The Liability of Emailing Your Patients

We know there are a lot of you out there who have resisted moving to an EHR solution.  However, you want to be able to take advantage of technology to communicate via email to your patients.  Can you do this, and should you?

Doctor securely emailing their patient

Well, unfortunately this is not an easy question to answer.  We here at MyMedicalMalpracticInsurance.com believe that you should use an EHR system with a secure email portal if you are going to do it, but we wanted to offer suggestions to those physicians who don’t want the hassle and cost of implementing an EHR system but still want to use email to communicate.  We should also mention that a lot of EHR systems do not offer email at all; they offer patient portals that allow your patients to log in securely.

We first need to cover some basic definitions we’re going to talk about:

Business Associate Agreement: Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA).

Encryption: the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read them, but authorized parties can.

HIPAA Compliant: the Health Insurance Portability and Accountability Act sets the standard for protecting sensitive patient data.  Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

Discoverability For Trial: In U.S. law, discovery is the pre-trial phase in a lawsuit in which each party, through the law of civil procedure, can obtain evidence from the opposing party by means of discovery devices including requests for answers to interrogatories, requests for production of documents, requests for admissions and depositions.

Protected Health Information: (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

The first thing you want to do is make sure the email system/company has a Business Associate Agreement in place for you to sign.  This agreement essentially outlines the permitted and required uses of protected health information by the email provider.  In practice, this means the email provider agrees not to access or use your data beyond what the agreement permits, which is what keeps your email private, protected, and confidential.  Usually during an audit, a Business Associate Contract from a reputable email provider should satisfy the Department of Health and Human Services.

The next thing you want to ensure is that the data being sent back and forth is encrypted.  We think the best way to handle this is not to send an email directly to your patient.  Instead, you use a third-party tool to send the message, and the tool then sends a link to the patient.  The patient must then go to the tool of your choice and enter their secure login credentials to get the “email”.  Yes, this isn’t real emailing in the strict sense, but it’s much safer than sending a direct email.  Ordinary email is one of the least secure ways of communicating, because a message may travel across, and be stored on, servers outside your control without any encryption.

This should really go without saying, but you must make sure the service you are using is HIPAA compliant.  Since you are paying for this service, let them deal with the hassles of ensuring full HIPAA compliance.

Encryption deals with HIPAA-related issues, but what about discoverability for trial?  This is a current gray area that is still being worked out in the courts.  We will update this blog post when we know more.

The last major point we’d like to share is how the data is stored.  Is it on a shared server?  What type of hosting facility is it stored in?  These types of questions should be asked because the data is PHI.

One other issue to be touched upon is how the emails will be archived.  You want to make sure a court case doesn’t come down to a he-said, she-said.  Make sure the company you go with archives these emails.  We archive our emails for 7 years.  Maybe you should do it longer.

We do have to toss out a disclaimer that this post is for informational purposes only.  Please contact an attorney if you have any questions.

How do you deal with emailing patients?  What services have you found that work the best?  We’d love to hear from you!

This entry was posted in Insurance, Risk Management.