Risk management tips
Psychiatrists can take steps to safeguard patient confidentiality when using various technologies.1 Computer security risks usually occur in 3 areas: access to records by unauthorized readers; information transmission problems when using phone lines/networks; and transfer of data to nonmedical users, such as insurers.1 Safeguards to prevent a data breach may include:
• Individual passwords for authorized users
• Automated audit trails identifying specific users
• Restrictions on copying/downloading patient files
• Using secure systems when accessing patient files remotely
• Routinely backing up data
Whether saving on a desktop or laptop computer, patient’s records should be properly stored. The portability of laptops makes them a higher risk for being lost or stolen. As such, particular attention should be paid to password protection and encryption.
Psychotherapy notes, if computerized, should be kept in a separate and secure file that is inaccessible to other users or other computers, unless the patient specifically authorizes disclosure to others.2 Furthermore, as an additional safeguard, if your EMR system has the capability, link access levels with specific roles (eg, “attending physician,” “medical assistant”).3
Currently, there is little case law concerning use of e-mail with patients. If you elect to use e-mail with patients, it is strongly recommended that you use a HIPAA-compliant secure messaging platform. Such services have end-to-end encryption, ensuring that information transmitted across the Internet cannot be intercepted. Some EMRs have integrated secure messaging functionality, which allows users to receive and send encrypted messages without manually logging on to a separate messaging server. When patients receive a reply from their provider, they receive an e-mail notifying them that there is a secure message waiting for them; after entering their login credentials, they follow a link to view the message.
In the absence of a secure messaging system, e-mail exchanges between you and your patient should never be about clinical issues, but rather they should be limited to brief administrative issues, such as appointment changes.4 If you are e-mailing a patient at work, remember that the employer can access the e-mail, since it is the employer’s property. Thus, always ensure that you send e-mails to the patient’s personal rather than work account.
Communicating via cell phones, smart phones, and other wireless devices can increase the risk of inadvertent breaches of confidentiality because communications may be intercepted and overheard. If you are using such devices, inform the patient that you are and that there is a risk that the conversation may be overheard. In addition, to continue the conversation, get the patient’s consent and log the call into the medical record when completed.4
Mobile devices used for e-mail, accessing a patient’s EMR, communicating with patients, scheduling appointments, and task management (including patient names or other patient identifying information) must have robust security features. Some of these include screen-locks after several minutes of inactivity, password protection on start-up and unlocking the screen, screen filters that limit visibility from an oblique angle, and the ability to remotely wipe data in the event that the device is lost or stolen.
The confidential nature of the relationship should be protected when leaving messages for patients.1 Using voicemail and answering machines to transmit confidential information may increase the risk of inadvertent disclosure because it is not always possible to know who may hear the message or is able to access the system. Thus, these systems should be set to low volume or soundproofed.
While this article highlights some of the modern-era risks to confidentiality that psychiatrists may experience, it does not constitute an exhaustive list of issues to consider and is not a substitute for legal advice. Modern technology is a moving target that evolves on a daily basis. As such, it is important to be aware of applicable state and federal regulations as well as principles of medical ethics.