-health generally. These include: access, authentication, authorization, concordance, confidentiality, continuity of care, consent, data integrity, data protection, data security, data transfer, data transmission, data storage, data wiping, doctor–patient relationship, encryption, governance, guidelines, image quality, jurisdiction, law, legal, licensure, medical record, password, patient record, patient satisfaction, photographs, policy, privacy, quality of care, record keeping, regulations, remote deletion, responsibility, software updates, standards—and cellphone stewardship (Fig. 2). Given this spectrum, and benefit from clarity of terms, the need for a simple categorization scheme and framework was affirmed.

Implementation mechanisms

Complicating this categorization are implementation mechanisms (Fig. 2) by which any specific result can be achieved. For example, encryption, policy, remote wiping, or standards are not specific cellphone stewardship issues themselves, but are mechanisms or tools by which action can be taken to address a legal, regulatory, or ethical issue. For example, data security during transmission (mechanism: encryption) or storage (mechanisms: encryption; data wiping), requiring confidentiality of data (mechanism: policy), and setting of an expected level of attainment (mechanism: standard). These mechanisms generally function at one or more of the policy, procedure, or practice levels. Thus, a policy may state a certain requirement, which is embodied within a procedure, and becomes common practice. Conversely, a certain action may occur as “common practice” (e.g., clinical use of WhatsApp) but need not be embodied within either a procedure or policy. Also of concern is applicability of some mechanisms, which can be cellphone and app specific. For example, in regard to WhatsApp and depending on the operating system of the cellphone, remote wiping may not remove pictures from a cellphone's gallery (or similar storage area) unless they have previously been specifically linked to a message in the app software.

Commentary

What differentiates legal from regulatory from ethical issues? They can be considered to lie along a continuum, with legal at one extreme, ethical at the other, and regulatory between (arrow, Fig. 2). Being a continuum, this implies overlap.

Overall, legal factors can be considered those that refer to actions that are based on, concerned with, or permitted/restricted by law or similar judicial tools of a sovereign country and regulate the actions of the citizenry. Regulatory factors refer to those policies, regulations, guidelines, and other specifications that, typically, health-related or profession-specific entities impose, and to which impacted individuals are expected to adhere or comply with. Ethical factors in the larger societal context refer to acceptable actions or principles of behavior that demonstrate respect for key moral principles, but specifically within medicine they refer to autonomy (freedom of choice), justice (equity), beneficence (do good), and nonmaleficence (do no harm).

Clarity around what is meant by each term can be lacking, and can also be confusing given the redundancy of terms and continuum overlap. For example, “regulations” can have a legal interpretation, but are also frequently referred to in business and governance settings where they have no force of law; therefore, “regulations” appear in both categories—legal and regulatory. Similarly, a health-profession organization (e.g., medical society) may have stated expectations around professional ethics, but they themselves form part of an organization's (sometimes legally binding) “regulations” or “guidelines,” and, therefore, specific aspects such as confidentiality are dealt with under the category “ethical” and licensure under “legal.”

The internet and cellphone networks enable e-Health to be practiced across domestic and international boundaries. This interjurisdictional practice is increasing, driven by practical need and growing commonality of approaches to PHI, although without formal compacts or other approaches the practice can have risk. Although no action is risk free, practice of good Cellphone Stewardship, guided by this framework, will help minimize risk to an acceptable level. But the CSF-HCP must also evolve over time. The expectation is that others will adopt the framework and, within their sphere of expertise, improve it by adding, debating, and resolving new or existing issues, thereby serving to inform the framework and its application still further in an evidence-based manner over time. For example, using WhatApp as the sole exemplar may have restricted the number and type of issues identified, opening the opportunity for application of the framework to other apps used within health care and subsequent modification to increase the framework's breadth of application.

