Introduction

The use of social media platforms such as WhatsApp, Twitter, Instagram, TikTok and Facebook has grown significantly over the years. Both younger and older patients are now largely familiar and comfortable with digital communication and often appreciate the ease and speed of communicating in this way.

The pandemic also increased our reliance on remote communication platforms at a time when face-to-face contact was limited. Most people now have access to a personal mobile device, and it's therefore unsurprising that patients may expect, and want, to use social media platforms and associated private messaging facilities to communicate with their dental professional.

The GDC accepts that social networking sites and other forms of social media are effective ways of communicating on both a personal and professional level. It also acknowledges that social media has blurred the boundaries between public and private life. In its guidance on using social media, the GDC emphasises that the standards expected of dental professionals remain the same whether communication takes place face-to-face or via a social media platform.

DDU advice

It's important to be aware of potential risks and pitfalls of communicating with patients on social media, and our golden rules of social media article over on our main site provides some helpful guidance on this.

However, the following considerations are also important if you're planning to use direct messaging with patients.

Data protection

The General Data Protection Regulation 2018 (GDPR) makes organisations more accountable for the way they collect, store, use and destroy patients' personal information. Organisations (such as dental practices) have a duty to inform data subjects (patients) about how they process data under their control.

The most common way to provide this information is through a privacy notice, and more information can be found on the Information Commissioners Office (ICO) website.

Because a patient's mobile telephone number is personal data, it's important the workplace tells patients what it will be used for. For example, a practice's privacy notice might include using patient's mobile phone numbers for sending appointment reminders. Text messages are now quite commonly used by practices for this purpose, and provided the patient has consented, this type of communication can be a useful and convenient business tool.

Using a patient's mobile phone number for anything other than what's listed in the practice's privacy notice could potentially breach its data protection policies, and possibly lead to a patient complaint or action being taken by the ICO.

We therefore advise the following points to make sure you don't fall foul of the rules.

• Check the workplace's privacy notice before a patient's contact information is used, to ensure that patient has consented to their personal information being used for the purpose(s) you are planning.
• Check your workplace's data protection policies and procedures to confirm your activities are approved by the data controller (who is responsible for making sure the practice is compliant with GDPR).
• Check your associate/employment agreement, as some include clauses to comply with the workplace's information governance, confidentiality and data protection policies. The registered data controller is entitled to set whatever information governance, confidentiality and data protection policies they see fit - and provided those policies are lawful, you are contractually obliged to comply.

Patient data should never be stored on a personal mobile device. The security of personal information may not be guaranteed where public networks are used, and personal devices can also get stolen or lost.

If you hold patient personal data yourself on a device you control, you should be registered with the ICO as a data controller. You would need to have your own privacy policy that you make available to patients, plus policies for data processing and security, retention and destruction.

Professional boundaries

Aside from any contractual obligations, it's essential you adhere to professional standards when directly messaging patients.

The GDC says, "You must maintain appropriate boundaries in the relationships you have with patients." By indicating a willingness to communicate on personal platforms rather than through traditional channels, you may blur the boundaries of your professional relationship. And if you provide your personal contact details to a patient, there is a risk that your intentions might be misunderstood.

Although it may initially be convenient to communicate with patients via direct messaging, a simple conversation about appointment availability (for example) could develop into a clinical enquiry - or even escalate into a complaint.

Giving clinical advice

Under GDPR, health information is classified as 'special category data' and can only be processed if certain conditions are met - there's information on the ICO website and Schedule 1 of the Data Protection Act 2018. Special category data requires extra protection, and it is not appropriate for direct messages to contain health information unless this is in place.

The propriety of providing clinical advice via direct messaging must also be considered, as a professional duty of care is owed to a patient whether advice is given face-to-face or remotely. Direct messaging might impose constraints on your ability to provide appropriate advice and communicate effectively.

You might also need to take into account the patient's location, as providing dental treatment across jurisdictional boundaries may lead to allegations of the illegal practice of dentistry, and complications might arise if a patient where to bring legal action against a provider.

Summary

The evolution and integration of technology into professional practice undoubtedly offers new opportunities to deliver innovative services to patients.

However, the appropriateness of direct messaging with patients must be carefully considered, with full regard to professional standards, regulations, and laws. Professional boundaries, record keeping, confidentiality, data protection and jurisdictional issues are some of the things that must be weighed before direct patient messaging begins.

It is also important to remember that disclosing direct messages may be necessary if a complaint, claim, or regulatory matter arises.

Workplace communication platforms may offer a secure and GDPR compliant alternative, where records of patient communications can be more seamlessly integrated into the appropriate systems and the risk of professional boundaries becoming blurred is reduced.

Want to know more?

We offer practice presentations to GROUPCARE members on a wide range of dento-legal topics, including data protection and confidentiality. Find out more here.