‘Really doctor, can’t you just email it to me? I can’t take a day off work to come and pick it up.’
You check the patient’s file and the address looks to be a shared email address for ‘thesmiths’. You are not sure whether it’s still current. Can you email the report?
Your patients may be asking for email communication as it is often much easier and more convenient for them. But doctors worry about whether they can send information via email — particularly in light of the recent focus on data protection and privacy.
Some may believe they can’t reply to non-encrypted emails as this would put them in breach of privacy laws. In fact, the Privacy Act does not prescribe how a healthcare organisation should communicate health information to patients or third parties.
Any method of communication may be used as long as the organisation takes reasonable steps to protect the information transmitted and the privacy of the patient.
So what are ‘reasonable steps’?
Guidance on what steps would be considered reasonable for a practice to take can be found in the Office of the Australian Information Commissioner’s (OAIC) Guide to Securing Personal Information.
The OAIC does not insist on encryption as a minimum standard in all cases. Rather, practices need to “develop procedures to manage the transmission of personal information via email”, recognising that email is not a secure form of communication.
The commission does recommend that you consider the type of information to be sent and whether it is appropriate to send via unsecured email, or whether it needs to be secured, for example, with a password.
The RACGP’s Guiding Principles on Using Email in General Practice outlines various steps that can be used to manage email communication. The following can help you avoid the risk of a privacy breach when using email:
- Use secure messaging or encryption where available. While this is not a requirement it is still seen as the best option if available.
- Inform patients who request information by email about the risks associated with unencrypted email and confirm they still wish to have the information sent in that way.
- Have a clear policy and ensure staff know what they can and cannot send by email.
- Ideally send sensitive or personal information in a password protected file. You need a protocol for providing the passwords (for example, phone the patient with the password).
- Record the patient’s consent to use of email in their clinical file.
- Ask the patient to email the practice and reply to that email. This reduces the risk of incorrectly typing in an email address. It also ensures you know which email address the patient wants you to use.
- Use a privacy disclaimer on all emails for unintended recipients.
- Save all emails relating to patients in their clinical records.
Documenting and communicating your approach
You should have a policy that addresses what sort of information will be sent by email and the method used, whether emails will be encrypted or not and in what circumstances.
If there are circumstances where it is necessary to avoid email communication, this should also be set out in the policy.
What about when patients email requesting advice?
This is another area of concern for many GPs. It is appropriate to decline to have clinical discussions with patients by email and instead to respond with a request they make an appointment to discuss any questions or concerns.
You do not need to allow 24-hour access via email. However, you do need to explain this in your practice policies.
It is also advisable to have an auto-reply warning people of the risks and providing an emergency contact.
As with any communication, you should have a process for ensuring incoming emails are passed on to the appropriate person, actioned and documented in the patient’s clinical record.
- You can use email to communicate with patients – as long as you seek and document the patient’s consent.
- Make sure you have a practice policy that outlines processes to avoid data breaches.
- Consider appropriate means of communication depending on the urgency, sensitivity and risk in each case.
- If you publish an email address on your website, make sure you communicate clearly how it is monitored and what to do in case of an emergency.
View our resources to help you prepare and respond to possible data breaches.
For more medico-legal information and support, visit our website or email our Medico-legal Advisory Service (MLAS) at: email@example.com or call 1800 128 268 for expert advice, 24/7 in emergencies.
A version of this article was published on 30 July 2018 in Medical Observer.