WhatsApp in Clinical Practice—The Challenges of Record Keeping and Storage. A Scoping Review

The use of WhatsApp in health care has increased, especially since the COVID-19 pandemic, but there is a need to safeguard electronic patient information when incorporating it into a medical record, be it electronic or paper based. The aim of this study was to review the literature on how clinicians who use WhatsApp in clinical practice keep medical records of the content of WhatsApp messages and how they store WhatsApp messages and/or attachments. A scoping review of nine databases sought evidence of record keeping or data storage related to use of WhatsApp in clinical practice up to 31 December 2020. Sixteen of 346 papers met study criteria. Most clinicians were aware that they must comply with statutory reporting requirements in keeping medical records of all electronic communications. However, this study showed a general lack of awareness or concern about flouting existing privacy and security legislation. No clear mechanisms for record keeping or data storage of WhatsApp content were provided. In the absence of clear guidelines, problematic practices and workarounds have been created, increasing legal, regulatory and ethical concerns. There is a need to raise awareness of the problems clinicians face in meeting these obligations and to urgently provide viable guidance.


Introduction
The use of instant messaging applications, and in particular WhatsApp, to share patient information between clinicians is becoming increasingly common [1][2][3]. An earlier review noted that most WhatsApp use in clinical services was in the developing world [4]. For example, studies from Malaysia, South Africa, and Brazil show that WhatsApp use is common (with 74%, 87%, and 97% of clinicians, respectively, using WhatsApp [5][6][7]), including for second opinions or sharing of patient information. Its use in the developed world is now also common [1,2,8], and has grown further during the COVID-19 pandemic, with searches of PubMed on WhatsApp showing a marked increase in papers: 2018: 94; 2019: 126; 2020: 312; 2021 (to 30 August 2021): 323.
Record keeping and storage of medical records are a legal requirement in many countries [9], and as early as 1999, the World Medical Association (WMA) had made clinicians aware of the need to maintain clinical records of telemedicine consultations [10], reiterated in 2018 together with legal and ethical obligations to protect sensitive patient data [11]. The absence of clear guidelines when using social media apps such as WhatsApp [9] has created problematic practices and workarounds particularly for issues of record keeping and data storage, and only serves to increase legal, regulatory and ethical concerns for patient privacy and the safeguarding of protected health information.
with full text, Health Source Nursing/academic edition, Index to legal periodicals, PsycARTICLES, PsycINFO and MEDLINE.
The search terms used varied according to database (Table 1). After duplicates were removed, titles and abstracts of the remaining resources were reviewed by all authors against inclusion and exclusion criteria, with resolution of any disagreements by consensus. Inclusion criteria were that the paper was in English, reported on WhatsApp in clinical use, and addressed record keeping or storage of WhatsApp messages and attachments. Book chapters, conference proceedings that were not full-length papers, and papers on the use of WhatsApp for behaviour change, education, appointment reminders or medication adherence were excluded. Full-text papers of the resources meeting the criteria were obtained and reviewed by all authors against the inclusion and exclusion criteria until final selection, with consensus. The information was charted in an Excel spreadsheet, and included record keeping and storage steps, country in which the study took place, and the medical discipline involved, and was then categorised by all authors.
The methods of record keeping and/or storage were grouped into five categories.

Group A. Prescribed Action-Electronic
Two papers reported transfer of data from mobile phones to electronic versions of patient notes or departmental records. Transfer was performed manually to a password protected database [21], or to a departmental secure computer [22], also presumably manually. One paper formally reported deleting messages off mobile phones after transfer [21], but this was only inferred from the descriptions in the other paper [22].

Group B. Prescribed Action-Paper Based
Three papers reported 'downloading' of a hard copy/script for record keeping before deleting data from 'participant devices' after a defined period of time [27][28][29], but the method was not described.

