Emailing With Patients? Make Sure You Have a Security Policy in Place
Sure email is a great way to keep in touch; it's convenient, fast, accessible and documented. In fact, email is so simple it's easy to forget certain precautions you might take if you were communicating with a client via written communication or on the phone. And now that more and more patients are internet savvy, more and more patients are demanding their physicians answer emails. This trend is bound to only increase.
A main concern with the increase of email communications is that oftentimes people are much more casual in their email communications and the formalities put in place to protect patient confidentiality in the office may be forgotten or ignored. Just such an example happened to a client of mine when the boyfriend of a patient (who had accompanied the patient to several office visits and was known by the practitioner) sent an email in the middle of the night to the vigilant practitioner who checked it, believed there to be an emergent situation requiring disclosure of a sensitive medication. The patient, who had been in a medical facility against her will, submitted a complaint against the practitioner after the fact for an unauthorized disclosure, as the boyfriend was not listed on her HIPAA consent form for authorized access as a third party. (The patient was moderately famous and the boyfriend, while seemingly well intentioned, leaked the medication to the media inadvertently.) Sanctions were taken against the practitioner after the Office of Civil Rights (the government agency responsible for receiving and administering such complaints) found the situation not to be emergent and that access was not authorized.
The above is one example of why it is imperative to make sure that as your patients demand greater access to you and your practice via the internet, you and your practice respond by implementing greater precautions to protect your practice from the potential additional safety breaches from incorporating advanced technologies. Be sure to adopt (as required under the HITECH Act) administrative, physical and technical safeguards for your Security Policy to protect all electronic information and that you and your staff are properly trained in implementing those policies. Also, be sure to communicate to your patients what interactions and content is appropriate with the office on the internet and make sure to clearly define who has access to what patient information by requiring your patients to authorize in writing access to their records by any third party.
If you would like assistance with your Security Policy contact me to discuss. A Security Policy is also included with purchase of HIPAA policies or the Compliance Program available at:
