Electronic communication can provide a useful alternative point of access for patients. However, you should make sure that, if sensitive information needs to be sent electronically, safeguards are in place to avoid breaching patient confidentiality. This factsheet sets out the potential risks of electronic communication.
Keeping patient information secure
Data relating to an identifiable individual should be held securely. In accordance with the Medical Council’s A Guide to Professional Conduct and Ethics for Registered Medical Practitioners (2009), all doctors have a responsibility to ensure that any data about patients is kept secure (section 23.1). Doctors should also make sure that, if sensitive information needs to be sent electronically, safeguards are in place to avoid breaching patient confidentiality.
Use of email
Email is a useful way for patients to communicate with the practice.
Safeguards are required in order to preserve patient confidentiality. Unless messages are encrypted, patients should be aware that their messages could potentially be read by someone else.
Only appropriate matters should be dealt with via email exchanges, eg, appointment scheduling, ordering repeat prescriptions and obtaining test results. A standard protocol for email exchanges could prevent emails from patients asking for more complex information about medical symptoms or their proposed treatment, which would be difficult for the practice to respond to quickly and appropriately.
It is important to ensure that all emails to and from the patient are included as part of the patient’s medical record.
The Health Information and Quality Authority’s (HIQA) General Practice Messaging Standard (2011) aims to increase the reliability and safety of sharing patient information by electronic means.
It is important to:
- Ensure that there are appropriate levels of encryption.
- Liaise with your IT provider to ensure that appropriate safeguards are in place and information on the clinical system remains secure.
- Have an automated response indicating that the email has been received, when the patient should expect to receive a reply and a recommendation that they should contact the practice directly if the matter is urgent.
- Monitor email enquiries at regular intervals and ensure that they are promptly brought to the attention of the relevant person.
- Respond in a professional manner and, in particular, avoid “textspeak”.
- Ensure that there is a mechanism in place to deal with enquiries that arrive whilst you are on leave or away from the practice.
- Ensure any email communication is sent from a secure practice email address and not from your personal email address.
It is important not to:
- Forget that email exchanges are an important part of a patient’s medical records.
- Underestimate the amount of work that is likely to be involved in both setting up and maintaining such a system.
- Forget that many of the subtleties of communication in face-to-face or telephone consultations, including non-verbal cues, are lost when communicating by email.
- Use email to respond to complicated or difficult problems.
- Forget to set aside some time in the working day to respond to email enquiries.
- Forget to have robust procedures in place to follow up any matters that arise from an email exchange.
Use of fax
MPS has dealt with a number of cases where information has been picked up by the wrong person, often because of misdialling or out-of-date fax numbers, or even where the fax has not been received. This can mean that patient confidentiality is breached and treatment is delayed because of the time that elapses before the information reaches the correct person.
Doctors are advised to:
- Only use fax machines to send sensitive data if it is absolutely necessary to do so, eg, for urgent referrals, and when no other means of requesting the referral is available.
- Ensure any fax machines are only accessible to authorised staff, and are placed in a secure location.
- Check with the intended recipient before sending that incoming faxes are only picked up by authorised staff, and ask them to confirm when the fax has been received.
- Ensure confidential faxes are not left lying around by the recipient.
- Use pre-programmed fax numbers wherever possible rather than hand-dialled numbers, to avoid the risk of misdialling a number when sending sensitive information.
- Send a cover sheet along with the fax, containing a confidentiality statement.
- Send only the minimum amount of personal information necessary by fax and, where possible, anonymise it or use a unique identifier.