October 6, 2008
Guidelines to Reduce Risk in Online Communications

The eRisk Guidelines have been developed by the eRisk Working Group for Healthcare—a consortium of professional liability carriers (including SCPIE), medical societies and state licensure board representatives—and Medem, Inc.—a network provider that was initially founded by the nation’s medical societies to serve the healthcare industry.

Through the years, these guidelines have been revised as online technology and government regulations have changed. What follows is a portion of the latest guidelines, dated December 2006. (The complete guidelines may be viewed at www.scpie.com/riskmgmt/eguidelines.) These guidelines are not meant as legal advice and doctors are encouraged to bring any specific questions or issues related to online communication to their legal counsel.

General Principles
The legal rules, ethical guidelines and professional etiquette that govern and guide traditional communications between the healthcare provider and patient are equally applicable to e-mail, websites, listservs and other electronic services and communications, including the use of personal health records with patients. A personal health record (PHR) is established, owned and controlled by the patient or their caregiver. An electronic medical record (EMR) is a practice-based clinical record that is established, owned and controlled by the practice. However, the technology of online communications introduces special concerns and risks as follows:

  • Confidentiality. The healthcare clinician is responsible for taking reasonable steps to protect patient privacy and to guard against unauthorized access to and/or use of patient healthcare information. This responsibility extends to the use of network services that have an appropriate level of privacy and security as required under HIPAA. Following are key considerations:

    Privacy and Security. Online communications between healthcare clinicians and patients should be conducted over a secure network, with provisions for privacy and security, including encryption, in accordance with HIPAA. Standard e-mail services do not meet the requirements under HIPAA. Healthcare clinicians need to be aware of the full range of potential privacy and security risks and the requirements under HIPAA designed to mitigate those risks, and develop policies and procedures accordingly.

    Note: With respect to e-mail specifically, clinicians are encouraged to add a disclosure to the bottom of their standard, non-secure e-mail service stating that “This e-mail is not secure, and is not for use by patients or for healthcare purposes in general.”

    Authentication. Healthcare clinicians have responsibility for taking reasonable steps to authenticate the identity of correspondent(s) in electronic communication and to ensure that recipients of information are authorized to receive it. Authentication of the patient, or of an authorized patient proxy (e.g., parent of a minor, authorized family member, etc.), for patient-provider online communication, including the delivery of patient data, is important in order to ensure patient privacy and confidentiality. Clinicians are encouraged to follow these guidelines for patient authentication:

    • Have a written patient authentication protocol for all practice personnel and require all members of the staff to understand and adhere to the protocol.
    • Establish minimum standards for patient authentication when a patient is new to a practice or not well-known.
    • Keep a written record, electronic or on paper, of each patient authenticated for online communication or data exchange. The record should include the following:
      • Name of the patient
      • Date of authentication
      • Name of practice staff authenticating the patient
      • Means used to authenticate the patient.
    • Providers should take care not to offer, promote or encourage patients to participate in online healthcare services where patient authentication is not addressed to at least the level offered by the provider in his/her own practice.
  • Informed Consent. Prior to the initiation of online communication between healthcare clinician and patient, informed consent should be obtained from the patient regarding the appropriate use and limitations of this form of communication. Clinicians should develop and adhere to specific written guidelines and protocols for online communications with patients, such as avoiding emergency use, heightened consideration of use for highly sensitive medical topics, and setting expectations for response times. These guidelines should be documented in the clinician’s practice policy manuals, in patient terms of service or disclosures, or in the medical record when appropriate.

    Clinicians should exercise discretion when selecting patients for the use of online services to ensure that they are capable of electronic communication and will be compliant. Practices should consider developing patient use guidelines to help clinicians decide who uses these services on a patient-specific basis.

  • Pre-existing Clinician-Patient Relationship. Healthcare clinicians may increase their liability exposure by initiating a clinician-patient relationship online. Payment for online services may further increase that exposure. Online communications of any kind are best suited for patients previously seen and evaluated in an office setting.
  • Licensing Jurisdiction. Online interactions between a healthcare clinician and a patient are subject to requirements of state licensure. Communications online with a patient, outside of the state in which the clinician holds a license, may subject the clinician to increased risk. For example, pathologists, radiologists and other clinicians interpreting specimens, slides or images sent through interstate commerce for a primary diagnosis that becomes part of the patient’s medical record, should have a license to practice medicine in the state in which the patient presents for diagnosis or where the specimen is taken or image is made. Intra-specialty consultation does not require in-state licensure, provided the consultation is requested by a physician licensed within the state and is referenced in a report they issue.
  • Sensitive Subject Matter. Clinicians should advise patients of the risk that information the patient may consider sensitive may inadvertently be accessed by someone not authorized to see it. Physicians may wish to specifically list examples of sensitive information such as mental health, substance abuse, reproductive history, sexually transmitted diseases, drug and alcohol problems, genetic disorders and HIV status to their patients for their consideration.

    Some states have laws about special classes of health information, such as HIV or mental health. Clinicians should follow state law in obtaining approval from the patient to exchange those classes of information with patients. Some states may prohibit electronic transfer of specific classes of information regardless of patient consent.

  • Emergency Subject Matter. Healthcare clinicians should advise patients of the risks associated with online communication related to emergency medical subjects such as chest pain, shortness of breath, high fever, physical trauma or bleeding during pregnancy. Clinicians should discourage the use of online communication to address medical emergencies and instead instruct patients to call the office or go to an emergency department. In addition, patients should be referred to the Online Consultation Terms of Service where they have accepted the condition that the Online Consultation service is not to be used for emergency issues. Physicians should consider using a disclaimer on web pages and e-mails reminding patients that emergency subject matter is not appropriate for electronic communication.
  • Medical Records. A permanent record of online communications relevant to the ongoing medical care of the patient should be maintained as part of the patient’s medical records, whether that record is paper or electronic. All clinically relevant online clinician-patient and clinician-clinician communications (including e-mail) should be a permanent part of the medical record. Accurate and thorough documentation is effective risk management.

    Providers and patients should be aware that e-mail and online information, including PHRs and consultations, are not erased from the hard drive when deleted and are potentially discoverable in litigation. Therefore all communicated information should be accurate and professional.

    As interoperability between technology-based services (such as an EMR and PHR) becomes more common, if a patient is allowed to electronically transmit information to a clinician, that information should be quarantined until the clinician has reviewed and commented on the data, to avoid introducing inappropriate or incorrect information into the clinician’s medical record.