The Medical Council Guide to Professional Conduct and Ethics for Registered Medical Practitioners provides clear guidelines in relation to maintaining patient confidentiality and this should always be observed when communicating with patients. A doctor should protect a patient’s privacy by keeping records and other information about patients securely and guarding against accidental disclosures. Doctors must comply with data protection and other legislation relating to storage, disposal and access to records.
Under the Data Protection Acts 1988 and 2003, persons are required to register details with the Data Protection Commissioner if they record data on a computer relating to the physical or mental health of identifiable individuals. GPs are data controllers in relation to their patients’ medical records. Registration with the Data Protection Commissioner must be renewed on an annual basis. Registration can be completed online on the website of the Office of the Data Protection Commissioner www.dataprotection.ie.
GPs are responsible for processing “data” about their patients and must ensure adequate security measures are in place before sensitive personal information is processed. While sending of text or SMS messages to patients may seem to be an efficient and appealing means of communication, difficulties can arise if sending confidential information in this manner, as text messages can be read by people other than the intended recipients and phone numbers may have changed. It is, therefore, advisable to restrict messages by text to matters which are non-clinical, such as appointment reminders or notification that non- specific test results are available and not to give the patient’s name or identifiers in the message so that if it is delivered to the incorrect phone, the person receiving it does not know who the message was intended for. As with all communications with a patient it is advisable that you include details of all text and fax messages on the patient’s chart.
A patient has a right to determine for himself/herself when, how, and to what extent information about his/her is communicated to others. It is, therefore, advisable to obtain informed consent in advance from your patients to communication by means of text messages. Provision of a mobile phone number in and of itself should not be seen as consent to receive text messages. Ideally when a patient is registering their details they should be asked to provide written consent to communication by text message for specified purposes and this should be kept on the patient’s chart. Such consent will need to be renewed if the manner in which you communicate with the patient changes significantly and /or the content and purposes for which you use text messages changes. Patients must be given an opt-out or more ideally an opt-in to this form of communication. The patient should be informed as to what the general content of messages will be and how the source of the communication shall be indicated. They will then have the opportunity to make a decision, based on their personal circumstances as to whether they wish to receive such messages. If a patient gives consent they should be advised to inform the surgery of any changes to their contact details.
Considerations when sending text messages to patients:
Considerations when receiving text messages from patients:
Patients may wish to send messages for some services - for example requesting prescriptions or appointments. While facilitating this means of contact from patients may provide considerable benefits for some patients, these messages must be processed effectively with procedures in place to ensure an appropriate level of safety and security.
The patient should be required to identify themselves in their text message but this alone cannot be relied upon and the mobile number must also be checked against the patients details contained in their records.The message details should then be transcribed carefully into the patient’s file.
The transmission of personal health information to a patient by fax should be avoided. In circumstances where medical information is required urgently and a more secure means of communication is unavailable the following should be taken into consideration:
Sample confidentiality notice:
“The information contained in this facsimile message is privileged and confidential information intended for the use of the individual or entity named above. If you have received this fax in error please contact us immediately and then destroy the faxed material”ICGP’s A Guide to Data Protection Legislation for Irish General Practice 2011 (7.1.5)
If using email communication with patients, the practice should have an email communications policy which incorporates safeguards in order to preserve patient confidentiality. Ensure that the patient has given consent for email communication. A system should be in place so that emails are replied to in a timely manner. All communication by email should be included in the patient’s medical chart. Do not use email to respond to complicated problems or engage in an exchange of emails if a consultation would be more appropriate.
It is important to ensure that there are appropriate levels of email encryption. Consult your IT provider to ensure that proper safeguards are in place so that clinical system information remains as secure as possible. Personal health information should not be transmitted by GPs to hospitals and other health providers by e-mail unless it is encrypted or a secure electronic pathway, such as Healthmail, has been established between the GP and the secondary health provider.
Notwithstanding appropriate measures to protect the security and confidentiality of email information sent and received, it must be considered that email communication remains subject to risks which include:
Monitor email queries at regular intervals and ensure that they are brought to the attention of the relevant person. Set up an automated response to indicate that the email has been received including details on when the patient may expect to receive a reply. It may also include direct contact details recommending how the patient should contact the practice for urgent matters.
Remember that email communications are an important part of the medical notes of a patient and must be recorded there.
Section 43.3 of The Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states:
A doctor “must follow the standards of good practice set out in this Guide, whether you provide services using telemedicine or traditional means. In particular, you should:
Paragraph 44.1 states “Information about medical services published in the media, internet or other means is generally in the public interest provided the information is factually accurate, evidence-based and not misleading.”
You must include your Medical Council registration number on your letter headings, medical prescriptions, and all other documentation and records (paper or electronic) related to your practice or in any information published about your practice including your website site. Information about your practice or services must also make it clear that “doctors may only practise in countries in which they are registered”.