Patient E-mail: Handle With Care

May 15, 2002
Joanne Tetrault

How to reduce risks related to e-mail

Got the blues? Visit Shrink-Link, where a "group of highly trained mental health professionals focus on you." Need to lose weight? Click here to order the "miracle drug" FenPhen. No consultation needed!

Clearly, we've learned some hard lessons in the few years since fast online medical fixes were all the rage. Shrink-Link quickly became defunct, according to an early study on the legal issues of Internet medicine, published in the Canadian Medical Association Journal back in 1997. The problem, said researchers, was the absence of legal disclaimers from those giving health advice online.

And an online search for "FenPhen" today reveals numerous legal entities offering help for patients wanting to join the class action lawsuit filed against the drug's manufacturer after some patients developed heart valve disease. Physicians who prescribed the drug online have also run afoul of the law.

Physicians should keep these lessons in mind as physician-patient e-mail becomes an accepted way to save time and respond to patient demands for increased access. National studies by Medem, a healthcare information consortium made up of leading medical societies, show that the number of physician Web sites doubled and the volume of physician-patient e-mail tripled in a 12-month period ending in May, 2000.

It's clear that "there are risks in using standard e-mail to communicate with patients," said Mark Gorney, medical director of the Doctors Co., as he introduced "eRisk Guidelines" at the beginning of this year. The guidelines were developed by the eRisk Working Group for Healthcare, a consortium of malpractice carriers, to increase physicians' awareness of risks and to outline solutions.

Attorney Reece Hirsch, who co-chairs the practice group on healthcare and the Internet for law firm Davis Wright Tremaine in San Francisco, agrees that "the regulatory actions against physicians who prescribed online are probably the best examples of what can happen if you don't provide online medical advice appropriately."

What's your role?

Health systems, physicians, and legal experts agree that, before you hit the "reply" button on a patient e-mail message, it's critical to have ground rules in place and clearly defined for patients.

"You should not just open up this channel of communication without thinking very carefully about what your policies are going to be," says Hirsch. First, it's important to determine where the "line in the sand" is between offering general advice and establishing a physician-patient relationship, which entails both responsibility and potential liability on the physician's part.

Other key considerations include: Who will answer patient e-mails -- and how quickly? How will sensitive or urgent medical situations be handled? And what needs to be done to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) security rules?

"Just because [a communication] is via e-mail or through the Internet doesn't mean that all of the rules that you would apply to your other patients don't apply here," Hirsch cautions. "E-mail communications with patients may be part of the medical record and they need to be treated that way. Basically, the question to ask is: 'Are you exercising your professional judgment and providing specific medical advice to an individual?' If so, it's likely that a physician-patient relationship has been established."

Are there special precautions for physicians who participate in health-oriented chatrooms, preside over patient-oriented "e-health" Web sites, or otherwise provide general medical advice or information online?

Hirsch says, "You need to be very clear in your disclaimer and in the way you manage those communications. You have to stick to the parameters you've defined -- the 'rules of engagement,' so to speak. It's possible that you could go from providing general information to establishing a relationship with a patient. The best way to do that is to request that the patient make an appointment."

"I have participated in online discussions, particularly on pediatric developmental issues," says Eric Knight, MD,

of the Elliot Physician Network in Londonderry, N.H. "In this situation, I have never allowed myself to fall into discussing diagnosis or treatment of an individual, but rather kept things very general. If things started getting more specific I deferred to their local providers."


Chris Woleske, an attorney and health plan compliance officer in Green Bay, Wis., agrees that e-mail between a physician and patient "is not meant to take the place of face-to-face patient care. It is only intended to supplement it," she says.

Responding effectively

Does offering e-mail privileges to patients mean physicians will be chained to their computers answering messages? Not if other qualified staff members are involved in reviewing e-mail requests and responding when appropriate.

"Our e-mails are received in a central account, triaged, and routed the way phone calls and faxes are handled," says Brad Stoklasa, an electronic medical records coordinator for a large, integrated healthcare system in Wisconsin.

"It makes sense to arrange the office information flow so that e-mail messages go through triage just like phone calls do," Knight agrees. "For fairly routine exchanges such as referral and refill requests and many lab results, the triage person might be able to respond perfectly well, saving the more complex questions for the physician."

Hirsch adds, "Usually there is an understanding that other members of the staff will have access to patient records to a reasonable extent." Still, you should establish guidelines that specify exactly how incoming e-mails will be processed once they reach your office. "Just because a patient is sending an e-mail to 'DrSmith.com' doesn't mean Dr. Smith is going to be the only person who reads it," he says.

