Email communication with patients: privacy and patient safety

Patients are increasingly expecting their doctors to communicate via email as it is often easier and more convenient for them. This factsheet reviews issues to consider when using email relating to privacy, communication and patient safety.

Monday, 29 April 2024

Quick guide

  • Healthcare organisations can use email to communicate with patients – as long as they take reasonable steps to ensure patient privacy. 
  • Always seek and document the patient’s consent before sending their personal information using email. 
  • Implement clear practice policies to help avoid privacy and patient safety breaches. 

Can you use email to communicate with patients?

Many practices and doctors worry about whether they can send information by email or whether emails need to be encrypted.  

Privacy legislation does not prescribe how you or any healthcare organisation should send health information to patients or third parties. Any method of communication can be used as long as you take reasonable steps to protect the privacy of the patient and the security of their health information. So, yes, you can use email to communicate with your patients and third parties.  

Satisfying your privacy obligations – reasonable steps

The Office of the Australian Information Commissioner (‘OAIC’ – which includes Australia’s Privacy Commissioner) has outlined the steps it considers reasonable for organisations to take when communicating by email in its Guide to Securing Personal Information. In line with this guide, we recommend considering the following: 

Email encryption is ideal but not essential 

Using encryption is the safest way to send an email and you should use it wherever possible.  

However, the OAIC does not insist that healthcare organisations use encryption as a minimum standard in all cases. Rather, you need to “develop procedures to manage the transmission of personal information via email”, recognising that email is not necessarily a secure form of communication.  

You do need to consider the type of information you are sending and whether it is appropriate to send by unsecured email.  Depending on the sensitivity of the information you may need to take additional steps to protect it by attaching the information as a PDF document with a password. How you provide the appropriate password to the patient is another consideration, but options could include a separate email, an SMS or something elected by the patient and stored in your system. 

Have a clear policy 

Just because it is easy to send an email does not mean it is appropriate. For this reason, you need to develop practice policies about the appropriate use of email to communicate with patients. All staff need to be clear about what they can and cannot send by email, and the steps they need to take if they are using email. 

Even if your practice does not correspond by email or encourage patients to do so, you may still receive email from patients, so it is important that your policies address how email communications will be managed. For example, if patients send you clinical images by email, ensure you have a mechanism for adding them to the patient’s records. For more information on this issue, see the Avant factsheet – clinical images.

Make sure you have patient consent 

You may need to send information by email, for example as part of a telehealth consultation, or in response to a patient request. In this case, if you are not using encrypted email, advise the patient about the risks associated with using unencrypted email and confirm they still wish to have the information sent in that way.  

Ideally, you would get patient consent in writing. If that is not practical, make sure you get the patient’s verbal consent and document it in their clinical record. 

However, if you have any concerns about sending specific information to a patient or to a third party at any time, confirm the details and patient consent before sending.  

Check the address before pressing send 

The OAIC consistently reports that personal information being emailed to the wrong recipient is the most common cause of privacy breaches attributable to human error.

Another cause of error is auto-complete – where software programs default to recently or frequently used addresses.  

Other sources of error could involve misheard or mistyped email addresses, or accidentally using ‘reply all’. 

Patients may have more than one email address. They may not want information sent to a work or shared email for example, so make sure you check which address they want you to use. 

Useful tip to avoid email address errors 

To avoid email errors, you could ask the patient to email you requesting the information and giving consent to reply using email. This serves both as a record of the patient’s consent and confirmation of their preferred email address. 

Password protect sensitive information 

Your policy needs to address whether and how you will send particular types of information, for example results, prescriptions, or referrals.  
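As an added illustration that is not part of this factsheet, the controls above (documented consent, one consented recipient, no ‘reply all’, sensitive attachments as password-protected PDFs with the password sent separately) expressed as a pre-send gate a practice could run in its own mail tooling. The record layout, field names and sensitivity labels are assumptions for the example.

```python
"""Pre-send policy gate for patient email (constructed example; record layout and labels are assumed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Attachment categories the practice policy treats as sensitive (assumed labels).
SENSITIVE = {"results", "prescription", "referral"}
# Acceptable out-of-band ways to give the patient a PDF password.
PASSWORD_CHANNELS = {"separate_email", "sms", "patient_chosen"}

@dataclass
class PatientRecord:
    consented_addresses: Set[str]   # addresses the patient has asked the practice to use
    consent_documented: bool        # written or verbal consent noted in the clinical record

@dataclass
class Attachment:
    name: str
    category: str                   # e.g. "results"; policy decides whether that is sensitive
    password_protected: bool = False
    password_channel: Optional[str] = None

@dataclass
class OutgoingEmail:
    to: List[str]
    cc: List[str] = field(default_factory=list)
    attachments: List[Attachment] = field(default_factory=list)

def presend_issues(mail: OutgoingEmail, patient: PatientRecord) -> List[str]:
    """Return the policy problems that should stop this email; an empty list means OK to send."""
    issues = []
    recipients = [a.strip().lower() for a in mail.to + mail.cc]
    consented = {a.strip().lower() for a in patient.consented_addresses}
    if not patient.consent_documented:
        issues.append("no documented consent to email this patient")
    # A patient email should go to exactly one address: catches 'reply all' and stray cc's.
    if len(recipients) != 1:
        issues.append(f"expected one recipient, found {len(recipients)} (reply all / cc?)")
    # Catches auto-complete picking a different patient, typos, and non-preferred addresses.
    for addr in recipients:
        if addr not in consented:
            issues.append(f"{addr} is not an address the patient consented to")
    for att in mail.attachments:
        if att.category not in SENSITIVE:
            continue
        if not att.password_protected:
            issues.append(f"{att.name}: sensitive attachment must be a password-protected PDF")
        elif att.password_channel not in PASSWORD_CHANNELS:
            issues.append(f"{att.name}: password must be given out of band, not in this email")
    return issues
```

Wiring this into the mail client is left to the practice; the point is that each rule in the factsheet becomes a check that blocks the send rather than relying on staff memory.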

Use a privacy disclaimer 

It is useful to have a privacy disclaimer on all emails leaving the practice as an additional protection. 

Save emails in medical records

As with any communication, your process needs to ensure incoming emails are passed onto the appropriate person and actioned. Ensure incoming and outgoing emails are saved in the patient’s clinical record and managed in accordance with record-keeping requirements.  

Take care when opening incoming emails, particularly when clicking on links or opening attachments.

For more information, please see Avant’s factsheet: Storing, retaining and disposing of medical records.

Is email ever inappropriate?

Even if your patient consents to communication by email, there may be circumstances in which you are not comfortable emailing them information. The information may be particularly sensitive or detailed or need a complex explanation. It is always appropriate to exercise your clinical judgement to decline to send such information by email. You may consider a face-to-face or telehealth consultation is necessary.  

We would consider it inappropriate to deliver any bad news to a patient via electronic means. 

You may also find that a patient responds to an email with further questions. Try to avoid back-and-forth conversations over email.  There is a risk that these will turn into a chain of correspondence, and you may find yourself providing medical advice without a proper consultation. In these situations, it is appropriate to decline to respond further via email and ask the patient to make an appointment. 

Ensure email communication with your patient is only provided in accordance with your indemnity insurance policy, and ensure you comply with the Medical Board of Australia’s Guidelines – Telehealth consultations with patients, as there may be requirements such as having had a previous spoken consultation.  

Email link on your website

If your practice website allows emails to be sent to the practice via a website email link, make sure an employee is responsible for monitoring any emails sent this way. You can use keywords to block certain emails. For example, you could use a keyword filter such as ‘test’ so that a matching email is blocked and a message is sent to the sender asking them to contact the practice to make an appointment.

Consider patient safety

Time-sensitive information 

You can send time-sensitive information by email, but you do need some safeguards in place to be sure the information has been received and actioned. You might ask the patient to acknowledge receipt of any email communication, either by a generated ‘read receipt’ or a manual return email, depending on the sensitivity. Confirmation of the patient’s receipt of the information should also be saved to the file. Have processes in place to follow up the patient if they do not contact you in response to the email.

Urgent after-hours emails 

Practices are not required to check email addresses 24 hours a day. However, you do need to be clear about how the account is being monitored, particularly if you publish the address anywhere, such as on your website. You could outline when email will be responded to and include an autoreply advising whether the address is being monitored and providing an appropriate emergency contact. 

Additional resources

  • Office of the Australian Information Commissioner – Guide to securing personal information
  • Royal Australian College of General Practitioners – Using email in general practice
  • Avant – Email communication policy checklist

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.

Disclaimers

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.