Healthcare Law, Litigation & Public Policy   Medical Licensure & Discipline ♦ Employment Board of Registration

The content of this page is copyrighted as it is original content produced by the lawyers at Reardon Law Office LLC (formerly Hassan & Reardon P.C.) in Boston.  Please contact us if you would like to use any of this material.

Many of us cannot imagine life without email; others of us dream of a life that does not include an electronic In-box.  Regardless of our personal preferences, email has pervaded the workplace.  Employers and employees rely on email to communicate with both colleagues and clients. 

          Today, even healthcare providers are in contact with their patients via email. Many patients have access to the internet and prefer to communicate electronically. Email offers a convenient, efficient way for patients to contact their healthcare providers.  Due to an increase in patient demand for electronic correspondence, many physicians are now offering medical advice over the internet.  Despite the convenience and popularity of email, there are many legal implications associated with the transmission of medical information over the internet. 

Doctor-patient email correspondence creates two primary legal concerns: (1) protecting the privacy rights of patients and (2) medical malpractice.

The Health Insurance Portability and Accountability Act (“HIPAA”) regulates the electronic transmittal of protected health information (“PHI”).  An impetus behind HIPAA’s enactment was the protection of patient’s privacy rights. HIPAA requires providers to obtain patient authorization or consent in many instances involving PHI. HIPAA, however, does not require a patient authorization or consent form for the transmission of PHI if the covered entity is using the information in connection with treatment, payment or healthcare operations.  45 C.F.R. §164.502 (2003).  Most healthcare providers use doctor-patient emails for treatment or billing purposes.  Thus the provider need not obtain an authorization or consent under HIPAA.

To safeguard again potential privacy violations and even medical malpractice claims, a patient’s informed consent, although not required, should be obtained.  Under HIPAA, a consent form may be more generalized and less formal than an authorization.  The form is a method for the covered entity to obtain the individual’s permission but also to inform the individual about the entity’s email policy.  The consent form acts as an agreement between the parties as to the permissible uses of electronic communications. 

          A patient email consent form should contain specific language regarding: (1) turnaround time; (2) privacy; and (3) permissible transactions and content.

          With regard to turnaround time, it is important for patients to be aware of the typical response time, especially in exigent situations.  Healthcare providers may want to utilize an Automatic Reply option.  This option instantly sends a message to incoming patient e-mail that indicates a specific time period in which the patient should expect a response and also gives a number to call in case of an emergency.  The listing of business hours in the consent form or in the Automatic Reply may also help to create reasonable expectations for turnaround time.

          With regard to privacy concerns, the patient consent form should specify what employees of the healthcare provider will have access to patient emails. Will only the physician view patient emails or will nurses and office staff have access to the correspondence? Patients should know who is viewing the emails in advance.  In addition, to protect the privacy of patients and to prevent against unintended disclosures, the email should contain a Header that reads: “Confidential Communication” or “For Intended Recipient Only.”  An Archive option should also be utilized to allow for all doctor-patient emails to be saved.  These messages should be printed out and posted to the patient’s file.  Any correspondence between doctor and patient should become part of the patient’s permanent medical record.

The healthcare provider may specify topics that are appropriate for electornic communications.  Examples are refills, medical advice, test results, release of records.  The transmission of highly sensitive information, such as HIV test results, may not be appropriate for electronic transmission and the cost of an erroneous transmission of such information may be high.

Under HIPAA, a covered entity must mitigate, to the extent practical, any known harmful effect from an improper use or disclosure of PHI.  45 C.F.R. §164.530(f). Accordingly, A consent form should include an Indemnity Clause: a disclaimer that limits the covered entity’s liability for system failures beyond its control (for example: system malfunctioning; computer viruses, etc).  

          Many medical malpractice claims are a result of communication errors between a physician and patient. A physician must be sure to have the same level of clinical information they would require in person or over the phone prior to dispensing advice.  If the provider is unclear about the appropriate advice as a result of not having any personal contact, they should have the patient follow a more traditional means of obtaining clinical advice.         

          Email is a less formal, more spontaneous method of communication than other traditional methods.  A healthcare provider should be aware of the presentation, tone and content of emails because unlike telephone conversations, email messages are easily preserved and available for production. 

          No case law yet exists that deals with medical malpractice claims based on email correspondence.  It is only a matter of time, however, and healthcare providers should take steps to safeguard against potential claims of liability based on electronic communications.

Contacting Patients Via E-Mail

by Attorney Frank E. Reardon

September 2003