HIPAAconnections: No. 4/ June 12, 2000

HIPAA and ePCCC

Clifford C. Dacso, MD, MBA
President, eMedicalResearch, Inc.
Professor of Medicine, Baylor College of Medicine

Electronic patient-centered communication, ePCC, is an emerging label for the clinical use of e-mail as well as other modes of electronic patient communication. Dr. Daniel Z. Sands of the Center for Clinical Computing at the Beth Israel Deaconess in Boston has smashed the three-letter barrier of acronyms and given us a subject heading to encompass new opportunities and liabilities.

Many of us have been performing ePCC for years and have gradually (or acutely) become wary of the ease with which confidential patient communications can be disseminated. Dr. Sands has clearly given this a great deal of thought. He outlines some his guidelines on his very informative Web page (http://clinical.caregroup.org/ePCC/). But, as usual in the intersection of medicine and bytes, HIPAA and privacy problems rear their heads.

Whether we are following a explicit protocol or merely cautioning our patients about the openness of e-mail, we are concerned with patient privacy. In a pioneering 1988 article (http://www.jamia.org/cgi/reprint/5/1/104.pdf), Kane and Sands identified important, common sense guidelines of physician-patient ePCC:

GUIDELINES

INFORMED CONSENT
To these, I would add another extremely important step. The physician should insist that the patient read and execute an informed consent document for e-mail communication between the patient and the doctor's office. The consent document should include acknowledgement that employees in the doctor's office will have the same access to the e-mail that they currently have to the patient's private chart. A warning to the patient that anyone who has access to the patient's computer are likely to be able to read the doctor's communications should be included as well.

If the doctor expects e-mail to become a critically important link to his or her patients in the future, some consideration should be given to securing communication links with patients. Secure email links are now available on a number of free websites using a variety of effective methodologies. These measures effectively eliminate the risk of intrusion by outside third parties. However, they will not eliminate the most likely information leaks - those in the doctor's office and the patient's home or office.

HIPAA
HIPAA, as a rule, seeks to protect individually identifiable health-related information by assuring that the individual maintains rights of access, copying, amendment, and knowledge of disclosures. The current state of e-mail technology does not allow widespread use of public key encryption or other technology that would assure privacy, so disclosure of the risk of interruption of the privacy chain is critical. Although this sounds daunting, compliance may be as simple as being certain not to leave patient communications on the screen when the doctor is out of the office.

It remains possible that HIPAA would require the use of identifiers. This, and other responsibilities of the provider, has not yet been clearly defined. Congress is likely to construe e-mail as a form of telemedicine. If so, watch out for rules about format and control of content. For now, adherence to these simple rules and use of common sense about the public nature of e-mail seems the best policy. It's just another case of technology getting out ahead. Incidentally, with all this talk of e-mail, it's timely for me to include ours.