Websites, e-mail, electronic consultations, electronic health records, identity theft, bureaucratic regulations, computer stations, personal digital assistants (PDAs), BlackBerry telephones… our new electronic world is rife with potential liability and malpractice. Unfortunately, the list continues to grow in direct proportion to the ongoing evolution of our electronic world. In fact, President Obama’s recovery program dictates further commitment to electronic utilization within healthcare for increased efficiency and productivity in order to reduce expenses.
One example on the regulatory side is the new “Red Flags Rule” from the Federal Trade Commission that became enforceable on August 1st. Any medical practice that extends, renews, or continues credit for a patient must implement written policies aimed at curbing identity theft. The simple act of billing a patient for services, even if an insurance carrier is billed first, triggers inclusion under this new rule.
It would take a book to address the necessary risk management of these new, electronic exposures. However, the solutions would probably be outdated by the time such a book was published. In this month’s column, we’ll categorically look at the management of some of these inherent risks in hopes of raising levels of awareness.
- Although websites are excellent resources for patient education, be sure to include a disclaimer that the information does not constitute specific medical advice.
- Make sure that you have reviewed, and are in agreement with, any article or information posted on your site.
- Protect access to your website with patient passwords. This eliminates potential “duty of care” obligations to non-patients and further eliminates out-of-state residents from creating a liability relating to a lack of license to practice in other states.
- If you do opt for an open website, have a lawyer research licensing issues, malpractice insurance coverage, and conflicting laws in the other 49 states.
- Place a prominent disclaimer discouraging the use of the website (and e-mail) in cases of medical emergency. Advise patients to call 911, your office, or go to an emergency treatment facility.
- Transmission of standard, non-secure e-mails to patients should include a disclosure that the e-mail is not secure and is not for use by patients or for healthcare purposes in general.
- You can incorporate an encrypted e-mail function within your website for your administrative staff to handle and process appropriately.
- A patient portal for communication can enable patients to request prescription refills, receive test results, request appointments or make e-mail contact with their physician.
- Take reasonable precautions to authenticate the identity of patients receiving electronic communications from you. Under HIPAA you have a responsibility to ensure that patient privacy and confidentiality are never compromised.
- All network services, from the website to general e-mail, trigger a responsibility by the physician to protect patient privacy and guard against unauthorized access to patient information. Such services, under HIPAA, are expected to have an appropriate level of privacy and security.
- Ensure that your office has a system to protect against unauthorized computer access with password protections and automatic log-outs.
- Have your patients sign an informed consent form before initiating any online communications. Such forms should be part and parcel of your “Red Flags” written policy.
- Advise patients that sensitive health information and issues may be better handled in an office setting, as there is always a risk that such information could be accessed by someone not authorized to see it. You could even provide a list of such sensitive topics.
- As a general practice, it is also a good idea to inform patients that their personal data stored on their own BlackBerrys, PDAs, CDs, storage drives, and personal computers may not be secure. (Note that the Secret Service has issues with our president’s use of a personal BlackBerry.)
- It is absolutely essential that your entire staff be properly trained in policy, protocol, and procedures relating to electronic communications with your patients.
- You should also train your patients in order to manage their electronic expectations. In today’s world people expect immediacy. Therefore, you need to educate them as to typical response times for electronic communications with your office.
As stated in the beginning, this column is merely a starting point to get you thinking about the risks and exposures associated with the electronic world. There are four basic considerations:
- Educate yourself, your staff, and your patients about electronic activities that are being undertaken by your practice.
- Utilize a technology specialist to develop, install, and manage appropriate firewalls and security protocols to ensure that you meet privacy and identity theft regulations.
- Consult with your legal representative to verify that your electronic activities fall within state and federal statutes, and to update you on new changes and regulations.
- Consult with your insurance agent to make sure that your malpractice and other business insurance will protect you in accordance with your electronic undertakings.