Group C. Prescribed Action-Uncertain Electronic or Paper Based
Four papers reported keeping records, but it was not clear from descriptions if this was done electronically or was paper based [24,31,32,35]. Three of these papers formally reported deleting messages off mobile phones [24,32,35]. In a burn service, all communications were removed once the clinical scenario had been addressed, and the importance of record keeping and storage was noted, but no details were provided on how this was done [35]. Ellanti et al. reported that data were deleted from each participant's mobile phone after a 6 month period and although no mention was made of formal storage or record keeping, this was inferred from the descriptions in the paper [32].
Neogi and Panda reported keeping records of all patients physically (either analogue or digital) at the 'referred hospital' and periodically deleting all 'archived data' [24]. Another paper reported photographing a screenshot for saving in the medical record, but it was not clear if and how the screenshots were stored, but it seems unlikely they were printed as it was reported that WhatsApp conversations could not be printed [31].

Group D. Inaction-ePHI Remains on Mobile Phones
Some felt that information stored on the users' mobile phone constituted a medical record [5,25,33,34]. Benefits of this were: a record of communication for audit and training purposes [5,27] and a digital record for future reference such that "lost X-rays are a thing of the past" [25]. In a dermatology service, some messages were stored on the specialists' mobile phones [23].

Group E. Uncertain
Two papers mentioned but did not report evidence of record keeping or storage of WhatsApp message content [26,30]. Dungarwalla et al. acknowledged that records constituted a pillar of good clinical practice and governance but reported difficulties with transferring consults to patient records when using the departmental mobile phone [26]. Williams and Kovarik reported the inability to save data centrally or integrate WhatsApp consultations into a patient's medical record [30]. Of note was that in four retrospective studies, information was accessed from WhatsApp messages stored on the users' mobile phones [22,26,33,34] with no mention of subsequent deletion of messages.

Discussion
While the use of WhatsApp is becoming increasingly common [6,7], there are few papers reporting record keeping and storage of sensitive patient health information contained in WhatsApp messages and attachments. Only 16 papers mentioned keeping records and/or storing of data transmitted using WhatsApp. Further, there is no clear evidence from the reviewed literature as to how, when using WhatsApp, patient information can routinely be transferred to, or incorporated into, a print or electronic medical record to permit record keeping and storage. Surprisingly, there were no reports of copies of WhatsApp messages being sent by email for record keeping or subsequent entry into an electronic medical record, a feature available within WhatsApp.
The absence of clear guidelines on record keeping and data storage has, as previously noted [9], created problematic practices and workarounds that only serve to increase legal, regulatory and ethical concern for patient privacy and the safeguarding of protected health information. For example, there was a general sense of concern about sensitive patient data being shared and stored on mobile phones, but those papers reporting deletion of messages on users' phones did not report the message being deleted from the sender's phone after completion of the case or other specified time period. Patient privacy is at risk when sensitive data are stored on mobile phones, and such practice is common. The problem is not confined to the use of instant messaging but also pertains to clinical photographs. Of 300 French plastic surgeons, 50% stored clinical photographs on their smartphones, whilst in Australia, 46% of dermatologists surveyed stored images on smartphones with limited security measures [36]. In a Canadian survey of plastic surgery residents and physicians, 57% stored such images on their mobile phones, with 73% of these storing clinical images among their personal photos [36].
Furthermore, a mobile phone may be lost or stolen, or content may be inadvertently shared. A survey of plastic surgeons reported 26% of respondents had accidentally revealed a clinical image to family or friends [37]. A safeguard to minimise this type of risk such as password protection was reported in one paper [22]. The term mobile phone "stewardship" has been defined and is applied to the appropriate care and use of mobile phones by health care workers. Good mobile phone stewardship practice recommends that messages are deleted off both the sender's and receiver's mobile phones [19].
Some authors were more mindful of concerns of breaching patient confidentiality but were less forthcoming in declaring their storage practices and even used the data stored on mobile phones for retrospective studies of WhatsApp use [22,26,33,34]. In addition, clinicians used WhatsApp despite recognising non-compliance with privacy laws [1] and/or contravention of organisational policies [38]. The reasons proposed were a lack of training in compliance with regulations [2] and the need for guidelines [39]. There is a general lack of awareness or concern about flouting existing privacy and security legislation, regulations or guidelines [1,2,36] because the benefits to the patient and physicians outweigh the difficulty of compliance.
Ideally, every institution and medical practice should have an IT Governance Policy or Rules and standard operating procedures for the use of instant messaging, which would include record keeping and data storage. The reality is that in the developed world, the literature indicates that they are being ignored; and in the developing world, few medical practices and institutions have IT Governance Policies. No paper reported WhatsApp use in compliance with an IT Governance Policy. Johnston et al. reported special dispensation was given by the hospital's information compliance department for the use of WhatsApp, provided that patient identifiable data were not shared, hardcopy records of the messages were kept, and WhatsApp messages were deleted from the phones at the end of each week [27].
Different approaches to record keeping and storage are possible (Figure 2). The figure shows the basic options for transferring WhatsApp chats (and/or attachments) to print or electronic formats capable of long-term storage, each of which was reported in the identified literature. These options provide potential solutions.
The problematic practices and workarounds noted earlier relate to safeguarding of protected health information, in particular retention of original messaging, long-term storage, encryption, extra-jurisdictional record keeping and storage, consent for subsequent use, and anonymisation.

