Lawful E-Medical Communications by Physicians
JONATHAN BICK, JD, LLM is of counsel to Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is the author of 101 Things You Need To Know about Internet Law, which was published by Random House in 2000.
Banks and retail firms have proven that Internet technology can both greatly reduce errors and increase productivity. Physicians are learning this lesson, too. However, unlike the banking and retail industries, which have successfully mastered using the Internet while complying with legal standards for privacy, many physicians have not.
This deficiency may prove costly to those physicians who fail to comply. The reason is simple. E-mails are files for Health Insurance Portability and Accountability Act (HIPAA) purposes. Most physicians have a HIPAA-related legal obligation to implement reasonable e-mail procedures. Those failing to do so face fines.
Today, many patient-physician e-mails contain material that exposes physicians to legal difficulties. To use e-mail communications lawfully, physicians must consider how to comply with special e-medical privacy matters. Otherwise, in addition to HIPAA-related sanctions, physicians will face such causes of action as breach of confidentiality, invasion of privacy, breach of contract, and breach of fiduciary relationship, if they are considered to have unreasonably publicized medical information.
Physicians have found that medical errors can be reduced when the Internet is used to send electronic medical records and information. It has been shown that the Internet can improve the speed and accuracy of transmission of patient medical data. While physicians continue to rely on personal and telephone contacts to practice medicine, they are increasingly using e-mail to communicate with patients, insurers, and colleagues.
Physicians who use e-mail must comply with federal and state statutes that set forth both direct and indirect e-mail limitations. While, for the most part, state constitutional provisions protect against governmental intrusion into an individual's privacy, specific state statutes do provide for individuals to take legal action against other-than-governmental intrusion. For example, the HIPAA Data Transaction Rule poses both direct and indirect limitations on a physician's use of the Internet. Similarly, the Privacy Act of 1974 (5 U.S.C. 552a) and the Freedom of Information Act (FOIA; codified at 5 U.S.C. 552) limit e-mail use by physicians as well. In particular, these statutes do so by detailing protection requirements for medical records at Medicare and Medicaid programs maintained by a federal agency, insurance companies acting as intermediaries for the Medicare program, and hospitals maintaining medical records under a government agency contract.
State statutes also limit physicians' e-mail use. Consider N.Y. Civil Rights Law 50-52 (McKinney 1998), which protects various individual privacy rights and provides private rights of action, all of which restrict a physician's e-mail use. Another example is N.Y. Pub. Health Law 280S-c(S)(f) (McKinney 1998), which provides for the confidentiality of hospital patients' medical records when e-mails are used.
The content of an e-mail sent from a physician to a patient passes through many third-party computers before it is received by the patient. Each of these third-party computers stores a copy of the e-mail message. These messages may be readily retrieved by unauthorized third parties unless the physician prevents this from happening. Physicians have a legal obligation to take affirmative action to prevent such unauthorized access. As detailed below, such action is easily described and is generally not costly to implement.
The American Medical Informatics Association established guidelines for physician-patient interaction via e-mail in 1998.¹ These guidelines address proper protocol for physicians to follow in e-mail communication with patients.
It is recommended that physicians do not use e-mail for urgent matters and that they obtain informed consent from their patients before using e-mail to communicate with them. Physicians should not forward patient-identifiable information to third parties without patient permission. The guidelines also suggest keeping a backup of all e-mail communications.
In New Jersey, as in most states, the scope of "medical records" includes all records kept in the usual course of the practice of the health care provider. It is, therefore, necessary that any document uniquely concerned with a patient’s care become a part of a patient’s permanent medical record in order to prevent legal difficulties. Thus, physicians should take steps to integrate e-mail communications between patients and providers into their record keeping process.
Physicians with electronic patient files can simply send a copy of the patient e-mail to the electronic file at the same time that it is sent to the patient. Physicians who use traditional filing systems can comply with this legal requirement by having all physician e-mails automatically printed and placed within the patients' files.
