Yes, you need to be cautious and set up a secure system. But liability risks are much less than many doctors fear, say experts.
About 10 percent of physicians go online regularly with their patients. And so far, there have been few if any malpractice suits involving physician-patient e-mail. So how much should you worry if you're already exchanging e-mail with your patients or plan to start soon?
E-mail carries no more liability risk than phone calls or faxes do, says Helen Woodfall, vice president of Doctors Insurance Reciprocal, a malpractice insurer in Glen Allen, VA. Attorney and malpractice expert Lee J. Johnson of Mount Kisco, NY, agrees. Just as e-mail could go to the wrong person, she notes, faxes could go to the wrong office, or voice messages could be picked up by someone other than the patient. Other observers point out how easy it is to listen in on a phone conversation.
FP Gil L. Solomon of Glendale, CA, who e-mails with some of his patients, says that the possibility of sending an e-mail to the wrong person is no greater than that of many other errors that commonly occur in medical offices. "One of our patients got a reminder in the mail that was meant for another patient," he recalls. "Somebody had misaddressed the envelope."
Malpractice attorney James Lewis Griffith Sr. of Philadelphia advises against exchanging e-mail with patients, but he's also against using snail mail, telephone, or fax for anything other than "routine matters like appointment scheduling." He's concerned not only that e-mail will fall into the wrong hands but also that important communications won't be received.
Other experts say the problem with e-mail lies in how it's used. "Physicians are eager to use e-mail to enhance patient satisfaction and to shorten the time it takes to get back to patients," notes Woodfall. "But because of their enthusiasm, they're not applying the same degree of caution to this new technology that they've learned to use in paper and telephone communications.
"We've discouraged doctors from contacting patients through telephone answering machines and fax machines and sending postcards with lab results. Most of them know better than to leave a voice mail message on an answering machine saying, 'Your pregnancy test or HIV test was positive or negative.' " The same sort of judgments, she says, should be applied to e-mail.
Some physicians agree. "My approach to e-mail is that I presume it's a public document," says geriatrician Robert Keet, president of Western Medical Associates, a medical group in Santa Cruz, CA. "If somebody asks me, 'How do you take Claritin?,' I'll write back, 'You take one a day.' It would be no big concern if somebody knows this patient is on an antihistamine. But if somebody writes in and says, 'I think I have AIDS,' I'd call and talk about that. So it's just a matter of judgment."
To address liability risks in this area, over a dozen medical societies and more than 30 malpractice carriers have formed the eRisk Working Group for Healthcare with Medem, an Internet company founded by the AMA and medical specialty societies. Last January, this consortium released guidelines for communicating with patients online (www.medem.com/corporate/corporate_erisk.cfm). The guidelines recommend that you establish a written policy for your staff regarding online patient interaction, and that you notify patients of your policies for online communications. For instance, you might say you reserve the right not to exchange e-mail with patients who abuse the service, and that you won't diagnose patients without seeing them first.
The document also advises doctors to use a secure messaging service that:
Encrypts all communications in transit to prevent "snooping" attacks.
Permits patient communication only with providers who have accepted the patient's request for online communication.
Allows providers to selectively block communications from certain patients.
Restricts forwarding of messages to other providers regarding specific medical conditions.
Prevents forwarding of messages to standard e-mail systems.
Provides a means for organizations to control staff access to specific categories of messages.
Provides senders with reliable means of knowing whether their messages have been delivered.
Among the types of transactions that the working group deems appropriate to conduct online are appointment requests, prescription renewals, "general" questions, billing queries, and clinical questions regarding a condition for which a patient has been seen in person in the prior six months.
Not all physicians who exchange e-mail with patients limit themselves to these categories. For instance, FP Joseph E. Scherger, dean of the College of Medicine at Florida State University in Tallahassee, uses e-mail to help patients who have minor acute conditions, to do online follow-ups to chronic and preventive care, and to conduct some mental health counseling. Asked about the potential liability of trying to diagnose someone with, say, flu-like symptoms by e-mail, he replies, "We do it over the phone all the time. Every weekend, the doc on call will get 30 to 50 acute calls per day."
Nevertheless, Lee Johnson cautions against diagnosing patients without seeing them: "Just as you should never diagnose or prescribe over the phone, or renew a prescription for something that requires a physical exam, you shouldn't do it over e-mail."