Retention of Original Messaging
Few reports noted any concern or need for retention of original text messages or attachments, e.g., for audit purposes, although some did consider retention on their mobile devices as long-term 'storage' for clinical purposes [5,25,33,34]. Certainly, the literature implies, and a scan of the web shows, storage options exist through 'back-up' and cloud storage for WhatsApp chats and attachments. However, these will be fraught with their own security and confidentiality issues, and their longevity is uncertain. Many countries require electronic medical records be kept for several years after the death of a patient, but just how long would a commercial entity such as WhatsApp be able, or willing, to guarantee retention?

Long-Term Storage
As workarounds, there are a number of options to print out WhatsApp chats or convert them to pdf documents, which would allow both 'print' and 'electronic' (email; upload) transfer to medical records, offering storage options. However, any transmission of a pdf file (e.g., via email or over a network) would also require compliance with security and confidentiality requirements.

Encryption
Since 31 March 2016, messages between WhatsApp users have been protected with an end-to-end encryption protocol so that third parties, including WhatsApp and Facebook, cannot read them; the messages can only be decrypted by the recipient's mobile phone [40]. All types of WhatsApp messages (chats, group chats, images, videos, voice messages, files) and WhatsApp calls, and any associated sensitive patient information, are protected by this end-to-end encryption, yet use of WhatsApp remains non-compliant with GDPR and HIPAA [12,13]. Furthermore, content may still be vulnerable if used for other purposes before being encrypted or after being decrypted using WhatsApp.

Extra-Jurisdictional Record Keeping and Storage
Increasingly, countries are introducing laws about extra-jurisdictional storage of health data. For example, the GDPR does not allow the storage of sensitive data of EU citizens on servers located outside the geographic area of the European Community [46]. Thus, WhatsApp messages are transmitted (and potentially stored for up to 30 days awaiting delivery) via servers located in the US, which may not comply with a particular country's data protection regulations [26,45]. There has been concern about WhatsApp accessing and sharing information on users' phones; however, this concern may be moot. The information gathered by WhatsApp and stored in the US on their servers is not ePHI, but contact information and possibly images if backed up to the cloud by the user. By downloading and using WhatsApp, all users have knowingly or unwittingly consented to allow Facebook to access and download the telephonic contact details stored on their mobile phone. WhatsApp does share contact details with their parent company, Facebook, but it is important to emphasise that WhatsApp only stores users' contact details, for which consent has been given when first downloading the app. When clinicians are sending messages to each other, WhatsApp is not able to access the patient's contact details. Should a patient and clinician communicate directly with one another, the patient's contact details will already have been accessed by WhatsApp.
WhatsApp's current and updated privacy policy allows Facebook to process additional user data that it collects from WhatsApp and importantly does not permit users, except within the EU, to opt out of accepting this policy. This "take it or leave it" privacy policy has caused concern in a number of countries, who are trying to negotiate an exemption from the policy [47].

