Email Privacy
Introduction
This email policy is to provide information on how we manage our privacy and security via email communications. This email policy is adapted from and in accordance with RACGP 5th Edition standards and AHPRA guidelines.
General practices are increasingly receiving requests from patients, other clinicians and third parties for health information to be sent to them electronically because it is an easily accessible method of communicating. The Australian Privacy Principles published by the Office of the Australian Information Commissioner state that: “Health information is regarded as one of the most sensitive types of personal information.
For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling.
The Privacy Act defines health information as:
Information or an opinion about:
the health or a disability (at any time) of an individual; or
an individual’s expressed wishes about the future provision of health services to him or her; or
a health service provided, or to be provided, to an individual; that is also personal information; or
other personal information collected to provide, or in providing, a health service; or
other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Rationale
As all health information is sensitive by nature, all communication of health information, including via electronic means, must adequately protect the patient’s privacy. Our practice takes reasonable steps to make our communication of health information adequately safe and secure. GPs, health providers, support staff and patients should be aware of the risks associated with using email in the healthcare environment.
OUR PRACTICE POLICY
Our practice considers our obligations under the Privacy Act before we use or disclose any health information. The Privacy Act does not prescribe how a healthcare organization should communicate health information. Any method of communication may be used as long as the organization takes reasonable steps to protect the information transmitted and the privacy of the patient. A failure to take reasonable steps to protect health information may constitute a breach of the Australian Privacy Principles and may result in action taken against the organization by the Australian Privacy Commissioner. What amounts to reasonable steps will depend on the nature of the information and the potential harm that could be caused by unauthorized access to it. The RACGP has developed a matrix to assist practices in determining the level of security required in order to use email in general practice for communication.
- Our clinic does not communicate with patients via email unless the patient has requested it and given written informed consent.
- Our clinic has documented protocols and resources describing how patient consent is obtained and recorded. The email address is verified by the practice before any email is sent, and verbal consent is also taken when possible.
- We strongly recommend avoiding the sharing of confidential or sensitive details (clinical matters, blood results, etc.) via email, because our emails are not end-to-end encrypted: transport encryption between mail servers does not protect a message once it is in a mailbox or if it is forwarded. If the patient requests it with written consent, we will send clinical documents at the treating doctor’s direction.
- Written informed consent is obtained from the patient and saved in the patient file, and verbal consent is also confirmed during the consultation.
- Our staff have been advised not to rely on copy-and-paste or address auto-completion when entering a patient’s email address, and to update patient contact details regularly. Patients have also agreed to tell us of any changes to their contact details.
- Our clinic staff ensure that electronic communications, including email and attachments, are retained, stored and destroyed in accordance with record-keeping requirements. Any information held in our email accounts that is specific to a patient’s health information is downloaded as per practice policy and imported into the relevant patient file(s), so that it is backed up with the rest of our data.
- The receptionists and practice manager send or reply to patient emails.
- Our clinic has an automatic email response that includes the practice’s telephone number and when the sender can expect to receive a reply.
- Emails received from another practitioner, hospital, pathology or imaging provider, and any email requesting clinical advice or attention, must be forwarded to the clinical staff for action.
- We will call the patient and inform them if we are unable to send information by email. We will also offer the option of registered post if the patient consents to this method of communication.
- We ask that other health practitioners do not email us with personal information about mutual patients (unless you have the patient’s express consent).
- We prefer to receive correspondence via secure messaging, such as Argus, HealthLink, Referral Net or Medical Objects or by post.
WARNING REGARDING THE SECURITY OF EMAIL COMMUNICATIONS
Please note that our email service uses transport encryption (TLS) between mail servers; however, we cannot guarantee the security of our email communications. There is a risk that emails and/or attachments could be read by someone other than the intended recipient (for example, as a result of a large-scale compromise of a mail provider, a relay that does not support encryption, or because someone gains access to your email account).
For this reason, we discourage health providers from sending emails to us with personal information about patients, and we discourage patients from sending emails to us with their own personal information.
However, we may agree to email you a response to a query and/or information or documentation that you have requested which includes your health information, provided that you have confirmed that you have considered and accepted the risks associated with email communications. We may also require you to email us confirming that you have considered and accepted those risks. We also strongly recommend that you tell us if your email address or phone number changes.
Email configuration
Communication of clinical information to and from healthcare providers is completed from within the practice’s clinical software, wherever possible, using a secure clinical messaging system such as HealthLink. Using the clinical software means that a record of the communication is automatically retained in the patient’s medical record. This is not possible when communicating with patients by email.
Particularly during the current pandemic there has been an increase in email communication with patients and pharmacies. Increasingly, referrals and prescriptions have been sent by email.
We have the current protective measures in place:
- Computer security measures.
- Using 3 identifiers to identify patients.
- Notifying patients that the information is encrypted in transit but that there is still a security risk in sending emails to them containing their personal medical information. They can choose to collect a hard copy from our office if they prefer.
- A notice on our emails stating what the recipient should do if the email has been sent to the wrong address.
- Notification to the OAIC (and to affected individuals) of any eligible data breach under the Notifiable Data Breaches scheme.
- Protection against spam: Use a spam filtering program.
- Encryption of patient information: Use server to server encryption such as SSL or TLS.
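Server-to-server TLS is negotiated hop by hop and, unless the mail servers are configured to require it, is opportunistic: a message can leave our server over TLS and still be relayed in clear text by a later server. One practical check is to read the Received headers of a message and look at the RFC 3848 transmission-type keyword each relay recorded ("with ESMTPS" or "ESMTPSA" means that hop used TLS; "ESMTP" or "ESMTPA" means it did not). The script below is an added example, not part of the practice’s policy or software; the sample message, host names and addresses are constructed for illustration, and a hop whose header omits the keyword is reported as unknown rather than assumed encrypted.

```python
"""Report, hop by hop, whether an email travelled over TLS between mail servers.

Added example (not the practice's own tooling). It inspects the Received:
headers of a message for the RFC 3848 transmission-type keywords. Sample
message below is constructed; real headers vary by vendor.
"""
import email
import re

# The keyword after "with" in a Received: header (RFC 5321 s4.4, RFC 3848).
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9-]+)", re.IGNORECASE)
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PLAIN_TYPES = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA", "UTF8SMTP", "UTF8SMTPA"}


def hop_transport(received_value):
    """Return 'tls', 'plaintext' or 'unknown' for one Received: header value."""
    m = WITH_RE.search(received_value)
    if not m:
        return "unknown"
    kind = m.group(1).upper()
    if kind in TLS_TYPES:
        return "tls"
    if kind in PLAIN_TYPES:
        return "plaintext"
    return "unknown"


def audit_message(raw):
    """Return a list of (sending host, transport) per hop, oldest hop first.

    Each relay prepends its own Received: header, so the first header in the
    message is the most recent hop; the list is reversed to read the path in
    delivery order.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        m = re.search(r"\bfrom\s+(\S+)", text)
        hops.append((m.group(1) if m else "?", hop_transport(text)))
    return hops


def fully_encrypted(hops):
    """True only if every recorded hop used TLS; one plaintext or unknown hop fails."""
    return bool(hops) and all(transport == "tls" for _, transport in hops)


# Constructed sample: a pathology result that reached the clinic's edge server
# over TLS 1.3 and was then relayed internally in clear text.
SAMPLE = b"""\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
 by mail.clinic.example with ESMTP id abc123;
 Mon, 1 Jul 2024 09:00:00 +1000
Received: from smtp.lab.example (smtp.lab.example [198.51.100.5])
 by mx.clinic.example with ESMTPS id xyz789
 (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 1 Jul 2024 08:59:58 +1000
From: results@lab.example
To: reception@clinic.example
Subject: Pathology result

body
"""

if __name__ == "__main__":
    path = audit_message(SAMPLE)
    for host, transport in path:
        print(f"{host:25s} {transport}")
    print("TLS on every hop:", fully_encrypted(path))
```

Running it on the constructed sample prints the external hop as tls and the internal hop as plaintext, so the message is not reported as encrypted on every hop. This only reflects what each relay wrote into its own header, so it is a retrospective audit rather than a guarantee; enforcing encryption on outbound mail requires the mail server to be configured to require TLS (for example via MTA-STS or a per-domain TLS policy) rather than merely offer it.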
General protection information
We do not provide confidential information in response to an email request (especially by return email), no matter how credible the sender appears (for example, emails that appear to come from your bank).
Use a spam filtering program.
All email communications should be treated as confidential.
When sending patient information or other confidential data by email, it is best practice to use encryption.
Be aware that encrypted or password-protected attachments cannot be scanned for viruses by the mail gateway. They must be saved, decrypted and then scanned for viruses before being opened.
Protection against the theft of information
There are significant risks in providing confidential information over the internet: only do so when the browser shows a security lock in the address bar and the web address begins with https. Note that the lock only means the connection to that site is encrypted; it does not prove the site is the one it claims to be, so check the domain name as well.
Do not inform people of your email password.
Be aware of phishing scams requesting logon or personal information (these may be via email or telephone).
Email disclaimer
The practice uses an email disclaimer notice on outgoing emails that are affiliated with the practice stating:
CONFIDENTIALITY NOTICE AND DISCLAIMER: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
Email correspondence
Email correspondence sent to our email address is retained as required by the Public Records Act 2002 and other relevant legislation. Email messages may also be monitored by our information technology staff for system troubleshooting and maintenance purposes. Patient email address details will not be added to a mailing list or disclosed to a third party unless required by law.
Policy review statement
This privacy policy will be reviewed regularly to ensure it is in accordance with any changes that may occur.