Email Communication can Pose Risks
Q. Some patients have requested that my office use email to communicate with them. Does this present a problem?
It depends. Physicians always have an obligation to protect patients’ personal health information (PHI), regardless of the mode of communication. And while email and text messaging are convenient, these methods of e-communication can be compromised.
One of the major risks of using modern technology to communicate personal health information is that it could be inadvertently disclosed to someone who should not have it. This can happen in a variety of ways:
- Wi-Fi networks and telemedicine communications can be unsecure (particularly free Wi-Fi networks in public places);
- Emails can be sent to the wrong recipient or otherwise intercepted;
- Unauthorized readers can access computer files;
- Mobile devices can be lost or stolen; and
- Erased hard drives or USBs can contain private information.
If a patient does not have secure, encrypted platforms for email or text messaging, then the physician’s office should generally limit communications to information that does not include identifiable personal health information, such as reminders or scheduling.
We recognize, however, that it is becoming more common for physicians to receive unsolicited emails from patients. In managing these communications, and assuming that the patient is using unencrypted technology, the CPSO’s Protecting Personal Health Information policy requires physicians to consider whether it is reasonable to communicate with patients through unencrypted e-communication. The factors the policy asks physicians to take into account are:
- The degree of sensitivity of the PHI being communicated;
- The volume of information and frequency of e-communication (the one-off email may be fine, but frequent communications through unsecured platforms could be problematic);
- The purpose of the transmission (i.e., a scheduling reminder versus a sensitive test result);
- Patient expectations (e.g., patient preference);
- The availability (or lack thereof) of alternative methods of communication; and
- Any emergency or other urgent circumstances (if the matter is time-sensitive, for example, the safety concern may outweigh the privacy obligation).
Where you determine that it is reasonable to use unencrypted e-communication, you must obtain the patient’s express consent, which includes providing information about the risks and limitations of using unencrypted e-communication (see below). It is not sufficient to rely on implied consent based on the fact that the patient initiated the e-communication, since the patient may not be (fully) informed of the risks of communicating PHI over unsecure email. Be sure to also document that express consent was obtained.
Where you determine in the circumstances that it is not reasonable to communicate through unencrypted e-communication, consider suggesting that the patient use a more secure method.
When obtaining the patient’s express consent to use unencrypted e-communication, physicians must inform the patient about:
- How this kind of e-communication will be used;
- The type of information that will be communicated;
- How the e-communication will be processed; and
- The limitations and risks of using unencrypted e-communication.
The purpose of this column is to address practice management issues that have a wide applicability across the profession. If you have any questions or topic suggestions for this column, please email them to [email protected].