Consent
Legislation in many countries requires patient information be used only for the purposes for which consent was originally given, a common ethical principle. Thus, it may be a legal or ethical requirement that a patient give specific written informed consent before sensitive patient information is shared with another health professional or chat group of health professionals. Only one of the reviewed papers mentioned the need for keeping a record of informed consent (for example submitting a photograph of the signed  [24,31] even if only verbal [22,35].
A recent review of consent practices when using WhatsApp found only 18 papers that reported obtaining either written or verbal consent for sharing information and/or images [48]. At one academic hospital, 97% of doctors surveyed did not obtain consent for sharing patient information by instant messaging [49]. Medico-legal providers recommend documenting consent in the patient's notes when sharing images on mobile phones [1].

Anonymisation
Some have considered the use of WhatsApp to be permissible if sensitive patient details were not disclosed [26], and possible workarounds to comply with privacy and data security requirements were also suggested, primarily de-identification of patient information [50] and anonymisation [32]. However, this leads to an untenable conflict between 'de-identification' of messages and transfer to some form of 'record' and highlights the futility of such attempts. There is a spectrum of how anonymised personal health data may be, for example, use of medical record numbers or bed numbers [32], but truly anonymous (or anonymised) data are unacceptable in a clinical setting, where repeated confirmation of identity is the norm. Consider a clinician receiving anonymised data; how could any identifiable record be created from such anonymised data? Retaining the integrity of patient identity is crucial to safe health care delivery, and anonymisation is the antithesis. Merging of electronic (and paper) health records can and does occur but only under strict guidelines that require commonality of key identifiers. Once de-identified, merging is forever precluded.
The need for a WhatsApp-like instant messaging app for the health care sector has been identified [45]. Other instant messaging applications that meet HIPAA and/or GDPR requirements are available: Siilo, Hospify, Simple Practice, Oncall Health, Tiger connect, Trillian and MedX (for Australian registered doctors) [1,46]. In the UK, although Hospify is approved by the NHS, the use of WhatsApp and Telegram has recently been sanctioned "where there is no practical alternative and the benefits outweigh the risks" [51]. Each has strengths and weaknesses.
Study limitations are that while nine databases were searched, the grey literature was not searched (e.g., Google Scholar). Additionally, searches were restricted to the English language.

Summary
Only 16 of 346 papers reporting the use of WhatsApp in clinical practice addressed either record keeping or data storage. Most clinicians were aware that they must comply with statutory reporting requirements in keeping medical records of all electronic communications. For example, it was reported that records "constitute a pillar of good clinical practice and governance" [26] and that there was a need "for proper documentation in the medical record of valuable data and the content of consultations and treatment plans" [29]. Yet, it is clear that clinicians are failing to meet many legal, ethical, and good practice requirements. The reasons seem clear: on the one hand, WhatsApp is ubiquitous, freely available, easy to use, convenient, and meets clinicians' needs. On the other hand, there is no comprehensive, consistent, and comprehensible guidance found in the literature [9] on the acceptable use of WhatsApp, nor how to transfer WhatsApp communications to a print or electronic patient record to allow satisfactory record keeping and storage [9].
There also remain untested limits to existing legislation. For example, the GDPR contains sections limiting the application of other restrictive sections when communications are for "preventive or occupational medicine, . . . medical diagnosis, the provision of health or social care or treatment, . . . ", and when the data "are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies . . . " [52]. Could current concern be greater than required?
WhatsApp is also regularly upgraded and a number of concerns about data security related to message encryption, data transmission and data storage on external servers reported in earlier papers have been resolved. Of current concern is information contained in users' contact lists, names, addresses and phone numbers being collected and used by Facebook. By downloading and using WhatsApp all users have knowingly or unwittingly consented to this, but the people whose information is being shared do not know with whom their information will be shared and how it will be used. This contravenes most existing data protection laws and regulations. The situation remains fluid and in the EU users can opt out of data sharing. A shortcoming of reported literature is the lack of clear statement about which WhatsApp application is being used. For example, WhatsApp for Business should not be used for health care as decrypted messages can be stored on external servers [12]. WhatsApp meets HIPAA requirements for data security during transmission; however, if information is stored on the phone, it becomes non-compliant as the app is not password protected, and the audit trail cannot be ensured as the user can delete the message [13].
Overall, the literature is confusing due to misinterpretation, misinformation, and constant updates to software versions and security protocols, and the introduction of new legislation. Users need to be made aware of the potential implications of the options they choose for record keeping and data and image storage, which may not be appropriate from a legal, regulatory, or ethical standpoint. Combinations and permutations of transmission for record keeping and storage are many. In general, unless specific choices have been made within WhatsApp or a user's mobile phone to upload or back-up text messages, use of WhatsApp for general communication is secure. However, currently, there are no simple 'GDPR/HIPAA proof' solutions to record keeping or storage of WhatsApp content.

