What Physicians Need to Know
Many neurosurgeons take advantage of e-mail technology to consult with colleagues regarding difficult cases through unsecured (unencrypted) home and office e-mail accounts. Subscribing to listserves (electronic mailing lists) such as those of the AANS/CNS sections at https://www.neurosurgery.org/listserv represents another way that e-mail facilitates communication and participation in neurosurgery. Both the scope of e-mail communication and the responsibilities regarding its use have evolved in the last 10 years. The Bulletin asked the AANS director of information services and representatives of Ross & Hardies law firm to discuss what neurosurgeons need to be aware of regarding their e-mail communications today.
E-mail Innovations Expand the Scope of Messaging
Recent innovations in e-mail technology have expanded the definition of e-mail from a simple digitized text message to a communication method that encompasses digitized images, videos, voice messages and even music. For a neurosurgeon these innovations can mean that a voice message narrative may accompany complex text or an entire presentation on a neurosurgical technique, a set of patient images, and video of an operation, all bundled into one message. Integrated network communications systems allow digitized voice messages, faxes, and images to bridge into e-mail systems for easy information management. Users who are members of large networks can anticipate exchanging e-mail across wireless connections in the very near future.
Security needs to be an integral part of an e-mail system. Many e-mail applications such as Eudora and Outlook offer encryption for sensitive information, and the ability to filter out objectionable or unsolicited material (“spam”). Additional security features like antivirus software, as well as “firewall” packages that keep out both hackers and viruses, can be purchased to fit the scope of your particular system. McAfee.com Corporation (Virus Scan Online, Personal Firewall Plus, https://www.mcafee.com and Symantec Corporation (Norton AntiVirus, Norton Personal Firewall, https://www.symantec.com/product) offer a variety of security software packages.
To accommodate the burgeoning capabilities of e-mail systems and maintain optimal functionality for the user, the workstation environment needs to have abundant internal memory (256MB RAM or more); contain a fast processor to handle the large data transfer tasks demanded by image transfer (Pentium 4 or equivalent); and have a generous allowance of hard disk storage (20GB or more) to store these digital files for quick retrieval.
Outsourcing to an e-mail service organization, for example Critical Path (www.cp.net/sitemap.html), Commtouch Software https://www.commtouch.com or EarthLink https://www.earthlink.com, is an option for providing a complete package of advanced e-mail message handling and management services without the investment in software, security and maintenance.
Kenneth L. Nolan is the AANS director of information systems.
E-mail Consultation and Patient Confidentiality
Physicians who engage in e-mail or listserve consultations with other physicians regarding a patient’s condition need to be aware of the patient privacy protections under the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA defines protected health information as any demographic information which identifies or can reasonably be used to identify an individual relating to the patient’s past, present or future physical, mental health, or condition; the provision of healthcare to the individual; or a past, present, or future payment for the provision of healthcare.
If the physician removes patient-specific information such as the patient’s name, geographic designations, phone and fax numbers, e-mail address, etc., then such communication is no longer subject to the HIPAA privacy rules. However, most U.S. states consider communication about a patient’s condition as the practice of medicine under telemedicine; therefore e-mail consultation is subject to each state’s laws regarding physician licensure and laws related to the practice of telemedicine.
Conversely, if information identifying a patient is not removed, HIPAA privacy rules will apply. To comply the physician will need to obtain prior written consent from the patient for diagnostic and treatment-related disclosures; a general consent form that a physician typically provides to new patients can be adapted to meet HIPAA’s specific requirements. The physician additionally must ensure that the communication containing protected health information is secure and encrypted in accordance with HIPAA’s Electronic Health Care Transaction and Code Set Standards .
Because HIPAA does not preempt stricter state law, a physician also should determine if there are state requirements that need to be observed in addition to HIPAA’s requirements. Typically, the law of the state where the patient resides applies to medical consultations. Moreover, because many nations and the European Union have adopted their own-often stricter-patient privacy laws, any international consultation must conform to that country’s privacy laws, if any.
Morgan Moran, JD, and Kara Friedman, JD, Ross & Hardies, Chicago, Ill.