E-mail

April 01, 2011

Private E-mail Communications Between Physicians and Patients—Identity proofing, Authentication and Encryption

Case study:   A plaintiff claims that his physician sent him an e-mail with poor medical advice that led to an adverse medical event.  The defendant physician agrees that the e-mail in question provides grossly negligent advice, but claims that she never sent such an e-mail.   Unfortunately, the physician had been using her own, personal home e-mail program to communicate with patients without using encryption or authentication software.  A costly investigation eventually proved that the e-mail had originated from an unknown third-party spammer who used a technique called “spoofing” to insert the physician’s e-mail address into the "From" field in the e-mail that was sent to the patient.

Although this physician avoided a malpractice suit, she bore the financial burden of a technical investigation to prove the e-mail was not from her. This is only one example of a number of privacy and security issues with physician-patient e-mail. But these problems are avoidable and e-mail can be safely used if the physician can be sure of four things:

  1. They are using the authentic e-mail address of the patient
  2. A message received from the patient has actually been sent from their authentic e-mail address
  3. Each message (sent or received) has not been changed while traversing across the Internet
  4. Only the physician and the patient are able to read each other’s e-mail messages

E-mail encryption programs and secure messaging programs both provide safeguards that ensure this level of privacy and security needed for physician-patient e-mail.   From a legal perspective, these technologies, when combined with appropriate procedures of use, make it very difficult for someone to successfully repudiate (deny sending or receiving) an e-mail in a legal situation.   As noted in this case, regular home and business e-mail programs do not typically include such safeguards.

The Texas Medical Board (TMB) specifically requires physicians to “authenticate” patients prior to initiating e-communications, and to only use e-communications with established patients.   Although the TMB does not specify how this is to be accomplished, the procedure typically involves “identity proofing” patients during an office visit.   Patients physically present themselves to an office staff member who is authorized to register new “users” into the physician’s secure e-mail system.   After being registered in the system, the patients will receive the “credentials” that allow them to receive and send messages through that system.  The type of e-mail system used by the physician determines the type of “credentials” the office will provide.  The credentials may be a password, a biometric feature (i.e. finger print), or a physical device such as a CD, smart card, or thumb drive that contains a password “key”.

After the patient is identity proofed, secure e-mail systems are able to use built-in “authentication” technologies to ensure:

  • a message received has actually been sent from the credentialed patient’s mailbox
  • a message sent or received has not been changed while it traveled over the Internet
  • a message sent can only be received and decoded by the credentialed patient.

Taking care to set up authentic e-mail accounts with identified patients and using an e-mail program (encrypted e-mail or secure messaging) that includes "authentication" technologies are necessary to establish the trust needed when engaging in private medical conversations.   In addition, these work flow procedures and technologies will help the physician stay within HIPAA regulations that require encryption when PHI is sent over the Internet.

Posted at 05:07 PM in Current Affairs, E-mail, EHR, EHR products, Legal/Compliance, Meaningful Use | | Comments (0) | TrackBack (0)

| | | | | |

November 30, 2010

Physicians Use E-mail With Patients Safely By Avoiding Misuse, Mishandling and Medicolegal Issues

Effective communication is a hallmark of patient satisfaction with their physician as well as with quality outcomes.  It is not surprising that surveys reveal more than 90% of patients desire to e-mail their doctors.  Physicians, however, are tentative about moving forward. In a 2009 survey by the Texas Medical Association, only about 20% of physicians reported the use of e-mail with their patients.

Those of us who do successfully use e-mail with patients know that we must be attentive to the risks involved to use e-mail safely. We also recognize that in order to use this technology efficiently we have to think about our work flow and be smart about redesigning it.  The risks of using e-mail with patients can be categorized into misuse, mishandling and medicolegal issues.

Misuses of physician-patient e-mail include:

  • seeking or providing new diagnoses/treatments
  • using e-mail with new patients with no previous face-to-face encounter
  • communicating on sensitive matters such as HIV, sexually transmitted infections, genetics and mental health
  • using e-mail for urgent or emergent issues
  • writing long, complex messages
  • using e-mail attachments with formats that patient’s computers may not be able open and read
  • forwarding e-mails from patients without their consent
  • advertising or promoting goods and products through e-mail

Mishandling issues with physician-patient e-mail include:

  • problems with e-mail triage or distribution within the office such as failure to adhere to established protocols or meet expected turn-around times for actions/replies
  • physicians using their personal e-mail accounts to send e-mail to patients
  • misunderstandings by patients/office staff regarding over who actually received, sent or replied to messages (authorship issues)

Medicolegal, privacy and security issues include:

  • failure to properly identify patients and verify e-mail addresses
  • privacy breaches
  • security problems with the e-mail system or related computer systems
  • not getting e-mail communications into the patient’s medical record
  • repudiation issues (i.e. patient denies sending or receiving an e-mail)
  • accountability issues
  • legal e-discovery issues
  • medical liability associated with diagnoses/treatment
  • failure to follow Texas Medical Board rules, HIPAA regulations or other on privacy/security regulations

These issues are certainly not insurmountable.  With an awareness and understanding of the rules, regulations and guidelines published by one’s state medical board, HIPAA, professional societies and other professional organizations such as the AMA, a physician can develop a set of policies and procedures to safely and efficiently use e-mail with their patients.  The procedures should include oversight mechanisms, adequate training of staff, adherence to privacy and security regulations, appropriate identification and authentication of each patient who consents to the use of e-mail and patient education to clarify what the physician will allow e-mail to be used for.  Patients should also be educated on how the office will manage e-mail messages and on what the expected turn-around times for replies will be.

Posted at 10:31 PM in E-mail, Legal/Compliance, Safe EMR Use, Work Flow | | Comments (0) | TrackBack (0)

| | | | | |

Categories

Search

Recent Posts

Twitter Updates

    follow me on Twitter

    Archives

    More...

    Enter your email address:

    Delivered by FeedBurner

    Bookmark and Share

    *

    *

    *