Duties and responsibilities
Using electronic communications, protecting privacy
Originally published October 2013; Revised January 2016
Technology is changing communication between doctors and patients, and between physicians and other health care providers. While electronic communication can improve patient care and enhance patients’ engagement in their care, it can also present unique challenges to patient privacy and confidentiality.
To help members address some of the medical-legal risks with using electronic communications (eCommunications) in their practice, the CMPA has developed an electronic communications consent template [PDF, DOC]. This template, or form, is intended for physicians to use as the basis for an informed discussion with patients about the use of eCommunication tools. It should be modified by physicians to suit the particular circumstances of their practice, and the applicable medical regulatory authority (College) requirements and privacy legislation in their jurisdiction.
The CMPA’s experience suggests that, at present, physicians are most interested in using email and instant messaging (texting), videoconferencing (including Skype and FaceTime), patient portals, and various social media applications. All these electronic communication tools can be accessed from a number of devices, including smartphones and tablets.
Physicians are aware of their general obligations to protect patient information. If they are considering using electronic communication tools with patients, they must also be aware of the risks to patient privacy that are inherent in the use of the devices and applications. The risks related to each are not necessarily the same. In addition, while patients need to be informed of the benefits of electronic communications, they must also be informed of the potential risks. Doctors should have an informed consent discussion with patients, and if the tools will be used, patients’ consent should be recorded in their records.
The CMPA’s electronic communications consent template [PDF, DOC] is offered primarily as a basis for an informed consent discussion, but may also help in developing an appropriate form for documenting consent. It is worth repeating that members should be aware that using the eCommunications consent form is not a substitute for a proper and informed discussion with patients about the risks associated with the use of the technology. It also does not relieve physicians of their obligation to fulfill all applicable jurisdictional privacy obligations.
Communication via email and messaging
Despite their pervasiveness and convenience, email and texting are often the least secure communication tools. Imagine, for a moment, using standard email software to send personal medical information to a patient — and getting the email address wrong. Worse — the email does not bounce back, but rather appears in the mailbox of an unintended recipient. The risks of interception or errors in sending email, texts, or instant messages can be significant. For these reasons, some privacy commissioners have indicated that using unencrypted email and texting with personal health information should be avoided, and in the case of Alberta appropriate security is mandated by the Health Information Act.
Despite any disclaimer physicians may include in the message, they remain responsible for protecting patient health information and preventing unauthorized access. Privacy legislation generally requires that custodians adopt safeguards to protect the personal health information under their control. Privacy regulators generally agree that the use of encryption software to protect electronic messages is a reasonable safeguard under the circumstances. There are a number of enterprise solutions that can provide encryption, including many patient portals. The protection options that are available outside the institutional environment can be complex and expensive, however more encryption options and applications are becoming available for use on devices such as smartphones.
Physicians considering using unsecured or unencrypted email or messaging should do so only for information that does not include identifiable personal health information.
Patient portals — Active pathways for two-way communication
Patient portals have been used in a limited way in community health practice since the 1990s.1 In recent years they have evolved into popular, secure interactive tools that can greatly enhance communication between physicians and patients, and help patients better manage their health.
There are multiple communication functions of web-based portals. For example, portals can house patient profiles and medical records, contain patient education documents, generate alerts and reminders for prescriptions and medication management, make the booking of appointments more efficient, and enable quick review of lab reports and follow-up messages to patients.
A growing number of physicians are taking advantage of this technology, particularly in response to patients’ demand for accessibility to everyday technologies that increase convenience and access to information. However, physicians using patient portals should clearly understand the benefits and limits of the technology and what steps should be taken to protect personal health information. While some of the functions of portals may appear innocuous, even downloading patient education materials could communicate confidential information about an individual's health status.
Patient portals need to be secure and accessible only by those who are authorized. The chosen platform must have adequate security systems to protect patient information and private online conversations, and to meet the requirements of applicable privacy legislation. Because the technical and security issues with portals can be complex, physicians and institutions should seek appropriate advice.
Patients also need to be informed in advance about how a portal will be used for online communication. They need to be aware that portals should never be used for urgent messages or time-sensitive health issues. Physicians should explain what information is available and what will be shared through the portal. As well, they should also explain that not all information should be shared online and that face-to-face consultations may be required to avoid the possibility that patients may misinterpret results or to ensure appropriate follow-up care.
Physicians need to keep privacy and confidentiality in mind when using social media such as Facebook, YouTube, LinkedIn, or Twitter. These networks can be valuable for sharing information for health promotion and for educational purposes. However, physicians should not communicate identifiable patient health information using social media. While some of these networks appear to mimic private one-on-one conversations through a chat function or direct messaging, content communicated via social media is unprotected and publicly accessible. Despite rigorous use of privacy settings, information shared on social media sites should be considered public forever.
Physicians should review guidelines provided by their College on the use of social media. Some Colleges provide detailed guidelines for sharing information on blogs, discussion forums, and maintaining professionalism.
Remember that social media platforms are public channels and can be considered equivalent to the front page of any newspaper or home page of any website.
Videoconferencing is increasingly being used to communicate with and deliver medical services to patients. Platforms such as Skype and FaceTime are frequently employed as telehealth tools, especially to provide clinical care directly to patients who live in remote communities or who have limited access to services outside their home.
The CMPA article, "Videoconferencing consultation: When is it the right choice?", emphasizes the importance of assessing whether videoconferencing is appropriate in the patient’s particular circumstances. Physicians should be aware of the limitations of the technology and determine whether it is appropriate to use in each specific circumstance. If the standard of care cannot be met using videoconferencing or patient privacy cannot be adequately protected, then an in-person consultation should be considered. Physicians should also be aware and follow their College’s position on the use of videoconferencing.
Reducing risk in eCommunications
Physicians who communicate personal health information electronically need to keep in mind that they are governed by the same legal and professional standards that would apply in other professional settings. For example, physicians should carefully consider how they will document electronic communications in the patient’s medical record.
Further, physicians using electronic communication with patients need to be aware of and follow the privacy legislation and College requirements that apply to their practice and jurisdiction.
Physicians should establish policies and procedures for using electronic communications in their practice. Employees should be informed of the risks with each form of electronic communication and trained to follow the policies and procedures.
- CMPA Good Practices Guide: eCommunication and Social media
- "Technology unleashed — The evolution of online communication"
- "Social media: The opportunities, the realities"
- "Top 10 tips for using social media in professional practice"
- Coach: Canada's Health Informatics Association. Privacy & Security for Patient Portals: 2012 Guidelines for the Protection of Health Information, Special Edition [Internet].Toronto: Coach; 2012 [cited 2016 Jan 15]. 111 p. Available from: http://www.ehealthontario.on.ca/images/uploads/pages/documents/Privacy-Security-for-Patient-Portals.pdf