Liability for electronic medical communications

By John W. Jones, Jr., Esq.

Although the majority of physicians still rely on telephone or paper correspondence to communicate with patients, physicians are becoming more comfortable with the use of e-mail in the practice of medicine. Those physicians who have integrated e-mail in their practices are employing it to perform a variety of functions, including anything from enhancing patient education to improving adherence to treatment plans. Although e-mail communication provides a direct and expedited means of communicating with physicians, it presents various pitfalls to physicians because it presently offers less security and confidentiality than other forms of communication.

The ability to transmit and forward messages to thousands of users, the ease with which a message can be mistakenly transmitted to an unintended recipient, and risk of unauthorized disclosure are features of electronic messaging systems which can expose a physician to liability. Some of the legal and ethical issues presented by electronic medical communications include patient confidentiality, security and privacy, informed consent, standard of care and malpractice, medical records and licensing. Unique issues also arise out of physician maintained web sites.

Patient Confidentiality

Physicians have long had an ethical and legal duty to protect the confidentiality of patient communications and information. In Pennsylvania, for example, it constitutes unprofessional and immoral conduct for a physician to reveal personally identifiable facts of a patient obtained as a result of the physician-patient relationship, unless the patient has consented to the disclosure or the disclosure is otherwise authorized or required by statute. This confidentiality standard applies irrespective of the form in which the confidential information is transmitted. Therefore, a physician who communicates with her patients through e-mail (the contents of which contain personally identifiable facts of the patient) has a duty to protect those communications from disclosure absent patient consent or some statutory authority or mandate.

Accordingly, physicians should take precautions to secure electronically transmitted patient-related information including, at a minimum, developing an office policy regarding the confidentiality of such information, obtaining the patient’s written consent prior to the release of any electronic patient communication to a third party, maintaining a confidentiality notice on any patient e-mail communication and educating office staff and patients on the appropriate uses of e-mail communications.

Security and Privacy

E-mail communication between physicians and patients presents significant security and privacy concerns. If a physician is going to maintain an e-mail account, the physician must ensure that any individually identifiable patient information transmitted electronically is secure from third party interception. This becomes especially important where the physician maintains an Internet e-mail account which can be monitored and accessed by the Internet service provider. Inadequate protections can lead to unauthorized use and disclosure, which can result in liability to the physician for, among other things, invasion of privacy and breach of confidentiality.

Although the federal Electronic Communications Privacy Act of 1986 (ECPA) imposes civil and criminal penalties for the unlawful interception of digital communications such as e-mail, it provides physicians little, if any, comfort since ECPA cannot prevent the dissemination of such information once the interception has occurred. Additionally, when the e-mail communication becomes part of the medical record, it arguably loses the protections afforded by ECPA and is controlled by state privacy and confidentiality statutes.

Accordingly, physicians should take steps to secure electronically transmitted patient information from unauthorized disclosure and interception, including establishing policies and safeguards governing the gathering, storing, use and disclosure of identifiable patient information. Physicians should also consider implementing enhanced systems technology, such as encryption software which can scramble messages until received by the patient and guarantee the authenticity and integrity of such messages.

Further, physicians should determine when and under what circumstances their practices may be governed by the medical records privacy and security standards proposed by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996. The proposed regulations would preempt less stringent state medical privacy laws as well as impose significant civil monetary and criminal penalties against certain health care providers, including physicians for their failure to protect, under certain circumstances, individually identifiable electronic health information.

Informed Consent

Informed consent for surgical and certain other procedures is a well established legal doctrine. Under Pennsylvania law, a physician is required to obtain full, knowing and voluntary informed consent from a patient for certain nonemergency procedures, including surgery. The purpose of informed consent is to permit patients to participate fully in the medical decision-making process. Informed consent results where the physician gives the patient a description of the procedure and the risks, benefits and alternatives that a reasonably prudent patient would need to consider in making an informed decision as to whether or not to undergo the procedure.

Although no Pennsylvania law has been proposed for e-mail consent, given the potential exposure of liability to physicians for unauthorized disclosure, invasion of privacy, breach of confidentiality and the like, physicians should engage patients in a similar dialogue about the risks and benefits inherent in the use of electronic medical communications and available alternatives. Specifically, physicians should discuss with their patients the scope of foreseeable uses of e-mail and the potential privacy implications.

For example, the patient should understand the topics that will be covered by e-mail; the physician’s usual response time; when and under what circumstances e-mail communications should or should not be used (e.g., nonemergency situations); whether e-mail will be stored in the patient’s medical record and, consequently, viewed by third parties; who, if anyone, can access the physician’s e-mail account; and security measures such as passwords that are in place.

