Potential Legal Pitfalls of Electronic Patient Communication

Text messages, email, and social media make it easier than ever for patients and physicians to communicate. With so many ways to connect, however, establishing boundaries and following patient privacy laws are critical.

Robert Tennant, director of health information technology policy at the Medical Group Management Association (MGMA), shares his tips on safely corresponding with patients and protecting your practice against legal risks.

Use Encrypted Channels
The best way to safeguard patient information is to directly communicate through your office’s electronic health record (EHR) system. The EHR is encrypted and offers a secure form of messaging, ensuring that anything patients and clinicians discuss will become part of the patient’s health record.

“Every other form of communication—Facebook wall posts, text messages, or email—is not part of the health record,” Derek Kosiorek, a consultant with MGMA, explains. “Our advice is to ignore every other method of communication other than face-to-face and just use the messaging that’s in the EHR.”

Preserve Protected Health Information
Patient privacy and confidentiality must be maintained in all forms of communication. If you choose to email and text with patients, then never include protected health information. Sending sensitive information to your patient’s work email address, for example, could have unintended repercussions if his or her employer was to read it, Tennant explains.

He also advises clinicians to err on the side of caution when confirming appointments. If your practice name refers to a specific medical condition, then refrain from listing the full practice name in any automated emails or text messages.

Obtain Patient Authorization
Although the Health Insurance Portability and Accountability Act defines how patient health information can be used or shared, the standard privacy notice doesn’t include an explicit reference to electronic communication. Tennant advises clinicians to discuss email communication with patients and encourages them to establish a privacy notice to inform patients that the practice won’t release any sensitive information via email without specific authorization.

After recent, high-profile security breaches within the US government and large retailers, many patients are understandably concerned about the security of their health information. “Talking about email communication in the privacy notice is a good way of starting the dialogue and reassuring patients that the practice takes their information and security very seriously,” Tennant says.