E-mailing Yourself from the Office? Proceed with Caution

January 6, 2011


We’ve seen quite a number of doctor-targeted articles lately that trumpet the merits of e-mailing patients - and it’s easy to see why. 

If you’re a doctor, sending e-mail can be more convenient than making a call (no phone tag or annoying on-the-spot questions!). What’s more, patient-physician e-mailing has been linked with better outcomes in those with diabetes, hypertension, and other high-maintenance diagnoses.

But when it comes to e-mailing patient notes to your home e-mail account, the electronic medium could prove more of a hassle than a help.
 

We were alarmed to learn recently that a gastroenterologist may have gotten his former practice in trouble after sending unencrypted e-mails filled with patient information to himself, reportedly for the purpose of analyzing medical-procedure notes.

When his employer, Geisinger Wyoming Valley Medical Center, found out, a letter was sent to nearly 3,000 patients apologizing for the actions of the doctor (who, by the way, is no longer employed by Geisinger).

Though the information sent included patient names, Geisinger medical record numbers, procedures, indications, and the physician’s brief impressions regarding the care provided, it didn’t include addresses, telephone numbers, social security numbers, patient account information or any financial information that could make affected patients vulnerable to financial identity theft, according to a press release issued by the organization.

Wilkes-Barre, Pa.-based Geisinger said it notified patients as part of its own health information security program and in compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

“We have reviewed our internal practices and taken appropriate action to avoid reoccurrence,” said Geisinger Privacy Officer John Gildersleeve, in a press release. “With the short time frame and the doctor’s forthright explanation, we believe there is little risk that the protected health information was seen by anyone other than the physician himself. We take our commitment to maintaining our patients’ privacy seriously and regret any inconvenience this inadvertent disclosure may have caused.”

Though there was no information as to whether the physician got fired over the incident, it is a reminder of why taking necessary precautions to protect patient data - through encryption technology or other, federally regulated means - can save you from embarrassment, fines, and other penalties.

“When you e-mail yourself, there is some danger you could accidentally e-mail someone else from your address book,” said Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University, who is co-author of the 2009 report “E-Health Hazards: Provider Liability and Electronic Health Record Systems.”

Docs who want to e-mail themselves patient notes for work at home still have some options: For starters, they can protect themselves by securing not only their office computers but their home computers as well.

Andy Podgurski, a computer science professor at Case Western Reserve University who co-authored the study, said that while it’s good practice to encrypt sensitive e-mails, that’s only a small part of securing sensitive information. A hacker is more likely to attack the endpoints of an e-mail transmission than to break encryption en route.

“It would be far worse for a doctor to be using an older version of Windows that didn’t have the proper security patches [before opening an e-mail],” Podgurski said.

Unfortunately, nothing is fail-safe (hackers have a reputation for loving a challenge). But you can lessen the likelihood of sensitive patient information getting into the wrong hands by enacting a few easy measures. Podgurski suggests checking to make sure that you are using an up-to-date operating system, regularly running antivirus software, and using “basic intrusion-protection software.”

Also: Consider your own behavior. Do you surf the web in dangerous or risky ways? Do you choose secure passwords? Do you lock away your laptop when not in use?

“Liability is judged by the degree of negligence of the defendant,” said Hoffman. “So the more steps you take to achieve security, the less likely it is you will be deemed to be negligent.”

How does your practice handle e-mail to patients? To what extent are you or your practice required to protect e-mail messages sent to yourself or colleagues? Post your response below.