Emailing patients: what to include in your policy

Use this checklist when putting together your practice’s policy and procedures for email communication with patients. It helps you consider consent, privacy, security, documentation, and staff responsibilities so you can meet your privacy obligations and communicate with patients safely and effectively.

Wednesday, 3 September 2025

To satisfy your obligations, your practice should have clear policy and procedures about the appropriate use of email to communicate with patients, and how email communications will be managed. Your policy should include:

Whether you and your team are willing to respond to email requests from patients. This will depend on the size of the practice, the ability to monitor emails and respond in a timely manner, and the type of request.

How you will respond to requests if you are unwilling to send information by email – whether because of practice capacity or because of the particular circumstances. Outline what those circumstances are. For example, your practice may have a policy of not answering clinical questions by email. If you do provide clinical care by email, ensure you comply with the Medical Board of Australia's guidelines - Telehealth consultations with patients and check your medical indemnity insurance covers this.

How you will respond to emails from patients who have not yet been seen at the practice.

How you will respond to emails from patients that include clinical information such as clinical images.

How you will confirm and document patient consent to communication by email.

Criteria for when patient emails must be referred to a doctor or other clinician for action.

Which staff are approved to send or reply to patient emails.

What sorts of information will be sent by email and the level of protection required – encryption, secure messaging, password-protected attachments.

If using password protected PDF files, outline how that password is chosen and communicated to the patient.

How you will ensure that electronic communications, including emails and attachments, are retained, stored and destroyed in compliance with record-keeping requirements. See Avant Factsheet: Storing, retaining and disposing of medical records.

When you will require confirmation of receipt – for example for time-sensitive information.

Steps staff need to take to avoid data breaches – for example, checking email addresses, avoiding auto-complete text in addresses. See Avant article: 7 steps to avoid a human data breach.

Your procedure if a data breach occurs via email with reference to your data breach policy. See our Collection: Cyber collection - Avant by doctors for doctors

How you will manage your practice email addresses - including auto-replies and ongoing monitoring.

The wording of your practice privacy disclaimer, which should be included at the end of all emails.

Suggested wording

Disclaimer

This communication is confidential and intended only for the individual or entity to whom it is addressed. No part of the email should be copied, disclosed or redistributed without [business name’s] authorisation. If you have received this in error, please notify the sender of its incorrect delivery by reply email or phone [insert reply email or phone number].

Auto-reply

This email address is not constantly monitored and is only periodically checked [or insert a specific frequency e.g. once a day, three times a day] by a non-clinical staff member. As such, it is not possible to manage or respond to clinical queries via email. For any clinical queries please contact the practice on [insert phone number].

Additional resources

Avant - Email communication with patients: privacy and patient safety

Avant - Recommendations when using SMS messaging

Avant- Cyber: what you need to know

Office of the Australian Information Commissioner – Guide to securing personal information

Royal Australian College of General Practitioners – Using email in general practice

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.