

HEALTH CARE PROVIDERS AND EMAILS – THOUGHTS ABOUT BEST PRACTICES

Posted January 25, 2010

Author: John Alan Lewis

“There are three steps in the revelation of any truth: first, it is ridiculed; in the second, resisted; in the third, it is considered self-evident.”  Schopenhauer

It seems self-evident that new payment methods which encourage health care providers to adopt telemedicine and telehealth into their practices will emerge. This will certainly be true in the area of electronic communications via the internet. In January of 2004 the AMA created a reimbursement code for online patient consultations. Besides the incentives given under the HITECH Act to those providers who satisfy the “meaningful use” requirements concerning electronic health records and health information technology, private insurers such as Aetna, Cigna, WellPoint and now United Health are adopting policies in some states to reimburse physicians for e-mail communications with their patients. It now appears fairly certain that the health reform legislation, whatever final form it takes, will continue to encourage providers to adopt telehealth and electronic health records into their practices. While physicians are encouraged to recognize the “self-evident” and take steps to incorporate electronic communication into their practices, the first thing each physician should do is adopt a comprehensive policy that includes best practices for provider-patient email. Adopting this policy is the first step, to be taken before beginning ANY patient communication by electronic means. Among other things, the HIPAA Security Rule[1] must be followed regardless of what you may have heard from vendors or other third parties.

Before communicating with patients via email, a health care provider should pay particular attention to the HIPAA Security Rule’s Technical Standards[2]. Violation of the HIPAA Security Rule can lead to civil as well as criminal sanctions. The civil penalties may include a fine of $100 per violation, up to $25,000 per year[3]. The criminal penalties provide for monetary fines ($50,000 to $250,000) and incarceration (up to ten years in prison)[4]. The practice’s technical standards policy needs to address and incorporate the following:

  • Encryption: Email communications from a provider to a patient should be encrypted utilizing updated encryption security technology. (The attached is from the Security Rule’s technical standards.)
  • Informed Consent: The provider needs a written informed consent from each patient with whom the provider intends to communicate by email. We have developed a prototype form for this purpose. Whether you choose to adopt our form or others, the informed consent form must authorize the provider to communicate with the patient by email and should inform the patient of the following:
      • While reasonable efforts will be made by the provider to maintain the confidentiality of email communications, the provider cannot guarantee that these communications will not be intercepted, misdirected, or undelivered;
      • Email communications from the patient to the provider should be limited to those that pertain to the patient’s care and treatment;
      • The patient should be made to understand that email to the provider is not appropriate in emergency situations. In such a situation, the patient should contact emergency medical services;
      • The provider should identify in advance to the patient the email address the provider will use to communicate with the patient, and the patient should only respond to email communications from the provider that come from that email address; and
      • Should the patient not adhere to the requirements of the informed consent form, the provider can terminate email communications with the patient.
  • Retention: All email communications between a provider and his/her patients should be transferred to the patient’s medical record (electronic or otherwise) within a reasonable period of time and produced in response to an appropriate authorization for release of the patient’s medical record. It is critical that a subsequent treating provider be able to review a patient’s medical record and understand the current state of the patient’s overall health. The email communications between the previous treating provider and the patient are a necessary component of that understanding.
  • Auto-Reply Message: A provider should set up an auto-reply message on their email system stating that (1) patient email communications will be responded to within a specified time period (e.g., by the next business day); and (2) a patient experiencing an emergency situation should immediately contact emergency medical services.
  • Confidentiality Notice: All email from a provider to a patient should include a standard confidentiality notice informing the recipient that the email message is confidential and is intended only for the individual to whom it is addressed. The notice should also state that if the individual has received the email in error, he or she should immediately notify the provider and delete the message from any hard drive, disk, or other means of electronic storage.
  • Email Use Restrictions: The following restrictions should be observed by any provider who communicates with a patient via email:
      • email should only contain the minimum necessary amount of protected health information;
      • email should be written in clear and complete sentences without acronyms or abbreviations;
      • any email to a patient that is misdirected must be documented on the patient’s accounting of disclosures;
      • unless an individual is designated as the patient’s personal representative, a provider should only email the patient; and
      • if a provider believes that, by reason of the subject matter, a patient will not understand an email communication, or if it appears to the provider that the patient did not understand a previous email communication, the provider should no longer communicate with the patient via email regarding such subject matter, but rather should attempt to contact the patient via telephone.

A provider’s patient email policy must also cover other members of the provider’s staff, such as mid-level providers and nurses. It is my belief that no other members of the provider’s staff should have access to this system or be permitted to use it for any reason other than periodically updating or maintaining the system’s technical standards and capabilities.

In subsequent postings I will discuss breach notification rules and then begin digging into the meaningful use requirements recently established by the HIT Policy Committee.


[1] 45 C.F.R. Part 160 and Part 164, Subparts A and C.

[2] 42 C.F.R. § 164.312 (see attached as Exhibit A).

[3] 45 C.F.R. § 160.404

[4] 42 U.S.C. § 1320d-6