Failure to document such e-mail communications can lead to serious injury and malpractice claims. A failure to preserve e-mail-related medical records information might constitute malpractice if a patient is injured by a health care practitioner’s actions that result from erroneous assumptions about the patient's medical record.
Informed consent for release of medical information likewise has become a standard feature of modern medical practice. The use of e-mail for communications of medical matters between a physician and a patient should be integrated into such signed releases. In order to further insulate physicians from privacy-related tort suits, physicians should tell the patient how e-mails are handled in both their offices and the hospitals. This information should include who generally has access to the records, and how hard or easy it is for others to obtain the information found in them.
Currently physicians are using e-mail to maintain and disseminate patient information. To do this, physicians are using e-mail to send electronic medical records that contain all the data normally found on paper medical charts. Because they are in electronic form, both authorized and unauthorized users can gain access to the data through an Internet connection, particularly when these e-mails are lodged at portals (i.e., special Internet sites for hospital employees or clinicians who practice at a particular health care facility).
On the positive side, this use of e-mail allows additional checks of patients' records for prescriptions to verify that the drug selected is appropriate for the patient. On the negative side, this use of e-mail results in electronic patient records that give rise to novel legal problems concerning the conservancy, privacy, and confidentiality of those records.
Lodged in physicians' use of e-mail is the potential for unlawfully mishandling patient data, in particular the abuse of personal information in a deceptive and/or misleading fashion. Such mishandling of patient data can give rise to remedial proceedings under most state consumer-protection laws. For instance, New Jersey could take action against health care providers who have shared personal medical data with third parties, such as private practice medical groups, without disclosure to, or consent from, their patients. This would be a violation of state consumer-protection laws.
The increased use of e-mail by the general population and the lack of any specific prohibition against Internet communications by physicians have resulted in an increase in virtual-bedside medical communications. To protect physicians against legal difficulties associated with this trend, health care providers should examine all the legal facets of Internet patient-physician communications and electronic data storage.
Physician associations should consider providing education initiatives for their members about medical record privacy and health information security that explicitly address Internet patient-centered communication with health care professionals. They might also provide physicians with legally appropriate guidelines for Internet communication systems and the preservation of patient-physician relationships.
Practice guidelines prepared by health care provider associations have traditionally been recognized by the courts as a standard by which health care providers' actions have been judged. The conservancy, privacy, and confidentiality of electronic medical records are no exception.
Physician associations might suggest that all health care provider e-mails be copied to a patient's electronic file to address laws concerned with conservancy issues. They might suggest that e-mail from health care providers be sent as attachments that require a password to open rather than in the body of an e-mail in order to address legal privacy issues. They might suggest limiting access to e-mail files to address confidentiality legal issues.
To protect themselves from legal difficulties, physicians should ensure that patients are informed of the privacy implications and inherent risks of e-mail communication as part of an informed e-mail consent process, which should conclude with a signed, written consent form.
Physicians and patients should recognize that e-mail messages (either in an electronic form or as a paper transcript) must become part of patients' medical records. Physicians should be trained to treat e-mail with the same level of conservancy, privacy, and confidentiality protections afforded to all medical records.
Health care provider managers should provide their employees notice and training with respect to electronic records. Employee handbooks and annual training sessions should be employed to ensure that the action of a rogue employee is not imputed to the employer.
In conclusion, existing law imposes a duty upon physicians to protect their patients' confidences. Physicians are required to insulate their patients' e-health data (including e-mail communications) from public view. To comply with this duty, with respect to patient e-data generally and e-mail specifically, a physician's duty is more than a pro forma awareness. Rather, physicians have a legal obligation to take precautions to secure patient health e-data through both defined and enforced office practices. NJM
1. B. Kane and D.Z. Sands, "Guidelines for the Clinical Use of Electronic Mail with Patients," J. Am. Med. Informatics Assn. 5 (1998): 104, 106-108.