Medical E-Mail

Lawful E-Medical Communications by Physicians

JONATHAN BICK, JD, LLM is of counsel to Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is the author of 101 Things You Need To Know about Internet Law, which was published by Random House in 2000.

Banks and retail firms have proven that Internet technology can both greatly reduce errors and increase productivity. Physicians are learning this lesson, too. However, unlike the banking and retail industries, which have successfully mastered using the Internet while complying with legal standards for privacy, many physicians have not.

This deficiency may prove costly to those physicians who fail to comply. The reason is simple. E-mails are files for Health Insurance Portability and Accountability Act (HIPAA) purposes. Most physicians have a HIPAA-related legal obligation to implement reasonable e-mail procedures. Those failing to do so face fines.

Today, many patient-physician e-mails contain material that exposes physicians to legal difficulties. To use e-mail communications lawfully, physicians must consider how to comply with special e-medical privacy matters. Otherwise, in addition to HIPAA-related sanctions, physicians will face such causes of action as breach of confidentiality, invasion of privacy, breach of contract, and breach of fiduciary relationship, if they are considered to have unreasonably publicized medical information.

Physicians have found that medical errors can be reduced when the Internet is used to send electronic medical records and information. It has been shown that the Internet can improve the speed and accuracy of transmission of patient medical data. While physicians continue to rely on personal and telephone contacts to practice medicine, they are increasingly using e-mail to communicate with patients, insurers, and colleagues.

Physicians who use e-mail must comply with federal and state statutes that set forth both direct and indirect e-mail limitations. While, for the most part, state constitutional provisions protect against governmental intrusion into an individual's privacy, specific state statutes do provide for individuals to take legal action against other-than-governmental intrusion. For example, the HIPAA Data Transaction Rule poses both direct and indirect limitations on a physician's use of the Internet. Similarly, the Privacy Act of 1974 (5 U.S.C. 552a [1998]) and the Freedom of Information Act (FOIA; codified at 5 U.S.C. 552 [1998]) limit e-mail use by physicians, as well. In particular, these statutes do so by detailing protection requirements for medical records at Medicare and Medicaid programs maintained by a federal agency, insurance companies acting as intermediaries for the Medicare program, and hospitals maintaining medical records under a government agency contract.

State statutes also limit physicians' e-mail use. Consider N.Y. Civil Rights Law 50-52 (McKinney 1998), which protects various individual privacy rights and provides private rights of action, all of which restrict a physician's e-mail use. Another example is N.Y. Pub. Health Law 280S-c(S)(f) (McKinney 1998), which provides for the confidentiality of hospital patients' medical records when e-mails are used.

The content of an e-mail sent from a physician to a patient passes through many third-party computers before it is received by the patient. Each of these third-party computers stores a copy of the e-mail message. These messages may be readily retrieved by unauthorized third parties unless the physician prevents this from happening. Physicians have a legal obligation to take affirmative action to prevent such unauthorized access. As detailed below, such action is easily described and is generally not costly to implement.

The American Medical Informatics Association established guidelines for physician-patient interaction via e-mail in 1998.¹ These guidelines address proper protocol for physicians to follow in e-mail communication with patients.

It is recommended that physicians do not use e-mail for urgent matters and that they obtain informed consent from their patients before using e-mail to communicate with them. Physicians should not forward patient-identifiable information to third parties without patient permission. The guidelines also suggest keeping a backup of all e-mail communications.

In New Jersey, as in most states, the scope of "medical records" includes all records kept in the usual course of the practice of the health care provider. It is, therefore, necessary that any document uniquely concerned with a patient's care become a part of a patient's permanent medical record in order to prevent legal difficulties. Thus, physicians should take steps to integrate e-mail communications between patients and providers into their record-keeping process.

Physicians with electronic patient files can simply send a copy of the patient e-mail to the electronic file at the same time that it is sent to the patient. Physicians who use traditional filing systems can comply with this legal requirement by having all physician e-mails automatically printed and placed within the patients' files.

