Let’s imagine a case, based on reality but essentially a thought experiment. You are working in the ED resus area when you receive a young unconscious patient from the paramedics. They had been found alone in an alleyway in the late evening. There were no witnesses to what happened and you really don’t know what’s going on. Your patient is unconscious with a GCS of 6 (E1, V1, M4) and dilated pupils. Their pulse is 47 with a blood pressure of 97/51. You can find no evidence of external injury and no obvious reason why your patient is unconscious. Your working diagnosis is that this is probably a tox case, but you can’t be sure.
As you prepare for an RSI and CT Brain, you get on with maintaining the airway, obtaining IV access and getting bloods off to the analyser.
But who is this patient? You have no ID and no information on them. Wouldn’t it be helpful if we knew who they were? If we did then perhaps we could have a look on our hospital database to check on past admissions, medicines, and of course if they are critically ill we should consider contacting their family. So, as you are prepping for the clinical management of the patient your team goes through the patient’s pockets looking for clues. They might find a bag of drugs, a suicide note, an alert bracelet, all sorts of useful information that could guide your clinical management of the patient, but there is nothing obvious there. All you find is a train ticket from Leeds to Virchester and an iPhone 6.
There’s nothing much to go on… or is there? That mobile phone must have information on it. Perhaps there is something useful, and so you touch the screen and swipe right to look on the lock screen. Down there on the bottom left there should be emergency information that can be accessed by anyone. It will also display your weight from the health app (blushes), together with name, height and any specific medical info you’ve put such as medications, allergies and blood groups. Sadly, your patient has not filled it in and so you still don’t know anything about your patient. That is until one of your nurses suggests that we unlock the phone with the patient’s thumbprint.
If you don’t already know then this is eminently possible. By holding the patient’s thumb to the phone you should be able to access the contents and go looking for… well, what exactly? I suppose we could probably find out who they were by looking at their text messages and perhaps even by phoning a contact based on their recent call history. You might look to see if they have their home number listed, or maybe someone called ‘mum’ or ‘ICE’. Suffice to say that the little phone in your pocket probably contains a wealth of information that can identify you, your friends and family, your habits, desires and preferences.
So, should you do it? Should you hold that phone to your patient’s thumb and log into their phone right there in the resus room?
This is a real question that I was asked recently with a similar case, and to be honest I did not know the answer. On the one hand it’s always useful to know who your patient is, on the other it feels like a huge invasion of privacy and a break of confidentiality. We needed to know more, so the next day I started a poll on Twitter. You can see the results below.
Unconscious pt arrives in ED
Has iPhone – can you use their thumb to unlock (without consent) for info?
— Simon Carley (@EMManchester) February 20, 2016
So we clearly don’t know. Of the 735 people who answered the poll (which I conducted without ethical approval btw) the majority of people thought that it was fine with many comments suggesting that it was no different to going through the patient’s pockets. A minority thought it was absolutely not the right thing to do and about a third said it depends (we’ll come back to this). The bottom line is that there is no consensus and so I can only presume that practice varies across the UK and the world.
So, can we do this?
Practically – yes. Legally, I’m not so sure. I asked a friend (Oli May – husband of Nat) who knows about these things and got the following back. Now neither Oli or myself are lawyers and this is not legal advice but let’s have a think about how this could play out in the UK.
from Oli May
The key relevant legislation for me is s1 of the Computer Misuse Act 1990. While this pre-dates smartphones, and there has been some discussion recently about whether it should be updated to specifically cover them, the CPS argues that subsequent case interpretation is viewed as capable of covering a smartphone. In fact one legal blogger has heard of argumnents that it might even cover internet-enabled fridges!
The offence of unauthorised access only requires three components:
The person interacts with the computer to obtain access to a program or information
That it is unauthorised access;
That the person doing it knows that it’s unauthorised.
So this fits your scenario by definition. It carries a potential custodial sentence and a fine.
As what is being described is a criminal offence, there needs to be either (1) a defence/protection from liability defined in law that is available to a doctor to use (e.g. the sort of thing that you might find in the Mental Capacity Act), or a (2) power conferred upon them by some other part of law to carry out this action.
