Safety of care

Improving patient safety and reducing risks

Using email communication with your patients: legal risks


Originally published March 2005 / Revised May 2015¹

While the use of email between physicians and patients has many potential advantages, physicians should be aware of the legal risks and consider precautions to help mitigate those risks.

Patients should be informed of, and agree to assume, the risks inherent in this form of communication. As well, physicians should review any applicable statutory (e.g. privacy legislation) or regulatory authority (College) requirements that may affect the use of email. Some privacy commissioners (e.g. Ontario) have indicated that the use of email to communicate personal health information should generally be avoided, but if required in the circumstances, appropriate technical safeguards and security procedures must be implemented.

The legal risks of using email to communicate with patients stem from issues of confidentiality, privacy, and security; timeliness of responses; and clarity of communication.

Confidentiality, privacy and security

Physicians have an obligation to maintain the confidentiality of patient information and must comply with applicable privacy requirements. Privacy legislation generally requires custodians to adopt reasonable safeguards to protect the personal health information under their control.

Since physicians cannot guarantee the privacy and security of email messages, they should consider the following precautions:

  • Advise patients about when and to whom patient information will be communicated by email.
  • Inform patients about how emails are handled, including who will process email messages and who may respond to a patient's email.
  • Carefully check email addresses. When sending an email to a group, recipients should not see the names and addresses of others. One method of keeping the names and addresses confidential is to use the blind carbon copy (Bcc) field. Enter your own name in the "To" field and place the list of recipients in the "Bcc:" field. Placing your name in the "To" field will provide you with a copy of the email for your records.
  • Be aware that when using an employer's or a third party's email system (e.g. hospitals and clinics), these parties may have the right to access the email communications. If the third party is subject to federal or provincial privacy legislation, emails sent from the third party's computer system may also be at risk of being disclosed in the context of an access request, privacy commissioner or College investigation. They may also be subject to disclosure in the context of litigation.
  • If email must be used to communicate sensitive personal matters, consider using a personal email account accessed from a computer you personally control rather than a computer that is shared with others.
  • Refrain from using web-based email services (other than secure webmail such as that offered by the CMPA to communicate medico-legal matters). These services may lack important security features, making them more vulnerable.
  • Consider using encryption to secure email communications. However, because encryption only functions where both the sending and the receiving computers are equipped with the same encryption software, the use of encryption may not always be a viable option when communicating with patients. The patient's decision not to use encryption for email should be documented.
  • Exercise caution when using email on mobile devices (e.g. smartphones and tablets) in public places where others may eavesdrop on these communications. Privacy commissioners and ombudsmen in some provinces, including Ontario, Alberta, and New Brunswick, mandate that personal health information stored on mobile devices must be encrypted.
  • Consider how you will document email messages in the medical record. Physicians have an obligation to include relevant patient care information in the medical record.
  • Consider establishing a policy on topics that may be too sensitive for email, such as messages dealing with substance abuse, HIV status, sexually transmitted disease, psychiatric illness and a diagnosis (e.g. cancer).
  • Consider using a written consent form to document the patient's consent to email communication and acknowledgment of the associated risks. The use of such a form could also decrease the risk that the patient might later make a complaint or bring an action for breach of privacy or confidentiality.

Protect email to/from legal counsel

Using only personal email accounts accessed from a computer personally controlled by you is especially pertinent for members who are being assisted by counsel with legal matters.


Timeliness of responses

Email is not always instantaneous; an email message can arrive hours or even days after it is sent. Email may therefore be a poor method for exchanging time-sensitive information. Physicians may want to consider the following measures to mitigate the potential legal risks associated with timeliness:

  • A target turnaround time may be established for messages received from patients and other healthcare providers.
  • Patients may be informed of escalation procedures to follow if they do not receive a response from their physician in a reasonable amount of time, or if the symptoms or problems worsen.
  • Patients should be informed they are responsible for following up on physician-patient emails.
  • Emails may be triaged to facilitate timely responses. The content and context of messages can indicate the expected turnaround times, and responses can be prioritized accordingly.
  • Automatic replies may be used to acknowledge receipt of emails.

Clarity of communication

When communicating with patients and others via email, physicians should consider the following suggestions to improve clarity and avoid misunderstandings:

  • Acronyms and medical terms should be avoided unless they are explained.
  • Be aware that lay people may not know that common words can have medical meaning.
  • Messages conveying anger, sarcasm, harsh criticism, gratuitous comments and libelous references should be avoided. It is also difficult to communicate humour, wit, sensitivity, warmth and other emotions by email, and such comments can be taken out of context or overemphasized by the recipient. Consider first whether it is appropriate to communicate by email in this context.
  • Email messages should be worded carefully. Emails create an indelible trail, even after copies have been deleted. From a risk prevention standpoint, this can prove to be both a benefit and a detriment. It offers documentation of communication between patient and provider, allowing for more accurate reconstruction of interactions. However, poorly constructed or carelessly worded emails may be used as evidence in a proceeding where the quality of care is being questioned.

Using a consent form

Patients should be informed of the risks inherent in email communication and agree to assume those risks. This may be achieved by asking patients to sign a consent form. The consent form addresses the major legal issues and risks that could arise in electronic communications between physicians and patients. Whether or not a consent form is used, physicians should document in the patient's medical record the discussion with the patient and the patient's express consent to email communication.

Physicians who have websites

Physicians should avoid using their websites to communicate with patients or the public via unsecure email. Members who have websites promoting their practice may consider using the Terms of Use Agreement template provided by the CMPA. The template includes a clause entitled "Email communication with the public", which can be modified where secure email communications occur through a physician's website.

The bottom line

  • Members should understand the legal risks associated with communicating by email with patients.
  • Before engaging in email communication, members should review any applicable statutory and College requirements that may impact the use of email for transmitting patient health information.
  • Patients should be aware of the potential risks and agree to assume those risks. A signed consent form that outlines the risks of email communication, as well as the obligations placed on patients who wish to correspond via email, provides a permanent record of the consent given.
  • Physicians working within an organization should be aware of the risk of access by the organization to any email communications using an organization's computer system. This caution is especially pertinent for members who are being assisted by legal counsel.
  • Physicians should establish policies and procedures for handling email communications and implement reasonable technical safeguards. Their employees should be informed of the risks associated with inappropriate email communication.

Related reading

Technology unleashed – The evolution of online communication

1. This article is based on a more extensive review of this issue in: McFadden, J. Health Care Practitioner Email Communication: Legal Concerns and Potential Safeguards. Telehealth Law. 2002 October; Vol. 3, No. 1. (published by Butterworths)


DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.