How is the patient consented?
For consultations performed via the FourteenFish system, consent for recording is obtained on your behalf by our system. Because of this, you do not need to get further consent from the patient. The proof that they consented will be recorded in the audit log for the consultation.
For both phone and video consultations, the patient does not need to consent for the consultation to proceed.
Once the consultation has finished, the doctor will then be able to see whether the patient gave consent. If the patient did not consent to recording, no part of the consultation will have been recorded.
When a doctor performs a recorded phone call with a patient, the patient is played a recorded message as soon as they pick up...
Your doctor would like your permission to record this consultation for training and assessment purposes. If you're ok with that, press 1. To carry on without the call being recorded, press 2. For more information please visit fourteenfish.com/recording
Although this is pretty standard practice, some patients may not be familiar with the concept of pressing numbers on a phone keypad to make choices during a phone call. Or they may not know how to activate the keypad on their mobile phone.
If they don't enter 1 or 2 after five seconds then we ask them again, but this time they can say Yes or No to answer the question verbally.
Sorry, we couldn't detect your response. Please say "yes" if you are ok with the call being recorded, or say "no" to carry on without any recording.
We then interpret the response using speech recognition. Because we are not trying to interpret complex sentences with speech recognition, this is quite accurate. If we aren't certain whether the patient said "yes" or "no" then we ask them again.
The patient is sent an SMS with a link that they tap to join the consultation. They are taken to a web page on their mobile device. This asks for the their consent before starting the video consultation. If they don't consent the video is not recorded.
We also re-consent the patient after the video consultation and give them a chance to change their mind. If they consent to recording and then subsequently revoke their consent, the recording will be deleted.
For all video consultations, and for phone consulations where the patient was on a mobile phone, the patient will receive an automated follow-up text message from FourteenFish if they consented to recording. The patient is thanked and given a link to www.fourteenfish.com/recording where they can find out exactly how the recording might be used.
What if the patient consents and later changes their mind?
Patients are advised to get in touch with the GP practice and you should inform the health professional concerned. The health professional can log in to their FourteenFish account and delete the recording.
Who can access the recording?
The health professional can share the video with their supervisor to get educational feedback. For any user of FourteenFish who is accessing the video areas they have to authenticate using Two-Factor authentication (a password and also a verification code which is sent to their mobile).
For GP trainees who submit videos for the RCGP RCA (Remote Consultation Assessment) the video will also be seen by GP examiners (normally two but occasionally additional examiners might be required). Again the examiner will be viewing the consultation on the FourteenFish system and will require two-factor authentication.
Does the recording ever need to be downloaded?
No, at no point does the trainee have the recording saved on their own device, and recordings are always protected using a login (email and password) plus two-factor authentication (SMS to the trainee's mobile phone).
How are patient phone numbers stored?
If the patient consents to recording, we temporarily store the patient's phone number so that we can send them the follow-up message described above after the consultation has finished.
Once they have been sent the follow-up message, we immediately run their phone number through a one-way encryption process called a cryptographic hash. This is a secure process whereby the phone number gets encrypted in a way that is not reversible, meaning that even we can't get the phone number back.
However, this hashing process still allows us to fulfil any requests by patients under GDPR legislation, because if the patient were to tell us their phone number then we could run it through the same one-way encryption process and see if we have any consultations that match the encrypted phone number. When the consultation recording is deleted, we also delete the hash of the phone number.
If the patient does not consent to recording then their phone number, then we also immediately delete their number from our system since we don't need to send them a follow-up message, and there would not be a recording made of the call.
How will the recordings be stored?
The recordings are securely encrypted and stored on servers located in the UK. We use AES-256 encryption which is once of the strongest mechanisms available.
We ensure that all data to and from our system is encrypted using TLS 1.2 which prevents anyone reading or tampering with the data while it is in transit.
FourteenFish is ISO 27001 certified and audited by the British Assessment Bureau on an annual basis. This means that someone impartial and outside of our organisation evaluates our security management procedures.
Area you looking to perform a DPIA (data protection impact assessment)?
We have more information that you are free to copy or adapt our DPIA for practices page.