Digital Risk Management — General Principles
Technology introduces special concerns and risks with regard to medical malpractice and risk management.
The ethical guidelines and professional etiquette that govern and guide traditional treatment and communications between the healthcare provider and patient are equally applicable to e-mail, websites, social media, and other electronic services and communications. However, this technology introduces special concerns and risks as follows:
Confidentiality. The healthcare clinician is responsible for protecting patient privacy and guarding against unauthorized access to and/or use of patient healthcare information. This responsibility extends to the use of network services that have an appropriate level of privacy and security as required under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Following are key considerations:
- Privacy and Security. Online communications between healthcare clinicians and patients should be conducted over a secure network, with provisions for privacy and security, including encryption, in accordance with HIPAA. Standard e-mail services do not meet the requirements under HIPAA.
Note: With respect to e-mail specifically, clinicians are encouraged to add a disclosure to the bottom of their standard, nonsecure e-mail service stating that “this e-mail is not secure and is not for use by patients or for healthcare purposes in general.”
Authentication. Healthcare clinicians have responsibility for taking reasonable steps to authenticate the identity of correspondent(s) in electronic communication and to ensure that recipients of information are authorized to receive it. Authentication of the patient or an authorized patient proxy (e.g., parent of a minor, authorized family member) for patient-provider online communication including the delivery of patient data is important in order to ensure patient privacy and confidentiality. Clinicians are encouraged to follow these suggestions for patient authentication:
- Have a written patient authentication protocol for all practice personnel, and require them to understand and adhere to it.
- Establish minimum standards for patient authentication when a patient is new to a practice or not well known.
- Keep an electronic or paper record of each patient authenticated for online communication or data exchange. The record should include the following:
  - Name of the patient.
  - Date of authentication.
  - Name of practice staff authenticating the patient.
  - Means used to authenticate the patient.
Providers should not offer, promote, or encourage patients to participate in online healthcare services where patient authentication is not addressed.
Unauthorized Access to Computers. Unauthorized physical access to computers can compromise patient information. Practices should establish procedures, using technologies such as automatic logout and password protection, to guard against unauthorized access to computers.
Informed Consent. Prior to the initiation of online communication between healthcare clinician and patient, informed consent should be obtained regarding the appropriate use and limitations of this form of communication. Clinicians should develop written protocols for online communications, such as avoiding emergency use, heightened consideration of use for sensitive medical topics, and setting expectations for response times. Clinicians should also exercise discretion when selecting patients for the use of online services to ensure that they are capable of electronic communication and will be compliant. These guidelines should be documented in the clinician’s practice policy manuals.
Clinician-Patient Relationship. Healthcare clinicians may increase their liability exposure by communicating with and treating patients online. More and more online products are offered to patients who want to have video access to a doctor 24 hours a day. Doctors who work for these types of online health services should make sure they follow state law and company protocols regarding the types of patients that can be treated, patient referrals, and whether patients who reside in another state can be treated via this type of online service.
Licensing Jurisdiction. Online interactions between a healthcare clinician and a patient are subject to requirements of state licensure. Communications online with a patient, outside of the state in which the clinician holds a license, may subject the clinician to increased risk. For example, pathologists, radiologists, and other clinicians interpreting specimens, slides, or images sent through interstate commerce for a primary diagnosis that becomes part of the patient’s medical record should have a license to practice medicine in the state in which the patient presents for diagnosis or where the specimen is taken or the image is made. Intraspecialty consultation generally does not require in-state licensure, provided the consultation is requested by a physician licensed within the state and is referenced in a report he or she issues. Physicians are advised to check with their state’s medical board to determine their licensure requirements.
Sensitive Subject Matter. Clinicians should advise patients of the risk that information the patient may consider sensitive, such as information on mental health, substance abuse, reproductive history, sexually transmitted diseases, drug and alcohol problems, genetic disorders, and HIV status, might be inadvertently accessed by someone not authorized to see it. Some states have laws about special classes of health information, such as HIV or mental health. Clinicians should follow state law in obtaining approval from the patient to exchange those classes of information. Some states may prohibit electronic transfer of specific classes of information regardless of patient consent.
Patient Education and Care Management. Healthcare clinicians are responsible for the information that they make available to their patients online. Information that is provided to patients through automated patient education programs, care management, and other online services should come either directly from the healthcare clinician or from a recognized, credible, and authoritative source.
Emergency Subject Matter. Clinicians should discourage use of online communication to address medical emergencies, such as chest pain, shortness of breath, high fever, physical trauma, or bleeding during pregnancy. Instruct patients to call the office or go to an emergency department for emergency issues. Physicians should consider including a disclaimer on webpages and e-mails reminding patients that emergency subject matter is not appropriate for electronic communication.
Medical Records. A permanent record of online communications relevant to the ongoing medical care of the patient should be maintained as part of the patient’s medical record, whether that record is paper or electronic. Accurate and thorough documentation is effective risk management and integral to communicating the treatment plan to all members of the care team.
Physicians and patients should be aware that e-mail and online information, including personal health records and consultations, are not erased from a computer’s hard drive when deleted and are discoverable in litigation. Therefore, all communicated information should be accurate and professional.
Practice Website Considerations
- Authoritative Information. Healthcare clinicians are responsible for the information they make available to their patients online. Information that is provided on a medical practice website or provided to a patient via secure e-mail or other online services should come either directly from the healthcare clinician or from a recognized and credible source.
- Commercial Information. Websites and online communications of an advertising, promotional, or marketing nature may unrealistically raise patient expectations and subject clinicians to increased liability. Liability risks include implicit guarantees or implied warranty and potential violation of consumer protection laws designed to guard against deceptive business practices. This is particularly true when cosmetic procedures, off-label drug use, and non-FDA-approved procedures are promoted.
- Links to Third-Party Websites and Other Sources of Information. Clinicians are encouraged to post a disclaimer page between their website and any link to a third-party website or other source of information. The page should advise patients and other visitors that they are leaving the clinician practice website and that the clinician and the practice do not assume any responsibility for the content or the privacy of other websites linked to the practice website.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.