So my question is, what legal powers or defences exist for doctors here? I don’t know of any nor whether the CMA would be relevant here.
Further, if there is no power or defence, and if the doctor takes hold of and manipulates the patient’s finger/thumb in order to access the smartphone, this could be seen to open the doctor to a further challenge given that this is a criminal offence and therefore not acceptable physical contact with a patient. If it is an offence, then it isn’t in the best interests of the patient.
Would a doctor be prosecuted, in your scenario? In theory this is possible if a defence/protection from liability or a power does not exist, but the greater risk it would seem to me is civil litigation by the patient concerned; information security and privacy is a hot issue (see current controversy between the FBI and Apple).
So, to round this off, if I was standing in your ED while you contemplated the scenario, I’d suggest you ask yourself: Do you have a power or defence/protection from liability to do that? If not, or if you don’t know, is it really necessary – do you need that information, and have you exhausted all other avenues to get that information? Are you then prepared to take this risk?
So this is really interesting. The key message here for me is that this is not the same as going through someone’s pockets and that if we do access the phone then someone may argue that we are committing an offence. Now, as clinicians we all know that prevention is better than cure and so it looks to me as though we really should not be casually wandering into our patient’s phone.
Any other complexities?
Just one. On the iPhone if you have notifications enabled on accounts like Instagram, text messages, whattsapp, Tinder, Grindr, (Ed – you’ve only put those in to check people are reading) then they will be accessible by scrolling down from the top of the screen without a passcode. I have no idea whether accessing them could constitute an offence. You could argue that this is still an interaction to obtain information and therefore appears to break the rules.
Is there a defence of necessity?
Again, I’m no lawyer but I can imagine an analogy with principles of confidentiality. We try to maintain our patient’s confidentiality unless there are vital reasons not to do so. There are number of circumstances where we can break confidentiality for the protection of the patient or public, and the test for this is understandably high (see GMC site here for UK examples). The question we need to ask is whether there are any circumstances in the resus room where we might need to obtain phone information.
What would that information look like? Firstly, it would have to be time critical. If we can wait for the Police to arrive in order to help identify (interestingly they have hand held fingerprint recognition devices these days) our patient then we should leave it to them, they are good at that sort of thing and will be similarly motivated to find out who the patient is through their legal authority. Secondly, we would have to be looking for information that would make a difference to the way in which we are going to treat our patient at that moment in time. It may be very important later on to contact family if we discover our patient to be critically unwell or even dying, but right at that initial moment in time in the resus room you must ask yourself ‘what do I need to know, and how would accessing the phone answer that’.
I think this is why we had 30% of people saying it depends in our Twitter survey. Maybe they can think of a scenario where we need to know right there and then, and before the police arrive. I’m struggling to think of such a scenario, but it may exist.
What happened with our patient?
It was a really interesting question raised in resus. We thought about accessing the patient’s phone but asked ourselves the question ‘Do we need to do this now, and if so why?’. As a team we could not think of doing anything different at that moment and so we did not access their phone (they were fine btw).
The Bottom Line
Unless I hear otherwise in the form of a legally qualified opinion I won’t be breaking into my patients’ phones unless a scenario arises where I can honestly say that I need to know information on that phone right there and then. In that case I would be able to clearly articulate 1. What I was looking for. 2. Why I need that information right now. That’s my test, and I think Swami agrees with this.
@EMManchester can? Yes. Should? Yes. If even sliver of info that may save pt I'd do it + face consequences later knowing I did best for pt
— Anand Swaminathan (@EMSwami) February 26, 2016
As ever, we’d love to hear your thoughts on this, and if there is anyone out there who has the definitive UK legal answer please send us a message so that we can share it widely. If you have an international perspective then please share that too.
Check out the comments below and especially from Charles H. There is an alternative route to accessing identification and contact information if the phone has Siri enabled, and if contacts have been saved with tags (such as mother/father etc.)
Watch this video to find out how and why.
PS. Check your phone. Have you filled in YOUR details? Check your family and friends too…..
Before you go please don’t forget to…