Electronic communication can provide a useful alternative point of access for patients. However, if sensitive information needs to be sent electronically, you should ensure that safeguards are in place to avoid breaching patient confidentiality. This factsheet sets out the potential risks of electronic communication.
Keeping patient information secure
Data relating to an identifiable individual should be held securely, in accordance with the Data Protection Act 1998 and GMC guidance on confidentiality. You have a responsibility to keep patient information secure and protected against improper disclosure at all times. The Information Commissioner can impose a Civil Monetary Penalty up to a maximum of £500,000 if data controllers seriously contravene the Data Protection Act in a deliberate or reckless way, or of a kind likely to cause substantial distress or damages to an individual.
Use of email
Email is an attractive way for patients to communicate with the practice, and the demand for such a service will undoubtedly increase over time. Safeguards are required in order to preserve patient confidentiality. Unless messages are encrypted, patients should be aware that their messages could potentially be read by someone else.
Only appropriate matters should be dealt with via email exchanges, eg, appointment scheduling, ordering repeat prescriptions and obtaining test results. A standard protocol for email exchanges could prevent emails from patients asking for more complex information about medical symptoms or their proposed treatment, which would be difficult for the practice to respond to quickly and appropriately. It is important to ensure that all emails to and from the patient are included as part of the patient’s medical record.
It is a good idea to:
- Ensure that there are appropriate levels of encryption.
- Liaise with your IT provider to ensure that appropriate safeguards are in place and information on the clinical system remains secure.
- Have an automated response indicating that the email has been received, when the patient should expect to receive a reply and a recommendation that they should contact the practice directly if the matter is urgent.
- Monitor email enquiries at regular intervals and ensure that they are promptly brought to the attention of the relevant person.
- Respond in a professional manner and, in particular, avoid “textspeak”.
- Ensure that there is a mechanism in place to deal with enquiries that arrive whilst you are on leave or away from the practice.
- Ensure that email communication is sent from a secure NHS email address and not from a private email service provider.
It is important not to:
- Forget that email exchanges are an important part of a patient’s medical records.
- Underestimate the amount of work that is likely to be involved in both setting up and maintaining such a system.
- Forget that many of the subtleties of communication, including non-verbal cues, are lost when communicating by email.
- Use email to respond to complicated or difficult problems.
- Forget to set aside some time in the working day to respond to email enquiries.
- Forget to have robust procedures in place to follow up any matters that arise from an email exchange.
MPS has dealt with a number of cases where information has been picked up by the wrong person, often because of misdialling or out-of-date fax numbers. This can mean that patient confidentiality is breached and treatment is delayed because of the time that elapses before the information reaches the correct person.
Doctors are advised to:
- Only use fax machines to send sensitive data if it is absolutely necessary to do so. For example, to send an urgent referral or when no other means of requesting the referral is available.
- Ensure any fax machines are only accessible to authorised staff, and are placed in a secure location.
- Check with the intended recipient before sending that incoming faxes are only picked up by authorised staff, and ask them to confirm when it has been received.
- Ensure confidential faxes are not left lying around by the recipient.
- Use pre-programmed fax numbers wherever possible, rather than hand-dialled numbers, to avoid the risk of misdialling a number when sending sensitive information.
- Send a cover sheet along with the fax, containing a confidentiality statement.
- Send only the minimum amount of personal information necessary by fax and, where possible, anonymise it or use a unique identifier.
The GMC states in Good Medical Practice (2013), paragraph 32:
"You must give patients the information they want or need to know in a way they can understand. You should make sure that arrangements are made, wherever possible, to meet patients' language and communication needs."