A host of other related issues may arise and require resolution. For instance, as m-health-mediated public health surveillance activities increase, location data will be stored on cellphones; what are the legal, regulatory, or ethical issues related to capturing location data? What of sending unsolicited health-related educational texts to a segment of the population (adolescents; geriatrics) for public health measures—does that invade personal privacy? How do old laws apply to new technologies or new applications of existing technologies? Legislation is intended to protect the public, but what if “stale-dated” laws serve instead to prevent the public from accessing appropriate and life-saving health care from clinicians (such as WhatsApp-based online e-consultations). Since ethical codes of conduct or regulatory frameworks are likely to be reviewed and updated more regularly than legal guidance, can HCPs comfortably rely upon guidance at one level (legal, regulatory, or ethical) being accepted at another level?

A recent review of WhatsApp failed to identify any established or published obligatory guidelines specifically for the use of WhatsApp or IM, highlighting the urgent need for such direction.³¹ In the interim, the CSF-HCP can be used to inform both HCPs and those developing guidelines by raising awareness of, and need for action regarding, such issues as passwords, biometrics, sharing, remote wiping, management of photographs, and record keeping in relation to cellphone use.

Conclusion

The CSF-HCP provides a simple device to support structured and informed debate that will help frame the composition and construction of future legal, regulatory, and ethical tools (e.g., laws, guidelines, and social norms) and influence appropriate use of cellphones in the health care sector. The framework also serves to provide immediate awareness for HCPs using cellphones in their practice. Ideally the framework will remain flexible and be modified over time to include additional issues (within the three categories described) or solutions (within the implementation mechanisms) to encompass currently unknown or unappreciated aspects of cellphone stewardship and technology application, thereby retaining utility into the future.

Footnotes

Authors' Contributions

M.M., R.E.S., and C.M. conceptualized the need to undertake the study. M.M. performed the literature search, and all authors approved inclusion of articles by consensus. R.E.S. gathered additional data and wrote the first draft of the article; all authors revised subsequent drafts, providing substantial intellectual input, and approved the final version for submission.

Disclosure Statement

No competing financial interests exist.

Funding Information

Research reported in this publication was supported by the Fogarty International Center of the National Institutes of Health under award number D43TW007004-13. The content is solely the responsibility of the authors and does not necessarily represent the official views of the National Institutes of Health.

References

Jones

Samsung might be developing a phone that projects holograms (just like Star Wars). Gizmodo. December 18, 2018. Available at https://www.gizmodo.com.au/2018/12/samsung-might-be-developing-a-phone-that-projects-holograms-just-like-star-wars (last accessed February 13, 2020 ).

Monks

Forget text messaging, the ‘oPhone’ lets you send smells. CNN Business. March 17, 2014. Available at https://www.cnn.com/2014/03/17/tech/innovation/the-ophone-phone-lets-you-send-smells/index.htmlaccessed13February2020 (last accessed February 13, 2020 ).

Cummings

, Borycki

, Roehrer

. Issues and considerations for healthcare consumers using mobile applications. Stud Health Technol Inform, 2013; 183:227–231.

Silva

, Rodrigues

, de la Torre Díez

, et al. Mobile-health: A review of current state in 2015. J Biomed Inform, 2015; 56:265–272.

Nettrour

, Burch

, Bal

. Patients, pictures, and privacy: Managing clinical photographs in the smartphone era. Arthroplast Today, 2019; 5:57–60.

Health Insurance Portability and Accountability Act of 1996 (HIPAA). Public Law 104–191. USA. Enacted August 21, 1996.

The Personal Information Protection and Electronic Documents Act (PIPEDA). Canada. Royal Assent. April 13, 2000.

General Data Protection Regulation (EU) 2016/679 (GDPR). European Union. Enacted May 25, 2018.

Protection of Personal

Information

, Act 4 of 2013 (POPI). South Africa. Assented to November 19, 2013.

10.

Greenleaf

. Global data privacy laws 2017: 120 national data privacy laws, including Indonesia and Turkey. Priv Laws Bus Int Rep, 2017; 145:10–13. UNSW Law Research Paper No. 17–45.

