Can't you just email it?

Ruanne Brell, BA LLB (Hons), Senior Legal Adviser, Advocacy, Education and Research, Avant

Sunday, 9 October 2022

Sally has left a voicemail message asking for a copy of her prescription for her upcoming trip, in case she loses her glasses. She doesn’t have time to come in, can you email it to her?

Electronic communication became even more essential for healthcare during COVID-19 isolations and lockdowns. However, there is still some confusion among practitioners about how to communicate by email without breaching patient privacy.

Email communication requires reasonable steps to protect privacy

Healthcare information is considered sensitive information under the Privacy Act, but that doesn’t mean email communication is prohibited. In fact, healthcare organisations may communicate with or about patients using unencrypted email, provided they take ‘reasonable steps’ to protect the information transmitted and the privacy of the patient.

The Office of the Australian Information Commissioner’s (OAIC) Guide to Securing Personal Information provides guidance on what steps are considered reasonable.

Practices need to develop clear policies and procedures for using email and make sure staff understand these.

Is it appropriate to email?

Always consider whether email is appropriate for the situation and the information you are communicating.

For example, if you need to give a patient bad news or communicate complex or difficult information, this will usually require a face-to-face discussion.

You can send time-sensitive information by email, but make sure you have a process to check it has been received.

Since email is not a secure form of communication, it will be inappropriate for some types of information, or in some circumstances. This applies even if the information itself seems relatively innocuous, such as an optical prescription, so use your judgement and your knowledge of the patient’s circumstances to determine if email is appropriate.

Inadvertently disclosing personal information such as a home address to the wrong recipient would breach privacy and could potentially cause harm.

Confirm patient consent

Also check the patient understands email is not secure and confirm they still wish to have the information sent in that way. Keep a copy of their consent if they give it in writing. If the patient consents verbally, document this in the clinical record.

Double check the address

Private information being emailed to the wrong recipient accounted for nearly 18% of breaches reported to the OAIC in the last reporting period (June – December 2021).

Always check:

  • which address the patient would like you to use – patients may not want health information sent to a work address or shared address
  • that you have typed in the correct address – be particularly careful about auto-complete errors that could see the software completing a recently or frequently used address instead of the one you started to enter.

Ideally, contact the patient and ask them to email their request to you. You can reply to that address – which both ensures you’re using the correct address and confirms their consent.

Protect sensitive information

Your policy should also address whether clinical or sensitive information should only be sent in an attachment, or sometimes in a password-protected file. You need a protocol for providing the passwords (for example, phone the patient with the password).

It is always best to ensure there is no sensitive information in the body of the email.

Use a privacy disclaimer

While you want to avoid sending email to unintended recipients, it is still useful to include a privacy disclaimer as an added layer of protection.

Document and communicate your approach

Make sure someone in the practice is responsible for actioning any incoming emails appropriately and in a timely manner. All emails also need to be documented in the patient’s clinical record and stored appropriately. Your policy also needs to address how to manage and store any clinical images sent by email.

If you have an email address on your website, be very clear how and when this address is monitored.

You may need to add a warning that patients should not use email if they need an urgent response and provide an appropriate alternative emergency contact. This information could also be included in an autoreply for emails sent to that address.

Disclaimer: This article is intended to provide commentary and general information. It does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances.

A version of this article first appeared in Insight magazine and has been republished with permission.

Useful resources

Factsheet: Email communication with patients: privacy and patient safety

Office of the Australian Information Commissioner (OAIC) Guide to securing personal information
