Computer Consult: E-risk management

July 11, 2003

Boilerplate policies and warnings may not make fun reading, but they'll help keep you and your Web site out of court.

 


By Cheryl L. Toth


 

• Warn that Web site medical info doesn't equal medical advice.

• Get informed consent from patients who send you messages via your site.

• Post a general privacy policy in addition to what HIPAA requires.

If you have a practice Web site, you want it to catch patients, just like a spider web catches flies. You don't want it to catch lawsuits.

Yet you could find yourself in court over something as innocuous as an online article about diabetes, or an e-mail from a patient with abdominal pain.

Fortunately, such suits are rare, but you still need to protect yourself. You can reduce the risk of getting sued by posting the right legal policies and disclaimers on your Web site. Adding such boilerplate is just as important as deciding where to put a navigational button, or choosing a typeface.

Create a medical disclaimer. A sick patient often gets sicker when he tries to manage a problem by himself without seeing you first. What if a do-it-yourselfer acts on medical information on your Web site and then sues you when self-help backfires?

"You should have a disclaimer stating that patient education material should not be considered actual medical advice," says health care computer consultant Margret Amatayakul in Schaumburg, IL. "Make it clear that patients and other visitors are using the information at their own risk, and that they should schedule an appointment with a physician before they make a treatment decision."

Most disclaimers are a few sentences to a few paragraphs long. Look at other practice Web sites for examples. The Web site for the Kneibert Clinic (www.kneibertclinic.com) in Poplar Bluff, MO, cautions patients with these words: "Content provided on this website is for general informational or educational use only and is not intended to be used as medical advice in specific situations. See your doctor regularly."

Once you draft a disclaimer, ask an attorney to review it. Run it by your liability carrier, too.

Reduce e-mail risk. If your Web site allows patients to send messages, you need an informed consent policy. Patients must understand the risks of communicating with you electronically, such as a third party intercepting a message, or the message not getting through, says Jennifer Bever, a consultant with KarenZupko & Associates in Chicago. "It's the same principle as getting informed consent before a surgical procedure," she says.

You should not only post an informed consent policy on your Web site, but also require patients to read and sign it before they begin to send messages, recommends Amatayakul.

"The statement should cover such topics as who has access to patient e-mails, where messages go once they're printed, what are expected response times, and most important, what topics are appropriate for e-mail vs a face-to-face visit," she says. "Patients should be told that if they're facing an emergency, like a baby with a high fever, they should make a doctor's appointment or go directly to the ER instead of asking for advice via e-mail."

One industry standard for informed consent comes from the eRisk Working Group for Healthcare, a consortium that includes the AMA, other national medical societies, and liability carriers that represent more than 70 percent of insured physicians. You can access a copy of its "eRisk" guidelines at www.medem.com/corporate/corporate_erisk.cfm.

If you choose not to encrypt your messages, your informed consent statement should state that information will be transmitted over the public Internet, which increases the risk that the wrong eyes will see it, says Robert Tennant, a senior policy advisor for the Medical Group Management Association.

Post a Web site privacy policy. No, not your HIPAA privacy policy. More on that later. If you have a Web site that lets patients communicate with you online, you must address privacy issues that go beyond the scope of HIPAA.

Consider, for example, the kind of information that patients might send you electronically. The HIPAA privacy standard covers a person's "protected health information," or PHI. That's anything that relates to his health, the care he receives, or payment for care, and identifies the person in the process.

Most patient information flowing into your Web site probably will be PHI, says Amatayakul. But some may fall into a gray area, she says. What if a person shopping for a doctor asks if you'd welcome a gay patient such as himself? "To be on the safe side, you ought to have a policy stating that you won't share any personal information about a Web site visitor unless the person okays it," says Amatayakul.

Your Web site privacy policy should also cover other issues peculiar to cyberspace:

• Does your site have a chat room or message board where patients compare notes on how they deal with various illnesses? If so, "your policy had better caution patients that whatever they post in these forums becomes public information," says Jennifer Bever.

• Your site probably has links to other sites. Make it clear that you have no control over these sites' privacy policies, which could differ from yours.

• Don't overlook your Web site's "cookies." They're files that automatically download onto a visitor's computer so when he pays another call, your Web site can identify him. If you use cookies, say so.

To cover all the bases, consult the Privacy Resource Guide found at the Web site of TRUSTe (www.truste.org), a nonprofit group that promotes privacy on the Internet. The free guide walks you through the creation of a policy and includes a sample you can customize. KarenZupko & Associates also offers a free policy sample on its site (www.karenzupko.com). Again, have an attorney eyeball whatever you draft.

Include your HIPAA privacy notice. HIPAA requires you to have patients read and sign a form called a "Notice of Privacy Practices." This details how you use and disclose patient information—whether it's in a paper chart, inside a computer, or spoken in the hallway—as well as the patient's privacy rights, among other things. If you have a Web site, HIPAA requires you to post the form there.

Where should you put the notice? Jennifer Bever suggests incorporating it into your online registration process. Post the notice as a PDF file and ask patients to print it out, sign it, and bring it to the office when they see the doctor. If you don't offer online registration, provide an easy-to-find link to the PDF file on your site's home page. Include a link to Adobe Systems (www.adobe.com) so patients can download a free version of Adobe Acrobat, if necessary, to read the PDF file.

 

Cheryl L. Toth is a Tucson-based writer and former practice management consultant. Computer Consult is edited by Senior Editor Robert Lowes.

 

Cheryl Toth. Computer Consult: E-risk management. Medical Economics Jul. 11, 2003;80:31.