Protect E-Mail for Sake Of Medicolegal Liability


SAN FRANCISCO — Give e-mail correspondence with patients the same care and attention you'd give to paper records, faxes, or phone calls in order to minimize medicolegal liability, advises Dr. Jeffrey L. Brown of the Cornell University Medical School in New York.

Physicians should be reasonably certain that the person requesting information by e-mail is authorized to receive it, just as would be done with phone calls, Dr. Brown said at the annual meeting of the American Academy of Pediatrics.

At a minimum, your e-mail system should include an automated response to any e-mails received from patients, acknowledging that an e-mail message has been received and saying that you will respond within a set period of time, such as 24 or 48 hours, said Dr. Brown, who is also in private practice in Rye Brook, N.Y. He has no association with companies that market e-mail systems or services.

The automated response should alert patients that confidentiality cannot always be assured in e-mail correspondence, and that you cannot respond to urgent questions posed by e-mail. Patients should contact your office by phone for urgent matters.

The response also should inform patients that if they do not get a reply from you to any e-mail message within a reasonable period of time—“usually 48 hours,” Dr. Brown said—the patient should call your office to ask whether you received the e-mail. If you are away from the office when patients e-mail, the automated response should let them know that, and give the date of your return.

In the other direction, e-mails sent by physicians must be compliant with the Health Insurance Portability and Accountability Act (HIPAA). As with faxes, conventional e-mails must protect the confidentiality of sensitive information such as Social Security numbers, medical identification numbers, laboratory results, diagnoses, medications, and more.

To ensure confidentiality in e-mails, use an encrypted message system, Dr. Brown advised. Solo practitioners or small practices may want to do an Internet search for the term “encrypting e-mail systems” to find a list of encryption providers, he said. Typically, an outgoing e-mail would be sent to the provider, encrypted, and returned to the physician's system before going out to a patient.

Or, physicians may want to look into the Academy's partnership with Medem (

Confidential e-mail from physicians should contain a warning disclaimer similar to those used on fax transmissions. A typical disclaimer says the following: “Important notice: This e-mail contains confidential and privileged information. It is intended only for the individual or entity to whom it is addressed. If you are not the intended recipient, or if you have received this transmission in error, you are hereby instructed to notify the sender and to erase its content and all attachments immediately. Copying, disseminating, or otherwise utilizing any of its content is unlawful and strictly prohibited.” Other versions of disclaimers should be available from your attorney.

Treat e-mail messages like other patient correspondence, and file them appropriately, he added. Before erasing e-mail, save the patient's original e-mail and your response as hard copies in the patient's chart or electronically if you use electronic charts. Take precautions to protect confidential information on laptop computers and hard drives, as you would for other medical records. Use encryption software or change passwords frequently to prevent unauthorized access. Erase all confidential information from hard drives before disposing of them.

“Even if you do all the right things, there is still a possibility that you will be subject to suits,” Dr. Brown said. “In the end, the best defense against legal action is practicing good medicine.”

Rx for Security: E-Mail Don'ts

Dr. Brown has the following trouble-avoiding tips:

▸ Do not use your personal e-mail address to answer patient e-mails.

▸ Do not answer a new patient's e-mailed medical questions without first establishing a formal relationship. “You have no idea who they are and what their problems are.”

▸ Do not forward a patient's e-mail correspondence or address to a third party without first getting the patient's consent.

▸ Do not use an indiscreet topic in the heading of your response. “Don't write, 'Your pregnancy test is positive' in the subject line.” Instead, use the same strategies you'd use when leaving a voice mail on a patient's answering machine. “Say, 'I have your lab work,' or something like that.”

▸ Do not leave e-mail messages on a computer screen where they can be read by others.

Source: Dr. Jeffrey L. Brown
