Email is one of the most prevalent and convenient forms of communication. GPs and general practices often receive requests from patients, other clinicians and third parties to send health information via email.
As all health information is sensitive by nature, all communication of health information, including via electronic means, must adequately protect the patient’s privacy. GPs, patients, and other healthcare providers may not always appreciate the risks associated with using standard unencrypted emails in the healthcare environment.
With the increasing use of Virtual Fax/eFax services, where faxes are delivered via email, faxes are considered no more secure, and in some cases even less secure, than simply sending an email directly.
RACGP Guidelines and the Privacy Act 1988 do not specifically prescribe how healthcare organisations should communicate health information; however, they do state that reasonable steps must be taken to protect the information transmitted and the privacy of the patient.
First and foremost, sending or sharing patient health information with other health professionals and organisations should always be done via secure messaging (e.g., Medical Objects) wherever possible, as this ensures communications are properly encrypted and received by the intended recipient within the secure messaging network.
If the risks are adequately considered and practices maintain a policy on how to handle fax and email communications, GPs and general practices may move to using email for communications where faxing is currently used. This means that private health information may be emailed without additionally encrypting attachments. Those wishing to encrypt attachments may do so in order to further reduce the risk of a privacy breach. NOYTECH can provide a guide for properly encrypting attachments – please contact us to request it.
Understanding the Risks
- Unintended Recipient – Although email clients/applications typically communicate securely with their mail server, emails (and faxes) can still end up in the wrong hands.
Consider sending an email/fax to the wrong address, to a generic address accessed by multiple people, or to an address that is accessed on multiple devices including mobile phones. Should a colleague or family member see confidential information before the intended recipient, the patient’s privacy has been breached.
- Prior Written Consent – Where health information must be emailed to a patient, obtaining and recording prior written consent from the patient may be sufficient to minimise the risk of emails being intercepted. See the template below for ‘Obtaining Written Consent.’
- Notifiable Data Breach – Confidential health information that is emailed, faxed, or otherwise delivered to an unintended recipient, intercepted by any means, or obtained/shared maliciously via a cyber attack or by disgruntled staff may be considered a Notifiable Data Breach under the scheme administered by the OAIC (Office of the Australian Information Commissioner). Failure to properly assess and remediate a breach may incur significant fines for the individuals and organisation involved. Minor breaches, where the shared information is quickly contained and serious harm to the patient is unlikely, may not need to be reported to the OAIC; however, they still require review.
Practice Policy on how Patient Information is sent Electronically
Your policy should cover:
- How patient-related and other confidential information is sent electronically between healthcare providers.
E.g., Use of secure messaging providers such as Medical Objects.
- Your practice’s approach to using email to communicate patient-related and other confidential information between healthcare providers and patients.
E.g., Obtaining prior written consent from the Patient.
- The maintenance of your website to ensure information is current and correct.
I.e., Practice Policy on sending/sharing patient health information is publicly accessible and maintained.
- Who in your practice team is responsible for managing consent and the sending of patient health information.
- How often your practice team is trained on, and reviewed for their understanding of, the policy, the risks of data breaches and how to minimise them.
Obtaining Written Consent (Example)
Before emailing the patient to obtain written consent, first verify their identity and ensure they are expecting the email. Optionally, use a service such as PleaseSign to obtain a signed consent.
Dear [Patient Name],
Please understand that emails may be intercepted if your email address is not properly protected with a secure password, or is accessible on multiple devices or by other individuals. Some viruses may also enable an attacker to access your devices, so your devices should be properly protected. By providing consent for your private health information to be emailed, you understand this risk.
Should you not feel comfortable allowing your private health information to be emailed to you, please do not reply, and instead call or make an appointment to obtain the necessary information in person.
If you understand and accept the potential risks, please reply stating that you agree to receive your private health information via email. Your consent will be kept on file for future communications.
Last Updated: 24/03/2021