The Tech Doctor: E-mail Abuse Primer

October 1, 2008

Do you know what your employees and colleagues are sending out of your company’s e-mail system? You’d better. You need a policy to protect yourself - and your patients.


As a provider or administrator, you care about the security of your practice’s assets. You diligently double-check your security alarm at night before you leave the office. You had your office manager install door locks on your medical records area. You installed security cameras at your office’s entrances and exits. Even your most basic sample medications are under lock and key. Unfortunately, all of these precautions still leave you vulnerable to the fastest way to move valuables out of your office: E-mail!

In practices large and small, having a documented e-mail use and abuse policy and ensuring staff are well versed in that policy are critical to protecting the practice, as well as your employees. Misuse of e-mail at work can lead to lost productivity, clinical liability, and human resources nightmares, among other risks.

What’s the worst that could happen?

Think about your practice and what information you have in electronic format: Spreadsheets of provider/staff pay rates and bonus incentives, tax documents, photos of patients’ dermatological symptoms, transcribed chart notes, and thousands of patient records - all ripe for the picking by an identity thief. Every one of these items can likely escape your secure grasp into the wilds of the Internet, all via simple e-mail attachments.

What is your liability if one of your patients’ “before and after” breast augmentation photos starts making the “Funny photos, forward this e-mail to at least three people” circuit on the Internet? What if a staffer e-mails an unencrypted transcribed note to the wrong address, accidentally sending it to a friend rather than the intended recipient at another doctor’s office? The ramifications of simple e-mail errors could cost you big.

Make it clear!

Have all new hires (and existing staff, including your physician peers) sign off on an E-mail Use and Abuse Policy. Use any Internet search engine to track down free example policy documents that you can then fine-tune for use in your own practice. I would even suggest having the document reviewed by your attorney. Often, staff seem to feel more of a sense of accountability when they have signed off on a specific policy, rather than it simply being part of an employee handbook they may never fully read.

Some general guidelines

Thanks to HIPAA and increasing awareness regarding general Internet security concerns, many technology-savvy physicians and staff are aware that caution is the name of the game. While HIPAA does not specify a particular technology tool for securing e-mail communications, users can protect themselves by following a few simple rules:

  • Establish policies about personal use. Enforce a rule limiting use of office e-mail to just that, office matters. Explain to users that this is purely an effort to protect them, as well as the practice. If you as an owner want to be flexible, then allow staff to access their SEPARATE Web mail accounts for personal use, and insist office e-mail be used for work purposes only.

  • Specify and document exactly what is and is not acceptable to send via e-mail. While sending protected health information via traditional plain text e-mail is a risky proposition at best, create a defined list for your practice (with the guidance of your attorney) of what components of practice information can safely be sent via e-mail.

Perhaps your practice finds it to be an acceptable risk to send a list of patient names awaiting operating room scheduling to the local hospital via encrypted e-mail. Your documents should be specific enough to define that this is acceptable if encrypted, but not acceptable if sent unencrypted.

  • Teach your staff to use the password protection built into word processing and spreadsheet applications. This is not foolproof (the protection in older document formats can be broken with freely available tools), but it at least keeps an unintended recipient from simply opening the attachment. Never put the password in the same e-mail as the attachment; give it to the recipient by phone or another separate channel.

  • Do not allow staff to export e-mail to CD, USB key, or other external media. Users often accumulate large e-mail archives that need to be backed up to free space on their drives. Be sure this is carried out by an office/IT manager who is responsible not only for making the backup archive, but also for password protecting that archive, ensuring its physical security during storage, and making sure a copy does not make its way out of the office.

  • Remind staff that e-mail is subject to the same sexual harassment and other HR policies as verbal communication. Too often, good employees fall victim to bad judgment by sharing “humorous” e-mails containing sexually oriented or other inappropriate content with other staff members. Be clear with staff (including physicians) that sharing such material could be considered offensive to some and be grounds for disciplinary action, or worse.

Use of “free” e-mail solutions

In a small office, an e-mail server is often considered too expensive or impractical, and the office will instead use free Web mail services, such as Gmail, Hotmail, Yahoo Mail, or something similar. While these free Web mail services may work well for personal use, they can pose some risks.

Use of a Web mail service will limit your ability as an owner or administrator to control individual e-mail accounts, as you could with a corporately owned e-mail server. In the event a staff member leaves the company, you have no way to reset the password to the e-mail box of the Web mail service, and you may find yourself at the mercy of your ex-employee. If the employee’s parting was amicable, you may have less of an issue.

If, however, the employee was terminated, or otherwise severed their employment agreement under a dark cloud, you risk never having access to that e-mail box again. This could mean you have limited means of notifying anyone (including patients … eek!) who may have communicated with you via that e-mail address, that it is no longer a valid means of communicating with your office.

Encryption: Securing e-mail in transit

When you mail a letter, the envelope hides the contents from everyone who handles it in transit. Standard plain text e-mail offers no such envelope: the message can be read on every mail server it passes through and in every mailbox it is copied to. Ask your local IT support resource about e-mail encryption solutions that wrap the message contents so that only the intended recipient can read them.
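The rule sketched under “Some general guidelines” (the operating room list may go to the hospital encrypted, never unencrypted) and the encryption advice above can be turned into a check that a mail gateway runs on every outgoing message. The following is an added example written for this edit, not code from the article or from Physicians Practice. It uses only Python’s standard library, assumes made-up domains (practice.example for the practice, hospital.example as the one approved outside recipient), treats a PGP/MIME or S/MIME envelope as “encrypted,” and works on constructed sample messages rather than real traffic.

```python
import email
from email import policy

# Assumed for illustration (not from the article): the practice's own domain and
# the outside domains it has agreed may receive patient information, and then
# only inside an encrypted message.
PRACTICE_DOMAIN = "practice.example"
APPROVED_PHI_DOMAINS = {"hospital.example"}


def recipient_domains(msg):
    """Lower-cased domain of every To/Cc/Bcc address on the message."""
    domains = set()
    for header in ("to", "cc", "bcc"):
        for value in msg.get_all(header, []):
            for addr in value.addresses:
                domains.add(addr.domain.lower())
    return domains


def is_encrypted(msg):
    """True when the whole body is enveloped by PGP/MIME (RFC 3156) or
    S/MIME (RFC 8551). A signed-only S/MIME message does not count."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype == "application/pkcs7-mime":
        return str(msg.get_param("smime-type", "")).lower() == "enveloped-data"
    return False


def attachment_names(msg):
    """File names of the parts a mail client would show as attachments."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def check_outbound(raw_message):
    """Apply the practice's rule: an attachment may leave the practice only to
    an approved domain, and only inside an encrypted message.
    Returns (verdict, reason)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    external = {d for d in recipient_domains(msg) if d != PRACTICE_DOMAIN}
    if not external:
        return "allow", "internal recipients only"
    if is_encrypted(msg):
        unapproved = external - APPROVED_PHI_DOMAINS
        if unapproved:
            return "block", ("encrypted, but recipient domain not on the approved "
                             "list: " + ", ".join(sorted(unapproved)))
        return "allow", "encrypted to an approved domain"
    names = attachment_names(msg)
    if names:
        return "block", "unencrypted attachment to an external recipient: " + ", ".join(names)
    # A plain-text body can still carry PHI; a filter cannot judge that, which
    # is why the article wants a written list of what may be sent.
    return "allow", "no attachment; body left to the written policy"


# Constructed sample messages for the demonstration (not real traffic).
HEADERS = "From: scheduler@practice.example\nSubject: OR list for Monday\nMIME-Version: 1.0\n"


def with_attachment(to):
    """Ordinary multipart/mixed message carrying a CSV attachment."""
    return (HEADERS + f"To: {to}\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nAttached is the list.\n"
            '--b1\nContent-Type: text/csv; name="or-list.csv"\n'
            'Content-Disposition: attachment; filename="or-list.csv"\n\n'
            "name,procedure\n--b1--\n")


def pgp_encrypted(to):
    """PGP/MIME envelope; the ciphertext itself is a placeholder."""
    return (HEADERS + f"To: {to}\n"
            'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"\n\n'
            "--b2\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
            "--b2\nContent-Type: application/octet-stream\n\n"
            "-----BEGIN PGP MESSAGE-----\n(ciphertext omitted)\n-----END PGP MESSAGE-----\n--b2--\n")


SMIME_ENCRYPTED = (HEADERS + "To: or-desk@hospital.example\n"
                   'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
                   "Content-Transfer-Encoding: base64\n\nMIIB(ciphertext omitted)\n")


if __name__ == "__main__":
    for label, raw in [
        ("unencrypted attachment to hospital", with_attachment("or-desk@hospital.example")),
        ("same attachment, internal recipient", with_attachment("nurse@practice.example")),
        ("PGP/MIME to hospital", pgp_encrypted("or-desk@hospital.example")),
        ("PGP/MIME to a friend's Web mail", pgp_encrypted("friend@webmail.example")),
        ("S/MIME to hospital", SMIME_ENCRYPTED),
    ]:
        print(f"{label}: {check_outbound(raw)}")
```

The check only tells an encrypted envelope from an unencrypted one; it does not inspect the body, so the misaddressed transcribed note from the opening section is caught only when it travels as an attachment or is encrypted to a domain outside the approved list. That is the gap the written policy and staff training have to cover.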

Using these suggestions, you can begin to construct your practice’s e-mail policies. The sooner you begin, the sooner your greatest assets will be better protected.

Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via abeckel@physicianspractice.com.

This article originally appeared in the October 2008 issue of Physicians Practice.