• E-mailer Beware: Texas Doctors Who Use E-mail Must Maintain Certain Policies and Procedures
  • February 4, 2011 | Author: Jeffery P. Drummond
  • Law Firm: Jackson Walker L.L.P. - Dallas Office
    While most businesses and industries have adopted electronic mail as a standard means of communication, this is not the case for many physicians. Although physicians and other health care providers may use e-mail to communicate internally within a hospital or physician practice, most physicians do not communicate with their patients via e-mail. However, Texas physicians who are beginning to use e-mail to communicate with patients should be aware of the various rules and regulations associated with this activity, including the Health Insurance Portability and Accountability Act and its regulations ("HIPAA") and the telemedicine rules adopted by the Texas legislature.

    As stated above, physicians have not traditionally used e-mail as a method of communicating with their patients; however, some physicians have ventured out into the high-tech arena and are using practice websites, social media sites such as Facebook and Twitter, and other internet tools to market their practices and to communicate with prospective and current patients. Physicians who practice via telemedicine, which by definition involves a physician in one location conducting the evaluation, diagnosis, consultation and treatment of a patient in a different location via advanced telecommunication technology, are more likely to use e-mail to communicate with their patients.

    Some physicians do allow e-mail access to patients, but usually only if the patient understands and consents to the privacy and security risks involved in using e-mail. Other physicians may use e-mail, text messages, or other electronic communications for appointment reminders and other communications that do not involve the disclosure of substantial amounts of health information; however, even limited information such as that found in an appointment reminder contains protected health information ("PHI") for HIPAA purposes.

    Most physicians are at least aware of, if not in substantial compliance with, the privacy and security requirements of HIPAA. These include the requirement to adopt safeguards to protect the confidentiality and security of PHI, including PHI in electronic format, which protections may include encryption. Physicians who e-mail PHI should seriously consider the use of some sort of encryption technology, particularly if the PHI will be traveling beyond a firewall or outside of a secure network.

    Texas physicians should also be aware of Rule 174.9 of the Texas Medical Board, which requires physicians to maintain written policies and procedures if they use electronic mail for patient-physician communications. Specifically, the policies and procedures should address (i) privacy, so as to ensure confidentiality and integrity of patient-identifying information; (ii) the health care personnel, in addition to the physician, who will process messages; (iii) the hours of operation and availability; (iv) the types of transactions that will be permitted to be conducted via e-mail; (v) required patient information to be included in the e-mail communication, such as patient name, ID number and type of transaction; (vi) e-mail archiving and retrieval issues; and (vii) quality oversight mechanisms.

    In addition to the adoption of the policies and procedures (which must be periodically evaluated and updated), all patient e-mails and other patient-related electronic communications must be stored and filed in the patient's medical record; presumably, this would involve printing and storing if an electronic medical record is not in use. Finally, patients must be informed of alternative means of communication in case of emergency or urgent situations.

    The Rule is in the "Telemedicine" chapter of the Texas Administrative Code, so many physicians who do not regularly practice telemedicine are likely unaware of it. The Texas Medical Board has recently indicated that all physicians using e-mail to communicate with patients would be advised to follow Rule 174.9. When adopting policies and procedures in connection with e-mail communications, physicians should make sure those policies and procedures coordinate with the physician's general HIPAA privacy and security policies and procedures. In fact, given the overlap between the HIPAA security rule provisions regarding encryption and Rule 174.9, these policies and procedures should probably be incorporated into the practice's HIPAA policies and procedures.