11.

Mars

, Scott

. WhatsApp in clinical practice: A literature review. Stud Health Technol Inform. 2016; 231:82–90.

12.

Bucher

WhatsApp, WeChat and Facebook Messenger Apps—Global Messenger Usage, Penetration and Statistics. Available at https://www.messengerpeople.com/global-messenger-usage-statistics (last accessed February 13, 2020 ).

13.

Calleja-Castillo

, Gonzalez-Calderon

. WhatsApp in stroke systems: Current use and regulatory concerns. Front Neurol, 2018; 9:388.

14.

Kamel Boulos

, Giustini

, Wheeler

. Instagram and WhatsApp in health and healthcare: An overview. Future Internet, 2016; 8:37.

15.

Mars

, Scott

. Being spontaneous: The future of telehealth implementation?. Telemed J E Health, 2017; 23:766–772.

16.

Nikolic

, Wickramasinghe

, Claydon-Platt

, et al. The use of communication apps by medical staff in the Australian health care system: Survey study on prevalence and use. JMIR Med Inform, 2018; 6:e9.

17.

Thomas

. Wanted: A WhatsApp alternative for clinicians. BMJ, 2018; 360:k622.

18.

Mars

, Morris

, Scott

. Selfie telemedicine—What are the legal and regulatory issues?. Stud Health Technol Inform, 2018; 254:53–62.

19.

Maugeri

, Graziano

, Arena

, et al. Privacy in modern healthcare communications: The lesson of Alan Turing. World Neurosurg, 2017; 97:735–736.

20.

Siegal

, Dagan

, Wolf

, et al. Medical information exchange: Pattern of global mobile messenger usage among Otolaryngologists. Otolaryngol Head Neck Surg, 2016; 155:753–757.

21.

den Hollander

, Mars

. Smart phones make smart referrals: The use of mobile phone technology in burn care—A retrospective case series. Burns, 2017; 43:190–194.

22.

Martinez

, Rogers

, Numanoglu

, et al. The value of WhatsApp communication in paediatric burn care. Burns, 2018; 44:947–955.

23.

El Hadidy

, Alshafei

, Mortell

, et al. Smartphones in clinical practice: Doctors' experience at two Dublin paediatric teaching hospitals. Irish J Med Sci, 2018; 187:565–573.

24.

Gulacti

, Lok

. Comparison of secure messaging application (WhatsApp) and standard telephone usage for consultations on Length of Stay in the ED. Appl Clin Inform, 2017; 8:742–753.

25.

Carmona

, Alayed

, Al-Ibrahim

, et al. Realizing the potential of real-time clinical collaboration in maternal–fetal and obstetric medicine through WhatsApp. Obstet Med, 2018; 11:83–89.

26.

Dart

, Whipple

, Pasqua

, et al. Legal, regulatory, and ethical issues in telehealth technology. In: Luiselli JK, Fischer AJ, eds. Computer-assisted and web-based innovations in psychology, special education, and health. Academic Press, Amsterdam,, 2016; 339–363.

27.

George

, Whitehouse

, Duquenoy

, eds. eHealth: Legal, Ethical and Governance Challenges. Springer, Berlin/Heidelberg, 2012.

28.

Duquenoy

, ed. Ethical, Legal and Social Issues in Medical Informatics. IGI Global, Hershey, 2008.

29.

Baker

, Bufka

. Preparing for the telehealth world: Navigating legal, regulatory, reimbursement, and ethical issues in an electronic age. Prof Psychol Res Pract, 2011; 42:405–411.

30.

Kunde

, McMeniman

, Parker

. Clinical photography in dermatology: Ethical and medico-legal considerations in the age of digital and smartphone technology. Australas J Dermatol, 2013; 54:192–197.

31.

Mars

, Morris

, Scott

. WhatsApp guidelines—What guidelines? A Literature Review. J Telemed Telecare, 2019; 25:524–529.