Data security

Photo from patient on Whatsapp - or how to store patient's medical data legally




Olga Dabrowska

Doctor, Johny got such a rash at night. What could it be?
Doctor, I have such a red eye and broken vessels in the middle. I'm sending a photo to preview. What can I do?

Photos from patients are a quick and effective way for doctors to communicate important information about a patient's condition remotely in addition to in-person visits. 

This form of contact is used by 80% of doctors in Poland, and the most preferred channel right after SMS is commercial instant messaging, such as Whatsapp or Messenger1.

In this article, you will learn how to handle medical data sent to your phone from a patient.

I get pictures from patients on my phone. How do I deal with them? 

A photo of a patient or a photo of test results is health data, a special type of personal data to which a heightened level of protection should be applied. A doctor who receives a file from a patient on his or her phone - on the basis of which he or she makes a diagnosis or provides another service - is obliged to properly store it in the medical record (as required by the Law of November 6, 2008 on Patient Rights and Patient Ombudsman and the Law of April 28, 2011 on the Health Information System). How to do this step by step?

1.Avoid saving photos and files from patients directly on your private phone. 

A photo received from a patient should go into the patient's medical record (e.g., the patient's chart in the practice management system) or into a dedicated medical messenger. Saving a patient's photo in a commercial channel (e.g., Whatsapp, Messenger), may violate the obligation to properly store medical records or health data. Once you save a photo to a patient's medical record or medical messenger, delete it from the commercial messenger/e-mail channel. 

2.Control access to patient images and files.

Avoid using tools (email, Whatsapp, Messenger) that are easily accessed by unauthorized people. Restrict access to your phone's galleries to external apps (i.e. Facebook, Whatsapp, Messenger, Google). 

3.Use a secure channel to receive and save images from the patient. 

Choose a secure channel for exchanging messages and files with patients, such as medical instant messaging, where you can be in contact with the patient just like on the channels you are familiar with (Whatsapp, Messenger, email), but at the same time make sure that all conversations and files are securely stored. 

4.Educate your patients. 

Talk to patients about the security of their data and redirect conversations about their health to a secure channel. 

Why is Whatsapp/Messenger or private email not a safe place for me to receive a picture from a patient? 

  1. Whatsapp, Messenger or private email only use so-called transport encryption, meaning that messages are encrypted on the way between stations (e.g. between the message sender and the server). On the Messenger server, on the other hand, the messages are available again as unencrypted text and photos. Photos of patients stored on Whatsapp/Messenger/mail or on the doctor's phone remain vulnerable to external threats.
  2. Whatsapp/Messenger/private email servers do not meet requirements for storing medical records. 
  3. Users are not verified, and if the doctor's phone number/email is changed or mistaken, patient data can end up in the wrong hands. 

How does the Doctor.One medical communicator keep my patients' medical data safe?  

Doctor.One's medical messenger is designed for the secure exchange of messages and files between doctor and patient, and between doctor and doctor. How does the application keep health data secure? 

  1. In accordance with the RODO, all necessary information obligations are fulfilled towards patients who join Doctor.One, and the necessary consents for data processing are received through the application.
  2. Patient images and files are encrypted and stored securely in the app, so the doctor is adhering to his obligation to adequately secure the data, as required by the provisions of the RODO. 
  3. With biometric or PIN login, only the doctor has access to the application. 
  4. Each doctor and patient is vetted to ensure that no information, messages or files end up in unwanted hands and are only available to the doctor who has their patient under their care. 

This article was prepared in cooperation with Olga Dabrowska, a lawyer specializing in data protection law, medical law and IT law.

Article prepared in collaboration with:


Olga Dabrowska

Take the first step today

Regain control over patient communication

Create an account and transfer patients to Doctor.One in 3 minutes!