Once the physician has advised the patient of the risks and benefits inherent in the use of e-mail and available alternatives, then the patient can make an informed decision as to whether or not to use it as a mode of communication with the physician. The physician should then fully document and maintain the patient’s decision in the medical record or on a separate e-mail consent form.

Standard of Care and Malpractice

Although patient consent will likely deter some litigation with respect to electronic medical communications, malpractice actions are sure to arise out of issues of standard of care. Generally, a physician owes a duty of care to a patient through the existence of a physician-patient relationship. Given that some jurisdictions have recently found the existence of a physician-patient relationship where a physician communicates with a patient solely by telephone, it is not difficult to foresee courts concluding that such a relationship is formed by e-mail as well. Courts will then be left to grapple with the issue of which community standard applies (if the physician and patient are not located in the same geographic area) or whether a national standard should be adopted if the physician is practicing nationwide.

Jurisdictional issues such as where the suit may be filed and which state law applies if the e-mail communication is across state boundaries will need to be addressed as well. Physicians should also consider whether their malpractice carriers will cover actions that arise out of electronic medical communications, especially for unlicensed activities.

Medical Records

Generally, any document or communication related to the care or treatment of the patient becomes part of the patient’s medical record. Under Pennsylvania law, a physician must maintain medical records for patients which contain, among other things, clinical information and medical treatment pertaining to the patient. Typically, this includes information related to the patient’s personal history, diagnoses and treatment regimen. Traditionally, this information is produced by the physician as part of a face-to-face encounter with medically relevant conclusions drawn from the physician’s observations.

E-mail communications between a physician and patient, however, provide an unfiltered transcript of the physician-patient encounter, which may include not only clinical information about the patient but also non-clinical personal information which the patient may not want revealed to a third party such as an insurer. Accordingly, physicians should educate patients on the appropriate uses of e-mail and take steps to protect both clinical and non-clinical patient information. Additionally, since the e-mail communications will be considered medical records, they should of course be retained in accordance with state law by either printing them out and preserving them in paper form or electronically archiving the communications.

If the physician maintains patient records in electronic form, the American Medical Association (AMA) recommends that additional safeguards be implemented when using, storing or disclosing such information. Specifically, the AMA suggests, among other things, that only authorized personnel be permitted to enter confidential medical information into the computer-based patient record, that stringent security procedures be in place to prevent unauthorized access and that patient identifiers be omitted when disclosing patient records to certain third parties such as peer-review organizations.

Licensing

Before a physician engages in electronic medical communications with patients across state boundaries, the physician needs to be aware of the licensing requirements of the states in which the physician’s practice extends. Generally, most states interpret their licensure statutes to require full and unrestricted licenses for the practice of medicine across state lines. The practice of medicine generally includes the diagnosis and treatment of a patient. Thus, where a physician communicates electronically with a patient across state lines (the contents of which indicate a diagnosis or treatment of the patient), the physician has arguably practiced medicine in such state which could require separate licensure.

Although many states, including Pennsylvania, have adopted a consultation exception to their licensing laws, which would permit a physician who has an unlimited license to practice medicine in one state to provide consultations in a different state, such an exception has no application to a primary care physician whose practice extends into another state. It remains to be seen whether the border state exception (which authorizes a physician to practice in the adjoining state in which her practice extends) will be recognized by state licensing boards to permit electronic medical communications among physicians and patients across state lines.

Accordingly, given the potential liability and licensure sanction which can result from the unauthorized practice of medicine, physicians would be well advised to check each state’s licensing laws (as applicable) before providing electronic medical communications in such states and conform their practices accordingly.

Web Sites

Physician-maintained web sites provide medically related information to consumers, but also serve to advertise and provide electronic linkages (known as “hyperlinks”) to other sites. In addition to the issues discussed above, the maintenance of medically related web sites raises a host of other concerns, including ethical and legal obligations governing marketing practices, and potential civil and criminal liability for misrepresentation, fraud, antitrust and violations of the anti-fraud and abuse and anti-referral laws. Accordingly, physicians need to consider these issues before maintaining a web site and implement appropriate safeguards to insulate their practices from potential liability.

Technology is fundamentally transforming the practice of medicine. The emergence of e-mail communication in the delivery of patient care, although offering significant benefits, presents new legal and ethical challenges to physicians. If physicians are going to integrate electronic messaging systems into their practices, they need to be aware of the unique issues pertaining to such systems, inform patients of the relevant confidentiality, security and privacy issues presented by electronic medical communications and adopt appropriate policies, procedures and safeguards to meet the obligations associated with the use of such technology.

John W. Jones, Jr., Esq., is a member of the Health Law Department at Schnader Harrison Segal & Lewis LLP in Philadelphia, PA.