It is very important for doctors and patients to maintain open lines of communication. In today’s atmosphere, using the phone seems unnecessary for many situations. It has become our natural inclination to email first and telephone second. Email is fast, efficient, allows for quick response and can be done from virtually anywhere there is a phone or computer. However, there are several issues that must be addressed before doctors and patients use e-mail as their correspondence of choice. First and foremost, privacy and HIPAA must be taken into account and email should always be encrypted.
Protected Health Information (PHI) is information that is protected by the rules and regulations of HIPAA. It is permissible to email such information, but there must be safeguards in place. The first step in protecting the practice is displaying disclaimer notices both in the office and on the website. It should read plainly that there are potential risks using non-secure Internet channels. Also indicate that steps are being taken to ensure security, but there is always a possibility that an email can be intercepted by a third party. Therefore, limit the identifying information (date of birth, social security number, etc) included in any messages.
The second step to protecting the practice is to have patient’s sign a consent to receive emails. Most electronic medical record (EMR) systems now have a field for email. Many can also send appointment reminders and other patient correspondence via email. It is important for patients to understand what their email will be used for if an address is provided. The signed consent should be scanned in the chart and kept in the same manner as NPP and HIPAA forms are kept. It is also a good idea to provide the patient with a copy for their records.
If a patient initiates communication via email, it is reasonable for the provider to assume that it is an acceptable form of communication unless they have specifically indicated otherwise. However, if there is concern that the patient does not understand the risks involved with sending PHI via the Internet and on email, then it is in the physician's best interest to educate the patient. After being alerted to possible risks, the patient can then decide if they would like to continue using email.
Precautions should be implemented to prevent a breach through email. There are both simple things and more complex things that can be done. An easy option is to send a “test” email to the provided address to confirm that the recipient is indeed the patient. Once the correct address is confirmed, emails can then be sent encrypted. Today, many EMR systems offer a secure portal for patients to contact their doctor’s office. Encouraging patients to use that for questions and concerns cuts out any concern about unsecured email. Also available on the market are third party email applications that are HIPAA compliant. These require that the email address be entered into their system. For most offices the task of entering all email addresses into a separate system would be overwhelming. Some of these systems work in tandem with the existing EMR system, pulling the addresses out without any extra work on the practice’s part. The last choice is to manually encrypt every email before it goes out, which is often offered by different email providers and is done on an email-by-email basis.
Contact your EMR system, email provider, and health care attorney to best determine the appropriate route for your office. The better you communicate with your patients, the more secure and impressed they will be with level of health care they are receiving. Being smart about sending PHI and educating both yourself and your staff to avoid breaches is vital to protecting your patients and your practice.