Mobile apps and patient records

April 21, 2017

Last October, when it emerged that the Prime Minister and Cabinet were using the social messaging tool WhatsApp to communicate with each other[1], the Australian Signals Directorate advised that, although the app was not on the approved list for sensitive and classified communications, it had no concerns about its use for ‘routine communications’[2].

WhatsApp, Facebook Messenger and other dedicated applications are also reportedly being used in the health sector as a way for doctors to communicate more efficiently with other health professionals about their patients, including the sharing of patient photographs. These apps provide better functionality for patient care than pagers and telephones.

To address privacy issues, some of the apps use end-to-end encryption (so that only the sender and the intended recipient can read a message), cloud pass-through technology (so that no message data is stored on the application provider’s servers), password and PIN protection, and inactivity lockouts. It is worth noting that end-to-end encryption protects messages while they are in transit; it does nothing for the copies that remain on each clinician’s handset, and those copies are where the privacy and recordkeeping questions below actually arise.

However, as with any new technology, there are risks and recordkeeping issues that need to be addressed. If the apps are being used to provide patient care in public hospitals, then the messages and photographs meet the definition of a public record under the State Records Act 1998, and public offices need to ensure that any official patient records created in this way are captured and retained for the mandatory minimum retention periods set out in the retention and disposal authorities issued by State Archives and Records NSW.

For patient records the minimum retention periods range from 7 to 15 years after last attendance and, in the case of minors, until the patient reaches 25 years of age. It is unlikely that any mobile application will retain records for this length of time, although some applications offer an archiving function that lets users download ‘archived’ messages or health information, which can then be saved in the recordkeeping system or the appropriate business system. Other applications feature a built-in alert or notification that prompts users to make a record.

Some apps have more worrying features, such as the automatic deletion of messages after a set period, which could easily result in records of patient care being destroyed. (This is a good example of the misplaced belief that privacy can only be assured by destruction, rather than by access restrictions and security controls.)

How do we address the existence of patient-related information in a doctor’s mobile phone? One way to handle this is to have clear policies and procedures in place about the use of mobile devices for patient care to ensure privacy and recordkeeping issues are being ‘triaged’ and managed, and to ensure the relevant messages are captured in the patient record.

The mobile applications also need to be assessed to see how records can be exported and whether they can be integrated easily with existing business systems. This can be tricky, given that a single message may concern several patients and must then be captured in each of their records.
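As an added example of that export-and-integration step (this is not code from the original post or from any messaging vendor), the following Python takes a plain-text chat export, folds multi-line messages back together, copies each message into the record bundle of every patient it names, routes untagged messages to a review queue instead of dropping them, and hashes each bundle so the copy saved in the recordkeeping system can later be shown to be unaltered. The export line format, the ‘MRN <digits>’ tagging convention and the sample messages are all assumptions made for the example.

```python
"""Split a plain-text chat export into per-patient record bundles.

Added example, not from the original post. It assumes a constructed export
format of one message per line, "DD/MM/YYYY, HH:MM - Sender: text", with
continuation lines for multi-line messages, and a local policy that clinicians
tag each patient as "MRN <six digits>". Neither the format nor the tagging
convention is a documented feature of any particular messaging app.
"""
import hashlib
import json
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample export: three staff, four messages, two patients.
# The second message concerns two patients; the third names none.
SAMPLE_EXPORT = """\
21/04/2017, 08:02 - Dr Lee: MRN 100234 post-op review done, wound dry, for discharge tomorrow
21/04/2017, 08:05 - Dr Patel: MRN 100234 and MRN 100871 both need repeat bloods
this afternoon, please chase path
21/04/2017, 08:06 - Dr Lee: ok
21/04/2017, 08:41 - NUM Jones: MRN 100871 family requesting update, can someone call
"""

# Assumed line format (see module docstring); the sender field has no colon.
MSG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{2}:\d{2}) - (?P<sender>[^:]+): (?P<text>.*)$"
)
# Assumed patient-tagging convention.
MRN_RE = re.compile(r"\bMRN (\d{6})\b")


def parse_export(export: str) -> List[dict]:
    """Return messages in export order; continuation lines are folded into
    the preceding message so a wrapped message is not split into two records."""
    messages: List[dict] = []
    for raw in export.splitlines():
        m = MSG_RE.match(raw)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M")
            messages.append(
                {"timestamp": ts.isoformat(), "sender": m["sender"].strip(), "text": m["text"]}
            )
        elif messages and raw.strip():
            messages[-1]["text"] += "\n" + raw
        # blank lines carry nothing and are ignored
    return messages


def bundle_by_patient(messages: List[dict]) -> Dict[str, dict]:
    """Group messages by the MRNs they mention.

    A message naming several patients is copied into every one of their
    bundles, so no patient's record is left incomplete. Messages naming no
    patient go under "UNASSIGNED" for manual review rather than being lost.
    Each bundle carries a SHA-256 over its canonical JSON so the copy filed in
    the recordkeeping system can be checked for alteration later.
    """
    groups: Dict[str, List[dict]] = {}
    for msg in messages:
        mrns = sorted(set(MRN_RE.findall(msg["text"]))) or ["UNASSIGNED"]
        for mrn in mrns:
            groups.setdefault(mrn, []).append(msg)

    bundles: Dict[str, dict] = {}
    for mrn, msgs in groups.items():
        canonical = json.dumps(msgs, sort_keys=True, separators=(",", ":"))
        bundles[mrn] = {
            "messages": msgs,
            "sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
        }
    return bundles


if __name__ == "__main__":
    for mrn, bundle in bundle_by_patient(parse_export(SAMPLE_EXPORT)).items():
        print(mrn, len(bundle["messages"]), "message(s)", bundle["sha256"][:16])
```

The UNASSIGNED queue is the important design choice: a bare ‘ok’ reply is almost always about the preceding message, but deciding which patient it belongs to is a clinical judgement, so the script surfaces it rather than guessing or discarding it.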

For more information, see our separate guidance on managing mobile messages.

For detailed information on retention of patient/client records, please check GDA17.

As always, if you have any queries or if you need help, please don’t hesitate to contact us at or alternatively you can ring us at 82572900.