Failure to document such e-mail communications can lead to serious injury and malpractice claims. A failure to preserve e-mail-related medical records information might constitute malpractice if a patient is injured by a health care practitioner's actions that result from erroneous assumptions about the patient's medical record.

Informed consent for release of medical information likewise has become a standard feature of modern medical practice. The use of e-mail for communications of medical matters between a physician and a patient should be integrated into such signed releases. In order to further insulate physicians from privacy-related tort suits, physicians should tell the patient how e-mails are handled in both their offices and the hospitals. This information should include who generally has access to the records, and how hard or easy it is for others to obtain the information found in them.

Currently, physicians are using e-mail to maintain and disseminate patient information. To do this, physicians are using e-mail to send electronic medical records that contain all the data normally found on paper medical charts. Because they are in electronic form, both authorized and unauthorized users can gain access to the data through an Internet connection, particularly when these e-mails are lodged at portals (i.e., special Internet sites for hospital employees or clinicians who practice at a particular health care facility).

On the positive side, this use of e-mail allows additional checks of patients' records for prescriptions to verify that the drug selected is appropriate for the patient. On the negative side, this use of e-mail results in electronic patient records that give rise to novel legal problems concerning the conservancy, privacy, and confidentiality of those records.

Lodged in physicians' use of e-mail is the potential for unlawfully mishandling patient data, in particular, the abuse of personal information in a deceptive and/or misleading fashion. Such mishandling of patient data can give rise to remedial proceedings under most state consumer-protection laws. For instance, New Jersey could take action against health care providers who have shared personal medical data with third parties, such as private practice medical groups, without disclosure to, or the consent from, their patients. This would be a violation of state consumer-protection laws.

The increased use of e-mail by the general population and the lack of any specific prohibition against Internet communications by physicians have resulted in an increase in virtual-bedside medical communications. To protect physicians against legal difficulties associated with this trend, health care providers should examine all the legal facets of Internet patient-physician communications and electronic data storage.

Physician associations should consider providing education initiatives for their members about medical record privacy and health information security that explicitly address Internet patient-centered communication with health care professionals. They might also provide physicians with legally appropriate guidelines for Internet communication systems and the preservation of patient-physician relationships.

Practice guidelines prepared by health care provider associations have traditionally been recognized by the courts as a standard by which health care providers' actions have been judged. The conservancy, privacy, and confidentiality of electronic medical records are no exception.

Physician associations might suggest that all health care provider e-mails be copied to a patient's electronic file to address laws concerned with conservancy issues. They might suggest that e-mail from health care providers be sent as attachments that require a password to open rather than in the body of an e-mail in order to address legal privacy issues. They might suggest limiting access to e-mail files to address confidentiality legal issues.

To protect physicians from legal difficulties, they should ensure that patients are informed of the privacy implications and inherent risks of e-mail communication as part of an informed e-mail consent process, which should conclude with a signed, written consent form.

Physicians and patients should recognize that e-mail messages (either in an electronic form or as a paper transcript) must become part of patients' medical records. Physicians should be trained to treat e-mail with the same level of conservancy, privacy, and confidentiality protections afforded to all medical records.

Health care provider managers should provide their employees notice and training with respect to electronic records. Employee handbooks and annual training sessions should be employed to ensure that the action of a rogue employee is not imputed to the employer.

In conclusion, existing law imposes a duty upon physicians to protect their patients' confidences. Physicians are required to insulate their patients' e-health data (including e-mail communications) from public view. To comply with this duty, with respect to patient e-data generally and e-mail specifically, a physician's duty is more than a pro forma awareness. Rather, physicians have a legal obligation to take precautions to secure patient health e-data through both defined and enforced office practices. NJM


1. B. Kane and D.Z. Sands. "Guidelines for the Clinical Use of Electronic Mail with Patients," J. Am. Med. Informatics Assn. 5 (1998): 104, 106-108.