Think about HIPAA before you hit send’
As medical communications move on-line, so does medical liability risk, according to the eRisk Working Group for Healthcare, a consortium of national medical societies and liability carriers.
The eRisk Working Group for Healthcare has published an updated list of guidelines for on-line communications with patients, other health care providers, and industry. Driving the creation of these guidelines is the continued growth of e-mail, which is being driven by strong patient demand, according to recent studies published by Boston Consulting Group, Jupiter Media Metrix, and Medem Inc. The new guidelines were developed by the carriers and medical societies at the second annual eRisk Working Group for Healthcare conference held recently in San Francisco.
Authentication, encryption recommended
The new guidelines address both routine on-line interaction as well as on-line consultations, in which providers are reimbursed for providing care on-line, says Mark Gorney, MD, medical director for the Doctors Company, one of the largest national malpractice carriers.
The guidelines emphasize the need for secure on-line messaging, with authentication and encryption, he says, as opposed to the use of standard e-mail. A second set of guidelines for reimbursed on-line consultations was created in response to the growing interest in this service among both patients and physicians and an increase in the number of payers who are reimbursing or considering reimbursement for on-line consultations.
"The new eRisk guidelines make it clear that there are risks in using standard e-mail to communicate with patients or to transmit patient information to third parties," Gorney explains. "Charging patients or payers for an on-line consultation likely increases those risks. Given these risks and the HIPAA [Health Insurance Portability and Accountability Act] guidelines, it makes good sense to use a network that includes both encryption and authentication for transmitting messages."
The liability carriers and the societies agreed that technology adoption among health care providers is advancing rapidly and is challenging the health care industry to keep up with appropriate guidelines and advice. Ed Gotlieb, MD, a pediatrician and representative from the American Academy of Pediatrics, whose board has formally endorsed the eRisk guidelines, says the frequency of on-line communications is increasing rapidly.
Get informed consent before using e-mail
Gotlieb points out that many may assume e-mail communication is acceptable to patients, but the guidelines specifically say that informed consent is necessary before beginning any e-mail communication with a patient. That means the sender must explain to the patient that e-mail communication may not be as private as other methods, and the patient must consent to communicating that way despite the privacy shortcomings.
In particular, risk managers should warn staffers and clinicians against routinely soliciting patients’ e-mail addresses as part of data collection and then using that address without informed consent. The new guidelines have this to say about getting informed consent for e-mail communication:
"Prior to the initiation of on-line communication between health care provider and patient, informed consent should be obtained from the patient regarding the appropriate use and limitations of this form of communication. Providers should consider developing and publishing specific guidelines for on-line communications with patients, such as avoiding emergency use, appropriate expectations for response times, etc. These guidelines should become part of the legal documentation and medical record when appropriate. Providers should consider developing patient selection criteria to identify those patients suitable for e-mail correspondence, thus eliminating persons who would not be compliant."
The summary guidelines for on-line communications and reimbursed on-line consultations have been posted on the liability carrier Web Sites and are also available at www.medem.com/erisk.