Contrary to popular myth, the biggest online privacy risks have nothing to do with messages being intercepted. What you have to watch out for, say experts, are security problems in the medical office and in the patient's home or workplace.
"In most companies, your e-mail is not private; the company legally has the right to read it," says Dale W. Miller, director of consulting services for Irongate, a security consulting firm in San Rafael, CA. "So if the patient's boss happens to see some sensitive information, the employee might be at risk." There also could be unauthorized access by the people who set up and maintain a company's computer system or by outside repair people.
There are privacy risks when you e-mail to a patient's home, because there might be things the patient doesn't want his family members to know, notes Johnson. Examples include "spouses finding out spouses have AIDS or children finding out they're adopted." So advise the patient to restrict access to his home computer.
Since you can't foresee every circumstance that could lead to a breach of privacy, some experts advise getting patients to sign an agreement absolving you of responsibility before you send them e-mail. "You should have the patient sign a release form saying, 'I've asked your office to communicate with me by e-mail. I accept responsibility and I hold you harmless in the event that any of these communications are read by anyone other than myself,' " says Griffith.
You should also consider using a secure messaging system. Not only will this improve your legal position under malpractice laws, but it may satisfy the still-incomplete information security regulations of HIPAA. (Health care providers have until 2003 to comply with HIPAA's data privacy sections, which are already in effect. The information security rules won't be ready before the end of 2001 and will be implemented two years later.)
"HIPAA says if you're going to use e-mail with patients, you'll have to encrypt the messages to guard against inadvertent breaches and interception of the data," notes Jill Callahan Dennis, head of Health Risk Advantage, a Parker, CO, consulting firm, and author of a recent book on the privacy and confidentiality of health care information.
One approach Dennis suggests for small physician practices is to download encryption software like Pretty Good Privacy. Although not "bulletproof," she says, this kind of security system would meet current HIPAA requirements. (Commercial users like doctors can purchase the program at estore.nai.com for $121, which includes one year of telephone support. Your patients and other noncommercial users can download it for free from several sources, including web.mit.edu/network/pgp.html.)
If you use PGP or some other off-the-shelf product, both your computer and your patient's computer must have the same encryption software. "You should instruct the patient: 'I use PGP. You can download it off the Net, too, and then we can agree on a password,' " says Dennis.
Alternatively, you can subscribe to a secure messaging service such as those offered by Healinx, MDhub, Medem, and Medscape (see "Secure messaging services are a mixed bag"). All of these companies enable physicians and patients to exchange messages on a secure Web site. The message is encrypted when it's sent, and the recipient, who may be alerted to the existence of the message by standard e-mail, needs a logon and password to decrypt it. Since the message never leaves the server of the Web site, it can't be intercepted. And the system will let you know whether anyone has altered or tampered with an e-mail.
Encryption increases your ability to identify the sender of a message. But since logons and passwords can be stolen or given away, some experts believe both physicians and patients should have digital IDs that verify who they are. The AMA and the California Medical Association are both issuing digital certificates to doctors, but so far there's not much you can do with them.
Up to now, it has been difficult to import digital certificates into standard e-mail programs. The AMA's technology partner, VeriSign, aims to leap that barrier soon when it introduces a new tool that will allow the AMA Internet ID to be used with any e-mail program at the touch of a button. However, few software applications that recognize the digital certificate have been written. Also, patients are considered unlikely to use digital IDs.
The ability to document physician-patient communications in e-mail is a double-edged sword with regard to malpractice liability. On one hand, say attorneys and risk managers, it's good to document all of your contacts with patients. On the other hand, if you make an error in an e-mail, ranging from a typo to a piece of poor advice, it could come back to bite you.
Patients may also misunderstand what you wrote, notes FP Gil Solomon. "Let's say you've got 15 e-mails to get off before you go home at the end of the day, and you write something in a hurry and send it without reviewing it," he says. "If you send a patient an e-mail about elevated liver function right before the weekend, the patient could fret about cirrhosis all weekend. He e-mails you back, but it's your work e-mail and you won't look at it until Monday. Now the patient is anxious, whereas if you'd done it on the phone, he would have been reassured."
