Today, after my small dog struggled to bring in the Wall Street Journal, I was greeted by an article titled “When Email is Part of the Doctor’s Treatment.”
It is full of wonderful tidbits that make a HIPAA hound like me cringe.
Let me set a few things straight: I’m a tech guy and my preference would be to do most communication with my physicians via some electronic method.
Let me clarify one other thing: I get wrapped up in some basic vernacular – that is, never, never, never should a medical office say they are going to email patient information. If your office has a patient portal for secure messaging, SAY THAT. Yes, say “I will secure message you.”
“Does that really matter?” most ask. If a $50,000 fine matters to you, then yes it matters.
Remember, HIPAA compliance is about reducing the risk of a huge fine, which means reducing the risk of releasing PHI.
Back to the article…
“Dr. Mark Seigel’s Personal email account…”
Never should any person in your office send an email to a patient with any PHI in it. Also, realize that by answering that innocent “little” question, you are opening up the communication for too much detail.
“…Blood test results, refill prescriptions…”
No and no. Never send test results or prescription information via email.
“He asks them to sign a form…”
One of the docs in the article has patients sign a form so they can then email information freely. This is the right way to handle this, though I always recommend electronic communication be via a secure system. Otherwise you open yourself up to way too many potential issues.
Now we are talking. All of the above would be just fine if using a secure messaging system. This is typically an add-on to your EHR. Generally you will find it is easiest to use the secure messaging system that your EHR vendor offers, as it will generally attach all communications to that specific patient’s file.
“…Her practice has a portal, but…”
“…most parents prefer to email or text.” Right, and most people prefer to eat food that is not good for them and generally don’t want to exercise. This isn’t about what the patient desires; this is about FEDERAL REGULATIONS with hefty fines.
Let me put it this way: if you are not willing to email your credit card information (which you should never do), why would you be willing to email your patient information?
What Should I Do?
First, you need to ensure you have a clear set of policies in place clarifying what is allowed when communicating with patients electronically. Next, you should get the patient portal on your EHR stood up. The patient portal is generally what activates your secure messaging. Make sure you only communicate via secure messaging with your patients.
Never use the term “email” when you talk about sending patient information. Always say “secure message”. This may sound dumb, but the moment a staff member emails out a patient’s information because “the doctor said to email their information”, then you have a real problem on your hands.
This is all really simple, yet it takes a change in the way you operate.