Protecting patients' privacy is key, so it is common for physician practices and health systems to alert patients as to who may be reading their e-mails. For example, when patients log on to the University of North Carolina Family Practice's pilot e-mail program (www.unchealthcare.org/fpc), they read that "physicians, nurses, and other clinical staff" are taking part.

"Patients essentially 'self triage' based on whether they need help with a pharmacy issue, to talk to doctor, whatever their needs are," says Karen McCall, vice president of public affairs and marketing for University of North Carolina (UNC) Health Care in Chapel Hill. "Every inquiry to a doctor gets a response in 48 hours."

The expected response time should be shared with patients in advance, along with guidelines for what types of medical situations are appropriate for e-mail.

"You have to tell patients how often the e-mail will be picked up," says Hirsch. "If you're only going to be checking your e-mail once every few days, you need to send a clear message that urgent, time-sensitive communications should not come in this way."

UNC's e-mail program home page clearly states that, if the patient needs a quick response, they should call the office, or in case of an emergency, call 911. An accompanying disclaimer contains additional details as to what types of issues are appropriate for e-mail: "Because e-mail is best suited for non-urgent issues, you should use it for prescription refills, request or cancellation of appointments, or simple medical questions. Sensitive issues such as the results of HIV testing, substance abuse, or mental health issues will not be addressed by e-mail."

Privacy prevails

Government agencies, too, have had to rethink some policies as e-mail becomes an increasingly popular way to transmit health information.

As of last July, the Centers for Medicare and Medicaid Services (CMS) modified its policy to allow CMS data to be transmitted via the Internet, stipulating that "an acceptable method of encryption must be used, and authentication or identification procedures must be employed," according to the organization's Internet Security Policy (www.hcfa.gov/security).

Most practices are complying with these regulations anyway, as they move toward compliance with the security rules of HIPAA.


"Any physician who is communicating with patients via the Internet and transmitting protected health information or any form of medical information should be encrypting it," according to Hirsch.

"In the proposed HIPAA Security Rule, a covered entity like a healthcare provider can't send protected health information over an open network like the Internet without encryption," he adds. "It doesn't say what the standard for encryption is, because HIPAA is 'technology-neutral' - but 128-bit encryption is a reasonable and commercially available form of encryption."

Like so many issues related to HIPAA, Hirsch says encryption "is going to be a moving target as technology improves."

Making e-mail work

For many physicians using e-mail these days, the evolving technology or possible legal snares may not be their primary concern. "The most difficult issue with e-mail -- in fact, one of the leading reasons many of us resist using computers, seems to be poor typing skills," contends Knight.

To those reluctant physicians, Knight says "it's OK to start small with a few patients, but at some point -- when you start getting more than a couple of messages a day -- you have to engage the triage process."

Keep in mind, too, the security rule is still only in a rather rough proposed stage. The requirements could change. The more concrete, final version of the related privacy rule only requires physicians to apply reasonable safeguards to protect privacy. It's up to the provider to define reasonableness based on the particulars of the office. That might mean encryptions, not doing e-mail at all, or some other solution.

If you are spending too much time managing e-mail communications, try:

  • Delegating. Basic questions are easily answered by non-medical staff or mid-level providers;
  • Limiting or defining the range of questions. Instead of providing an e-mail address on your Web site and inviting all questions, ask patients to follow specific links for information on office hours or basic home care advice. Or, provide forms to fill out so you'll know which messages need more immediate attention or can be delegated; or
  • Using a template. If you are always answering the same questions, post the answers on your Web site. Or, craft a standard answer you can cut and paste as a response.

Knight himself is an active user and proponent of e-mail. "It allows me to review what I 'say' before sending a message, and it helps me to make my message more complete and accurate. Also, it allows me to have more complete documentation of what is said," he explains.

On the flip side, e-mail "presents great potential for misunderstanding if you slip over into the relational, emotional milieu, which is a good reason to follow up with a short phone call, just to make sure things are clear with the patient.

"Basically," Knight says, "e-mail is better for transmitting clear and detailed information than a verbal exchange. Some patients love it and will change to -- or stay with -- a particular physician just to be able to use it."

Joanne Tetrault, director of editorial services for Physicians Practice, can be reached at jtetrault@physicianspractice.com.

This article originally appeared in the May/June 2002 issue of Physicians Practice.