Since anxious patients are more likely to sue, Solomon gives out his e-mail address sparingly. "For some patients who have a good tolerance of possible miscommunication, are used to e-mailing, and are difficult to reach by phone, it might be great. For other patients, a phone call is better."
In contrast, FP Joe Scherger maintains that e-mail enhances communication, and therefore reduces malpractice risk. Scherger, who has served as an expert witness in many trials, advises physicians to save all e-mail related to patient care. "It eliminates that he said/she said question about a phone call, or the need to remember two years later what was said on the phone. Patients have a tendency to blow things out of proportion when they've been harmed. Collecting all their e-mail notes at the time of service is going to help the physician if he's sued."
Attorney Lee Johnson concurs. "You'll end up with better evidence when a lawsuit occurs, because you'll have the paper and the computer files, and in most states, the electronic file will be admissible."
One caveat: If you don't print out e-mail messages for the paper chart, make sure you back up your electronic archives regularly. If you can't produce a relevant e-mail in court, notes James Griffith, the judge might instruct the jury to assume that the message could have been harmful to your case.
Doctors who use e-mail, as well as some experts, say that physicians' security concerns may be overblown. Still, nobody denies that e-mail does entail special liability risks, and that physicians will need secure messaging to satisfy HIPAA. "The regulations are coming, and the liabilities are already there," declares emergency physician Edward Fotsch, CEO of Medem. "It's not the biggest crisis in health care. But it's something that will probably touch the lives of the average physician and the average patient."
Internist Robert Keet worries about the privacy of e-mail, too, but not enough to stop using it with patients. "There are all kinds of potential legal dangers here, and if you want to be very conservative, you'd never e-mail a patient," he says. "But it's a very practical communications method, and I use it with care and try to use common sense. I know other doctors are doing it that way, too."
If you want to go online with your patients but are concerned about security, consider using one of the secure messaging services that allow you to send and receive encrypted messages. You and your patients pick up and deliver messages through your Internet site or page, which is linked to the vendor's Web server. Protected by a firewall, that server is where messages are encoded and decoded.
Here's a rundown on some secure messaging vendors:
Healinx, Alameda, CA (www.healinx.com). This service is sponsored by employers and health insurers. The 2,300 physicians who currently use Healinx are reimbursed $20 per "Web visit" with health plan members and covered employees. When they go online with nonsponsored patients, the doctors can charge them between $5 and $25 each, splitting the fee with Healinx. Patients use the system to schedule appointments, request referrals and prescription renewals, review their medical profiles, receive individualized health information, and ask their doctors questions. The clinical questions are broken down and submitted to physicians in a structured format.
MDhub, Avon, CT (www.mdhub.com). Developed by National Physicians DataSource, which publishes The Little Blue Book physician directories, MDhub has created personalized Web pages for 355,000 doctors. Patients can send you secure messages online whether or not you have a computer. All messages are faxed to your office unless you decide to pick them up online, or you can opt to receive them both ways.
MDhub emphasizes administrative functions such as appointments, refills, and referrals, although it allows patients to ask simple clinical questions. The service will seek pharmaceutical sponsors so it can continue to be free.
Medem, San Francisco (www.medem.com). Owned by the AMA, six specialty societies, and a venture capital firm, Medem is a private company that supplies patient educational materials and builds Web sites for physicians. Of the 25,000 doctors who have Medem Web sites, 5,000 are using the firm's secure messaging service, which was launched earlier this year.
Like all the other services mentioned here, Medem offers a structured form of online communication, with templates for billing queries, appointments, prescription renewals, and clinical questions.
The service is currently free. Next year, Medem plans to enlist commercial sponsors for each specialty. If a doctor doesn't want his service to be sponsored, he'll pay $30 a month.
Medscape, Hillsboro, OR (www.medscape.com). Medscape's secure messaging service is part of its AboutMyHealth program, which allows physicians to share portions of electronic medical records with patients online.
Fewer than 200 of the 12,000 physicians using Medscape's Logician EMR have tried the new chart-sharing approach. If you're a Logician or Medscape Chart Note user and want to do this with onsite consulting help, Medscape will charge your practice up to $5,000 for setup. But the firm also offers its secure messaging system to all doctors on a stand-alone basis for $25 per month.
Ken Terry. E-mail patients? Don't be nervous. Do be careful. Medical Economics 2001;17:83.