Physician-Patient E-mail: Protecting the Physician Office Practice p2
Responses
- Set up an automatic reply to acknowledge receipt of messages; determine a reasonable turnaround time for responding to patient messages and adhere to it.
- Advise all patients to use alternate forms of communication for any matter that cannot wait at least 72 hours to be addressed.
- Use automatic messaging features to direct patients to go to an emergency department or call 911 in the event of an emergency.
- Avoid anger, sarcasm, criticism, and libelous references to third parties in your messages.
Security, Storage and Retention
- Recognize that e-mail is inherently insecure: it can be intercepted, misdirected or forwarded, which could result in a person’s medical record or other personal information being seen inadvertently by the wrong person, at the sender’s or receiver’s end.
- HIPAA is a federal law that applies to a physician practice (known as a “covered entity”) that electronically transmits healthcare information. Regulations were developed to protect the security and privacy of protected health information (“PHI”). PHI includes information in medical records and other individually identifiable health information.
- These regulations require physicians (1) to implement a security policy (protect PHI against unauthorized access); and (2) to notify patients about privacy and confidentiality procedures in effect for the practice (conditions under which PHI may be transmitted or disclosed). However, a “reasonableness” standard gives covered entities the flexibility to select solutions they consider appropriate for their circumstances.[3]
- Consider the use of encryption technology (e.g. password-protected) to safeguard electronic PHI; alternative approaches include secure Web portals, secure messaging networks and virtual private networks (“VPN”). Inform patients if encryption is not used.
- Implement a mechanism to ensure that all software is up to date, including regularly checking for security updates or patches.
- Once the original sender transmits the e-mail, he/she no longer controls its re-transmission. Physician practices may want to implement a policy that any e-mail containing PHI should include a statement: “This message may not be forwarded.”
- Perform regularly scheduled back-ups (e.g. weekly) of e-mail onto long-term storage; define “long-term” to be consistent with the time period that applies to retention of paper records for a given jurisdiction.
- When appropriate, physicians should save electronic and/or paper copies of e-mail communications with patients in the patient’s office medical record.
- Develop archive and retrieval mechanisms for any and all electronically stored patient information, including that stored in e-mails, your Web pages, word-processing files, databases stored in electronic memory systems, such as magnetic disks (computer hard drives), optical disks (e.g. CDs) and archival media or back-up tapes (that may be managed and stored off-site for disaster recovery).
Electronic Information in Litigation
- Electronic discovery ("e-discovery")[4]: Recently, the Federal Rules of Civil Procedure were amended to address advances in electronic data. These federal procedure rules will govern discovery of electronic health information (“e-discovery”) in malpractice cases brought in the federal court system. Under the new rules, all electronically stored information that the disclosing party may use to support its claims or defenses, unless otherwise privileged from discovery, must be disclosed.[5]
- The new rules cover not only information in an electronic medical records system and other health information systems, but all data in electronic form, including e-mail, instant messages and healthcare providers’ Web pages. The significance of this is that discoverable electronic information may include data that has not traditionally been considered to be part of the patient’s medical record.
- New Jersey has adopted electronic discovery rules that mirror the federal rules.[6] Since most medical negligence cases are filed in state courts, the expansion in scope of discovery of electronic health information will no doubt create challenges to those parties that have to produce requested electronic documents.
E-mail is increasingly being used as a means of communication between patients and their physicians. E-mail can be used to provide follow-up care, clarify instructions to patients, send test results, make appointments or provide Web links to additional educational resources. However, while there can be advantages to using e-mail over traditional forms of communication, there are also concerns, including issues of privacy and security, that should be recognized and addressed appropriately.
[3] http://www.hhs.gov/ocr/hipaa/; HIPAA Compliance Handbook, Aspen Publishers, 2007 Ed., see: Special Topics in Security Regulation, pages 4-18 – 4-20.
[5] Electronic Health Records Raise New Risks of Malpractice Liability, J. Korin and M. Quattrone, NJ Law Journal, 6/19/07.
[6] New Jersey Rules of Court, Part IV-Rules Governing Civil Practice in Superior Court; Ch. III. Pretrial Discovery; Rule 4:10-2. Scope of Discovery; Par. (a), (c) and (e) amended, and new par. (d)(4), (f) and (g) adopted July 27, 2006, to be effective Sept. 1, 2006. Rule 4:18-1: Production of Documents, Electronically Stored Information, et al.; Par. (a) and (b) adopted July 27, 2006, to be effective Sept. 1, 2006.
