Patient e-Data Law
New Jersey Law Journal March 25, 2002
Copyright 2002 NLP IP Company - American Lawyer Media
HEADLINE: Securing Patient Health E-Data
BYLINE: By Jonathan Bick
As health-care providers embrace the Internet to reduce medical error, they must make sure not to unreasonably publicize patient medical information to avoid facing such causes of action as breach of confidentiality, invasion of privacy and breach of contract.
Medical errors can be reduced when the Internet is used to communicate electronic medical records and information. Currently health-care providers are using the Internet to maintain and disseminate patient information and to distribute recent medical findings and guidelines.
Providers are using electronic medical records that contain all the data normally found on paper medical charts. Because they are in electronic form, the data can be accessed via a secure Internet connection by any authorized user, even by multiple users at the same time. These records are found at portals, that is, special Internet sites for hospital employees or clinicians who practice at a particular health-care facility. The Internet can give patients and health-care providers easy access to the information, allowing each to make corrections. And while providers continue to rely on personal or telephone contacts to practice medicine, they are also using e-mail and other forms of electronic communication to interact with patients, insurers and colleagues.
The problem, however, is that providers have yet to sufficiently focus on preventing the legal difficulties that arise when employing the Internet.
The Institute of Medicine defines practice guidelines as systematically developed statements of recommendation for patient care management to assist the practitioner and patient when making decisions about appropriate health care for specific clinical circumstances (see 23 J.L. Med. & Ethics 49).
In most state courts, a practice guideline may be introduced by a party as evidence of the specific legal standard of medical care required by the facts of the particular case. But many health-care providers have not integrated the Internet into their practice guidelines.
When health-care providers use the Internet for patient communications, they must comply with a number of federal and state statutes. The Privacy Act of 1974 (5 U.S.C. 552a (1998)) and the Freedom of Information Act (codified at 5 U.S.C. 552 (1998)) limit e-mail use by health-care providers.
In particular, these statutes prescribe protections for electronic medical records at Medicare and Medicaid programs maintained by a federal agency, at insurance companies acting as intermediaries for the Medicare program and at hospitals maintaining medical records under a government agency contract.
Practice guidelines prepared by health-care provider associations have traditionally been recognized by the courts as a standard by which health-care providers' actions have been judged. The conservancy, privacy and confidentiality of electronic medical records are no exception.
E-mail provides instantaneous delivery of information and does not require that the recipient be present. Unfortunately, e-mail is more susceptible to interception than traditional methods of communication. In addition, e-mail can be forwarded to unintended or unknown recipients and can be printed out, copied and circulated manually.
Moreover, the content of an e-mail passes through many computers between the time it is sent and the time it is received, and each of them may retain a copy of the message in its queues, logs or backups. Such copies may be readily retrieved by unauthorized third parties. Health-care providers have a legal obligation to take affirmative action to prevent such unauthorized access.
To assist physicians eager to begin e-mail dialogues with their patients, the American Medical Informatics Association established guidelines for physician-patient interaction via e-mail in 1998 (see Beverley Kane & Daniel Z. Sands, "Guidelines For The Clinical Use Of Electronic Mail With Patients," 5 J. Am. Med. Informatics Ass'n 104, 106-08 (1998)). These guidelines address issues of proper protocol for physician engagement in e-mail communication with patients.
In brief, the guidelines recommend that physicians not use e-mail for urgent matters. Physicians should obtain informed consent from patients before e-mail communication is used. Physicians should not forward patient-identifiable information to third parties without patient permission.
The e-mail system retains a stored copy of the message and can restore it even after an individual user deletes it. Deleting an e-mail merely removes the message from the user's view; copies remain on the sender's hard drive, on the mail servers that handled the message and on any backups, and the record of the e-mail is not erased. As a result, supposedly deleted e-mails can easily result in a violation of a patient's privacy.
It is widely agreed that any document about a health-care interaction must become a part of a patient's permanent medical record to prevent legal difficulties. In New Jersey as in most states, the scope of medical records includes all records kept in the usual course of the practice of the health-care provider. Thus, providers should take steps to integrate e-mail communications into the record-keeping process. Failure to document e-mail communications can lead to serious injury and malpractice claims.
Informed consent for release of medical information has likewise become a standard feature of modern medical practice. The use of e-mail for communications of medical matters between a health-care provider and a patient should be integrated into such releases. To further insulate providers from privacy-related tort suits, providers should tell the patient how e-mails are handled in the office and hospital settings, who generally has access to the records and how hard or easy it is for others to obtain the information.
The potential for unlawfully mishandling patient data is the foremost limitation on a health-care provider's use of the Internet. In particular, this limitation revolves around the abuse of personal information in a deceptive and misleading fashion. Such mishandling of patient data can give rise to remedial proceedings under most state consumer protection laws.
For example, New Jersey could take action against providers who shared personal medical data with third parties (private practice medical groups) without disclosure to, or the consent of, affected patients, thereby violating state consumer protection laws.
In 1996, the Health Insurance Portability and Accountability Act directed the Department of Health and Human Services to adopt regulations providing for the protection of personal medical records and information from disclosure without the affirmative consent of the affected individual. HIPAA thus required health-care providers to secure an individual's consent before using the Internet to communicate medical information.
It should be noted that until 1996, the affirmative personal right to privacy in one's medical affairs did not comprehensively exist. However, patient privacy protection issues have slowly moved onto the center stage of the legislative and regulatory arena. And one focal point of this change has been how health-care providers handle electronic patient records.
Health-care provider associations should provide education initiatives for their members regarding medical record privacy and health information security that explicitly address Internet communications between providers and patients. They should also develop legally appropriate guidelines for Internet communication systems and the preservation of patient-physician relationships.
Health-care associations might suggest that all health-care provider e-mails be copied to a patient's electronic file to address conservancy issues. To address privacy issues, they might suggest that e-mail from providers to patients be sent as attachments that require a password to open rather than as a message in the body of an e-mail, with the password conveyed to the patient by a separate channel such as in person or by telephone, never in the same e-mail. In addition, they might suggest limiting access to e-mail files to address confidentiality legal issues.
As part of an informed e-mail consent process, patients should be apprised of the privacy implications and inherent risks of e-mail communication.
Health-care provider managers should provide their employees notice and training with respect to electronic records. Employee handbooks and annual training sessions should be employed to ensure that the action of a rogue employee does not result in adverse legal consequences for the provider.
In sum, existing law imposes a duty on health-care providers to secure patient health e-data through defined and enforced office practices. Providers are required to insulate their patients' e-health data, including e-mail communications, from public view.
In any case, health-care providers should contact their malpractice insurers and specifically ask them to define the acceptable parameters of e-mail consultation practice that will be covered under their insurance contracts.