Doctor-Patient E-mail in Practice:
Policies and Procedures
Here are some policies and
procedures that physicians should consider when using e-mail with their
patients:
Outline permissible uses
Given the array of legal problems
that can arise, some attorneys recommend that their doctor clients use
e-mail with patients only on an extremely limited basis. For example,
administrative uses such as scheduling appointments or sending test
results are “pretty low-risk and straightforward,” says
Saliha Khaja Greff, who practices health law with Caplan and Earnest in
Boulder, Colo. Melissa Jackson, an attorney with Blackwell Sanders Peper
Martin in St. Louis, says she advises clients to limit e-mail with
patients to strictly administrative uses. “We provide fairly
conservative advice to our doctors,” she says. “While e-mail
is a good tool, I would not really get into the medical information at
all.” But others say e-mailing patients about their care –
including giving basic medical advice – is becoming an inevitable
part of doing business in some parts of the country, and what really
matters is how you go about it.
While some physicians will use
e-mail purely for administrative purposes, other doctors might allow
patients to ask general questions about their upcoming treatments or
procedures or to ask for a prescription refill, says Lancaster, Pa.,
attorney Jim Saxton. Or “a patient might send an e-mail to a nurse
educator to review the risks and requirements after surgery,” says
Saxton, who represents medical professionals and hospitals and has
written books about proactive risk management. And some clients may
allow patients to actually ask medical questions about symptoms and
illnesses. But there is one thing all attorneys and physicians agree on:
If a question is “time sensitive or medically urgent, it should
never be sent through electronic communication,” says Dr. Daniel
Sands, an internist at Beth Israel Deaconess Hospital in Boston and the
Senior Medical Informatics Director of the Internet Business Solutions
Group at Cisco Systems.
The length of time since the
patient last saw the doctor for treatment should also be taken into
account. “If the physician last saw the patient a year ago, I
would advise a client not to issue a diagnosis over e-mail,” says
Greff. “The same symptoms can mimic any number of
illnesses.” Whatever a physician practice decides, a written
e-mail policy will make clear to patients what they can expect.
Physicians should have patients “sign an informed consent form on
their use of Internet or e-mail services, which includes the permissible
uses,” recommends Greff. “Unless you say it to the patient,
you’re setting yourself up for legal trouble.” Such a policy
might indicate that patients should call if they haven’t heard
back in two business days about a non-urgent matter, Sands says. That
“creates a lack of expectation for an immediate response,”
says Atlanta attorney Barry Herrin, who handles HIPAA and health care
compliance at Smith Moore.
Implement a system
One of the most important things
physicians can do is make sure they keep the limitations of technology
in mind. Doctors “can’t be afraid to say, ‘This
doesn’t feel right, you have to come in’ or
‘Let’s talk on the phone,’” says Sands, who has
written patient-doctor electronic communication guidelines for a number
of organizations. “Just because a message comes in electronically
doesn’t mean you have to handle it electronically.” Saxton
agrees. “Anything that would need a clinical exam still does. When
in doubt, you have to see the patient.” E-mail should also
be avoided when it comes to complicated test results. “If the
results are serious, the physician should call directly,” suggests
Maureen Mondor, vice president of risk management at ProMutual Group in
Boston.
And just like phone messages, any
e-mail correspondence must make its way into the patient’s medical
record, whether in electronic format or printed out. It also helps to
have a mechanism to make sure any e-mails that are sent to a patient
actually make it into his or her inbox, such as an automatic return
receipt function. In addition, doctors could “tee up their e-mail
server to send back a message that says in an immediate response,
‘If you think you’re having an emergency situation, go to
the ER or call 911,’” suggests Herrin. Any doctor who is
going to communicate with his or her patient by e-mail must make sure no
medical information is sent to a work e-mail account. “We strongly
discourage any system that sends protected health information to an
e-mail account controlled by an employer,” says Boston attorney
David Szabo, cochair of the healthcare group at Nutter McClennen &
Fish. “Your employer owns your computer and hard drive and you
have no privacy rights against your employer.”
It should also be clear who from
the office is e-mailing the patient at any given time. To protect
patient privacy, Greff suggests that doctors shouldn’t have
“e-mails to patients accessible to everyone in the office.”
Also, “If you choose to have someone else reading your e-mail, you
have to be totally transparent about what's happening,” says Sands.
“You don’t want someone saying he is Dr. Sands when he is
not.” He notes that it is a HIPAA violation to log in with someone
else’s name and password. If a physician won’t have access
to e-mail for a defined period of time, lawyers recommend that he or she
have an automated out-of-office message.
Guard privacy/security of patient health information
One way to make e-mail
communication with patients more secure is for physicians to use
software to encrypt the e-mail they send. Sands says that individuals
can use software as simple as Microsoft Outlook to encrypt outgoing
e-mail. ZixCorp, where Sands used to work, provides encryption systems
for larger institutions and groups. While encrypting e-mail is a good
idea, it’s not required by HIPAA, says Herrin. “Under HIPAA,
you don’t have to encrypt your e-mail as long as you address the
security concerns you have in your risk management profile,” he
says. Sands suggests that “If you want to use regular unencrypted
e-mail, you should have a policy that says why you’re not using
encrypted e-mail.” Another option is to have all e-mail sent
through a secure communication portal. With a setup like that,
“you log into a secure website and send your communication. When a
doctor or patient has a message, he gets an e-mail saying ‘You
have a message waiting for you on the site,’ and it stays on this
secure server,” says Sands.
Relay Health, an Emeryville,
Calif.-based company, provides such a system. According to the
company’s chief operating officer, Ken Tarkoff, one of the best
features is that the system is set up and controlled by the doctor and
the patient, and they can disconnect at any time. Also, it allows the
doctor to make sure he or she doesn’t “receive medical
messages from a non-established patient,” says Tarkoff.
In addition, Relay Health ensures that all of its products are
HIPAA-compliant. “We are not a covered entity, but all of our
customers are, so we need to supply something that is
HIPAA-compliant,” says Tarkoff.
Another strategy for ensuring HIPAA
compliance is to get the patient’s consent to send health
information in the manner you will be sending it.
For example, an agreement might say: “‘When you send
information to us, it’s not going to be encrypted,’”
Herrin suggests. “The key is getting patient permission so they
can make a knowing and voluntary waiver of any privacy rules.” No
matter what electronic system a physician uses, there are certain
sensitive areas that should generally be kept out of e-mail, including
HIV, sexually transmitted diseases, substance abuse and domestic
violence. Even if it’s not “a problem from a privacy
standpoint [because] it’s secure or encrypted, patients may not be
comfortable discussing it by e-mail,” Sands says. MMLR
– Reni Gertner
This article was originally
published in the Summer 2006 issue of Massachusetts Medical Law
Report.