Conclusions
The findings of this study are telling. Despite the widespread use of WhatsApp, clinicians are either failing in their legal, regulatory, ethical, and clinical responsibility to keep records of WhatsApp consults, or are not reporting that they do so, nor how they do so. The literature does not report any clear "best practices" for record keeping or the secure storage of patient information obtained using WhatsApp. There is a need to raise awareness of the problems clinicians face in meeting these obligations and to urgently provide viable guidance.

Conflicts of Interest:
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Reported on both record keeping and storage. Temporarily stored messages on the phone for 1 week. Downloaded and kept a hard copy record but did not explain how. Benefits were a record of communication for training purposes.
Reported on both record keeping and storage. Temporarily stored messages on the phone for 1 week before deleting messages off mobile phones. Downloaded and kept a hard copy record, but did not describe how. Applied the same protocol as Johnston et al.
Experience and practices governing the usage of WhatsApp for mobile health purposes in a national cohort of practicing otolaryngologists.
Reported on both record keeping and storage by 'downloading' of a hard copy/script for record keeping before deleting data from 'participant devices' after a defined period but the method was not described.
Group C. Prescribed Action-Uncertain electronic or paper based
Wani et al. [31] 2013

Saudi Arabia
Plastic and reconstructive surgery.
An assessment of the efficacy of smartphone and its WhatsApp application as a communication method amongst the staff of plastic and reconstructive surgery section at tertiary care health facility. WhatsApp was used for various aspects of patient management.
Reported keeping records, but it was not clear from descriptions if this was done electronically or was paper based. The chat conversations were photographed as screenshots for saving in the medical record, but it was not clear if and how the screenshots were stored, but it seems unlikely they were printed as it was reported that WhatsApp conversations could not be printed.
Analysis of WhatsApp communication between non-consultant members of an orthopaedic team over a six-month period. A specific "orthopaedic group" was created on WhatsApp, which included all the non-consultant orthopaedic team.
Reported only on record keeping. Reported deleting messages off mobile phones after a 6 month period and although no mention was made of formal storage or record keeping this was inferred from the descriptions in the paper.
Reviewed use of WhatsApp to facilitate paediatric burn injury consultations to a regional burn centre. A retrospective review of all WhatsApp consultations over an 18 month period. Assessed the impact in terms of reductions in admissions and clinic visits, a cost analysis plus analysis of feedback from those health practitioners regularly using the service.
Evidence of storage only.
Reported keeping records, but it was not clear if it was done electronically or was paper based. Reported deleting messages off mobile phones. The importance of record keeping, and storage was noted, but no details were provided on how this was done.
Investigation of the use of WhatsApp among oral and maxillofacial surgery junior trainees at a level one trauma centre in London. Additionally included a review of existing studies.
Mentioned but did not report evidence of record keeping or storage. A retrospective study where information was accessed from WhatsApp messages stored on the users' mobile phones with no mention of subsequent deletion of messages. Stated that "records constitute a pillar of good clinical practice and governance", but reported difficulties with transferring consults to patient records when using the departmental mobile phone.