A patient wants to engage with his or her physician via email without going through the secure channel of a portal. Is this allowed, and should physicians consider it?
According to the HIPAA Privacy Rule, physicians and patients can exchange unsecured emails as long as patients are aware of and accept any potential privacy and security risks.
“It’s critically important that healthcare providers, payers and their technology partners design and implement systems that serve patients’ needs first and foremost,” says David C. Harlow, JD, MPH, principal at The Harlow Group, LLC, a healthcare law and consulting firm. “This includes respecting the patient’s right to choose ease of use over high security.”
However, obtaining patient consent is critical, says Harlow. Physicians can ask patients to physically sign intake paperwork stating the physician may contact them via unsecured email or text messages. They can also ask patients for their consent over the phone or via a secure message through the portal. Electronic signatures are sufficient, provided they meet federal and uniform state laws, he adds.
Harlow encourages physicians to take a thoughtful approach to unsecured communications.
“Given the sensitivity of the information being shared—and the potential for negative consequences if the information is intercepted or misdirected—it makes sense to go above and beyond the bare minimum requirements of clicking an ‘I agree’ box on a screen,” he says. For example, physicians could require patients to type their name or initials to signify consent. “Taking that extra step makes it more likely that a patient actually reads the consent,” he adds.
However, it’s important to set boundaries.“Texting creates an expectation of instantaneous response, and that’s really hard for practices and individual physicians to maintain,” says Jan Oldenburg, FHIMSS, chief executive officer of Participatory Health Consulting, a company that helps physicians use digital health technology to engage patients.
Consider using an automated reply letting patients know that the practice will respond within 48 hours and that they should call 911 in the event of an emergency, she adds. These same strategies are appropriate in establishing response standards for secure messaging.