Wednesday, October 21, 2009
By Dan Schulte, J.D.
MDA Legal Counsel
From the July 2009 issue of the Journal
Question: Some of my colleagues are advertising their e-mail addresses and encouraging patients to communicate with them by e-mail. What are the legal issues involved with sending or receiving dental record information by e-mail?
Answer: The use of e-mail to communicate with patients is not risk-free, and certain legal concerns should be addressed. For example, you must ensure compliance with HIPAA’s Security Rule. You should also consider the effect e-mail messages may have on your ability to defend yourself in a malpractice case.
HIPAA’s Security Rule sets forth administrative, physical and technical safeguards that covered entities (including dentists) must implement to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). ePHI includes most dental record information that is maintained or transmitted in electronic form, so an e-mail that contains patient information is ePHI.
HIPAA’s Security Rule contains standards (which every covered dentist must meet) and implementation specifications (the particular measures by which a standard is met). Implementation specifications are either “required” or “addressable.” An addressable specification is not optional: you must either implement it or document why it is not reasonable and appropriate for your practice and what alternative measure you adopted instead. All of the standards apply to your practice; how you meet them, and which addressable specifications are reasonable and appropriate, will vary depending on your size, available resources, etc.
One standard that applies squarely to patient e-mail is the transmission security standard, which requires technical security measures to guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network. Among its implementation specifications is an encryption specification, an addressable one, calling for a mechanism to encrypt ePHI whenever doing so is reasonable and appropriate. For a practice that sends patient information by e-mail, that will in most cases mean encryption software or a third-party secure messaging service. It follows that you generally should not be exchanging e-mail that contains protected health information through an ordinary consumer webmail account that does not encrypt the message.
I am frequently asked which encryption software should be purchased to comply with HIPAA. This past May, the Department of Health and Human Services issued guidance, drawing on National Institute of Standards and Technology (“NIST”) publications, identifying the encryption processes it considers sufficient to render protected health information unusable, unreadable or indecipherable to unauthorized persons:
- for data at rest (stored on your computer or another device), encryption consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; and
- for data in motion (being transmitted, for example by e-mail), encryption that complies with Federal Information Processing Standard (FIPS) 140-2.
When purchasing encryption software, insist on a representation and warranty that the product meets these standards, and verify the FIPS 140-2 claim yourself: a validated cryptographic module carries a certificate number on NIST’s Cryptographic Module Validation Program list, and a vendor statement that a product “uses FIPS-approved algorithms” is not the same thing as validation. Keep in mind, too, that encryption in transit protects a message only while it travels; once it reaches the patient’s mailbox it is stored on whatever service the patient uses, outside your control.
Your e-mails to patients can and will be used as evidence in dental malpractice litigation. Make sure each message contains clearly written, complete and appropriate information. The acronyms, abbreviations and shorthand descriptive terms you would use when charting in a patient’s dental record are not appropriate in an e-mail to a patient; any misunderstanding or misinterpretation by the patient that results will certainly be used against you.
All of your e-mail communication with a patient should be retained, in some fashion, as part of the patient’s dental record. This ensures that you have a complete picture for subsequent treatment decisions, and that other dentists who later treat the patient and must rely on these records have it as well.
Finally, I believe it is advisable to set up an auto-reply on your system so that patients know you may not respond to their message immediately, and so that a patient who believes he or she is experiencing an emergency is told to go to an emergency room without delay.