
Treat E-Mail Carefully to Safeguard Patient Confidentiality


SAN FRANCISCO — Give e-mail correspondence with patients the same care and attention you'd give to paper records, faxes, or phone calls to minimize medicolegal liability, Dr. Jeffrey L. Brown said.

Physicians should be reasonably certain that the person requesting information by e-mail is authorized to receive it, just as would be done with phone calls, he said at the annual meeting of the American Academy of Pediatrics.

Your e-mail system should include an automated response to any e-mails received from patients, acknowledging that an e-mail message has been received and saying that you will respond within a set period of time, such as 24 or 48 hours, said Dr. Brown, of Cornell University, New York, and in private practice in Rye Brook, N.Y. He has no association with companies that market e-mail systems or services.

The automated response should alert patients that confidentiality cannot always be assured in e-mail correspondence, and that you cannot respond to urgent questions posed by e-mail. Patients should contact your office by phone for urgent matters.

The response also should inform patients that if they do not get your reply to any e-mail message within a reasonable period of time—“usually 48 hours,” Dr. Brown said—the patient should call your office because you may not have received the e-mail. If you are away from the office when patients e-mail, the automated response should give the date of your return.

In the other direction, e-mails sent by physicians must be compliant with the Health Insurance Portability and Accountability Act (HIPAA). As with faxes, conventional e-mails must protect the confidentiality of sensitive information such as Social Security numbers, medical identification numbers, laboratory results, diagnoses, medications, and more.

To ensure confidentiality in e-mails, use an encrypted message system, Dr. Brown advised. Solo practitioners or small practices may want to do an Internet search for the term “encrypting e-mail systems” to find a list of encryption providers, he said. Typically, an outgoing e-mail would be sent to the provider, encrypted, and returned to the physician's system before going out to a patient.

Confidential e-mail from physicians should contain a warning disclaimer similar to those used on fax transmissions. A typical disclaimer says the following: “This e-mail contains confidential and privileged information. It is intended only for the individual or entity to whom it is addressed. If you are not the intended recipient, or if you have received this transmission in error, you are hereby instructed to notify the sender and to erase its content and all attachments immediately. Copying, disseminating, or otherwise utilizing any of its content is unlawful and strictly prohibited.”

Treat e-mail messages like other patient correspondence, and file them appropriately, he added. Before erasing e-mail, save the patient's original e-mail and your response as hard copies in the patient's chart or electronically if you use electronic charts. Take precautions to protect confidential information on laptop computers and hard drives, as you would for other records. Use encryption software or change passwords frequently to prevent unauthorized access. Erase all confidential information from hard drives before disposing of them.

Other suggestions include not using your personal e-mail address to answer patient e-mails, not answering a new patient's e-mailed medical questions without first establishing a formal relationship, and not using an indiscreet topic in the heading of your response. “Don't write, 'Your pregnancy test is positive' in the subject line,” he said. “Say, 'I have your lab work,' or something like that.”

“Even if you do all the right things, there is still a possibility that you will be subject to suits,” Dr. Brown said. “In the end, the best defense against legal action is practicing good medicine.”
