Private E-mail Communications Between Physicians and Patients—Identity proofing, Authentication and Encryption
Case study: A plaintiff claims that his physician sent him an e-mail with poor medical advice that led to an adverse medical event. The defendant physician agrees that the e-mail in question provides grossly negligent advice, but claims that she never sent such an e-mail. Unfortunately, the physician had been using her own, personal home e-mail program to communicate with patients without using encryption or authentication software. A costly investigation eventually proved that the e-mail had originated from an unknown third-party spammer who used a technique called “spoofing” to insert the physician’s e-mail address into the "From" field in the e-mail that was sent to the patient.
Although this physician avoided a malpractice suit, she bore the financial burden of a technical investigation to prove the e-mail was not from her. This is only one example of a number of privacy and security issues with physician-patient e-mail. But these problems are avoidable and e-mail can be safely used if the physician can be sure of four things:
- They are using the authentic e-mail address of the patient
- A message received from the patient has actually been sent from their authentic e-mail address
- Each message (sent or received) has not been changed while traversing across the Internet
- Only the physician and the patient are able to read each other’s e-mail messages
E-mail encryption programs and secure messaging programs both provide safeguards that ensure the level of privacy and security needed for physician-patient e-mail. From a legal perspective, these technologies, when combined with appropriate procedures of use, make it very difficult for someone to successfully repudiate (deny sending or receiving) an e-mail in a legal situation. As noted in this case, regular home and business e-mail programs do not typically include such safeguards.
The Texas Medical Board (TMB) specifically requires physicians to “authenticate” patients prior to initiating e-communications, and to only use e-communications with established patients. Although the TMB does not specify how this is to be accomplished, the procedure typically involves “identity proofing” patients during an office visit. Patients physically present themselves to an office staff member who is authorized to register new “users” into the physician’s secure e-mail system. After being registered in the system, the patients will receive the “credentials” that allow them to receive and send messages through that system. The type of e-mail system used by the physician determines the type of “credentials” the office will provide. The credentials may be a password, a biometric feature (e.g., a fingerprint), or a physical device such as a CD, smart card, or thumb drive that contains a password “key”.
After the patient is identity proofed, secure e-mail systems are able to use built-in “authentication” technologies to ensure:
- a message received has actually been sent from the credentialed patient’s mailbox
- a message sent or received has not been changed while it traveled over the Internet
- a message sent can only be received and decoded by the credentialed patient.
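The first two guarantees above, and the spoofed "From" field from the case study, shown as an added example that is not part of the original article or of any particular product: a hypothetical secure messaging server issues each user a secret key at identity proofing and accepts a message only if its authentication tag matches the key registered for the claimed sender. It uses an HMAC from Python's standard library as a stand-in for the digital signatures used by S/MIME or OpenPGP, and does not cover encryption; all names and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side registry, filled in during in-person identity proofing.
CREDENTIALS = {}

def register_user(address):
    """Identity proofing step: issue a random secret key for this address."""
    key = secrets.token_bytes(32)
    CREDENTIALS[address] = key
    return key

def _tag(key, sender, recipient, body):
    # Length-prefix each field so bytes cannot be shifted between fields
    # without changing the tag.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (sender, recipient, body):
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

def seal(key, sender, recipient, body):
    """Sender side: bind the From address, To address and body to the key."""
    return {"from": sender, "to": recipient, "body": body,
            "tag": _tag(key, sender, recipient, body)}

def verify(message):
    """Server side: accept only if the tag matches the claimed sender's key."""
    key = CREDENTIALS.get(message["from"])
    if key is None:
        return False  # claimed sender was never identity proofed
    expected = _tag(key, message["from"], message["to"], message["body"])
    supplied = str(message.get("tag", ""))
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo():
    # Constructed addresses and messages.
    doctor, patient = "dr.example@clinic.example", "patient@mail.example"
    doctor_key = register_user(doctor)
    register_user(patient)
    genuine = seal(doctor_key, doctor, patient, "Take one tablet daily.")
    # Spoofed: From field copied, but the sender does not hold the doctor's key.
    spoofed = {"from": doctor, "to": patient, "body": "Stop all medication.",
               "tag": "0" * 64}
    # Tampered: a genuine message whose body was changed in transit.
    tampered = dict(genuine, body="Take ten tablets daily.")
    return verify(genuine), verify(spoofed), verify(tampered)
```

Because an HMAC key is shared with the server, this sketch authenticates the sender and detects changes but does not by itself give the non-repudiation that a digital signature provides.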
Taking care to set up authentic e-mail accounts with identified patients and using an e-mail program (encrypted e-mail or secure messaging) that includes "authentication" technologies are necessary to establish the trust needed when engaging in private medical conversations. In addition, these workflow procedures and technologies will help the physician stay within HIPAA regulations that require encryption when PHI is sent over the Internet.