Can’t you just email it?
Sally left a voicemail asking for a copy of her prescription for her next trip, in case she loses her glasses. She doesn’t have time to come in, so can you email it to her? Lawyer RUANNE BRELL explains what to consider before pressing “send”.
Electronic communication has become even more essential for healthcare during COVID-19 related isolations and lockdowns. However, there is still some confusion among practitioners about how to communicate via email without infringing on patient privacy.
Communication by e-mail requires reasonable measures to protect confidentiality
Medical information is considered sensitive information under the Privacy Act, but that does not mean that email communication is prohibited. In fact, healthcare organizations can communicate with or about patients using unencrypted email, as long as they take “reasonable steps” to protect the information being transmitted and patient privacy.
The Office of the Australian Information Commissioner (OAIC) Guide to Securing Personal Information provides guidance on what steps are considered reasonable.
Practices should develop clear policies and procedures for using email and ensure staff understand them.
Is it appropriate to send an email?
Always ask yourself if email is appropriate for the situation and the information you are communicating.
For example, if you need to deliver bad news to a patient or communicate complex or difficult information, this will usually require a face-to-face discussion.
You can send urgent information by e-mail, but make sure you have a process to verify that it has been received.
Since email is not a secure form of communication, it will be inappropriate for certain types of information or under certain circumstances. This applies even if the information itself seems relatively innocuous, such as an optical prescription, so use your judgment and knowledge of the patient’s situation to determine if email is appropriate.
Inadvertent disclosure of personal information such as a home address to the wrong recipient would breach privacy and could potentially cause harm.
Confirm patient consent
Also check that the patient understands that email is not secure and confirm that they still want the information sent this way. Keep a copy of their consent if they give it in writing. If the patient consents verbally, document this in the clinical record.
Check the address
Private information emailed to the wrong recipient accounted for nearly 18% of breaches reported to the OAIC during the last reporting period (June to December 2021).
Always check:
• Which address the patient wants you to use. Patients may not want health information sent to a work or shared address.
• That you have typed the correct address – pay special attention to auto-complete errors, which could cause the software to complete a recently or frequently used address instead of the one you started typing.
Ideally, contact the patient and ask them to email their request to you. You can reply to this address, which both ensures that you are using the correct address and confirms their consent.
Protect sensitive information
Your policy should also indicate whether clinical or sensitive information should only be sent as an attachment, or sometimes in a password-protected file. You need a protocol for providing the passwords (for example, phone the patient with the password).
It is always best to ensure that there is no sensitive information in the body of the email.
Use a confidentiality clause
Although you want to avoid sending emails to unintended recipients, it’s always helpful to include a privacy disclaimer as an extra layer of protection.
Document and communicate your approach
Make sure someone in the practice is responsible for handling incoming emails appropriately and in a timely manner. All emails should also be documented in the patient’s clinical record and stored appropriately. Your policy should also outline how to handle and store clinical images sent by email.
If you have an email address on your website, make it very clear how and when that address is monitored.
You may need to add a disclaimer that patients should not use email if they need an urgent response and provide another appropriate emergency contact. This information could also be included in an automatic response for emails sent to this address.
Disclaimer: This article is intended to provide general feedback and information. It does not constitute legal or medical advice. You should seek the advice of an attorney or other professional before relying on any content and make appropriate clinical decisions based on individual circumstances.
ABOUT THE AUTHOR: Ruanne Brell is Senior Legal Counsel on Avant’s Advocacy, Education and Research team and has nearly 20 years of experience in health and medical law.