The following article applies in normal circumstances. For more information specific to the COVID-19 pandemic, see the CMPA COVID-19 Hub.
Technology is changing how doctors interact with patients and other health care providers. While virtual care can be an effective means of providing care and may enhance patients’ engagement in their care, it can also present unique challenges to patient privacy and confidentiality.
The CMPA’s experience suggests that, at present, physicians are most interested in using email and instant messaging (texting), videoconferencing, patient portals, and various social media applications. All of these virtual care delivery tools can be accessed from a number of devices, including smartphones and tablets.
Physicians must consider the risks to patient privacy unique to the devices and applications used to deliver patient care. The risks related to each tool are not necessarily the same. While patients should be informed of the benefits of virtual care, they must also be informed of the potential risks. Such a discussion should be noted in the medical record.
To help members discuss with their patients some of the general medico-legal risks associated with delivering care virtually, the CMPA has developed a virtual care consent template [PDF, DOC]. This template form is intended for physicians to use as the basis of an informed discussion with patients about the use of virtual care tools. It should be modified by physicians to suit the particular circumstances of their practice, and the applicable medical regulatory authority (College) requirements and privacy legislation in their jurisdiction.
The virtual care consent template [PDF, DOC] may also help in developing an appropriate form for documenting consent. It is worth emphasizing that using this consent form is not a substitute for a proper and informed discussion with patients about the risks associated with the use of the technology. It also does not relieve physicians of their obligation to fulfill all applicable jurisdictional privacy obligations.
Communicating electronically
Despite their pervasiveness and convenience, email and texting are often the least secure electronic communication tools. Imagine, for a moment, using standard email software to send personal medical information to a patient — and getting the email address wrong. Worse — the email does not bounce back, but rather appears in the mailbox of an unintended recipient. The risks of interception or errors in sending email, texts, or instant messages can be significant.
Despite any disclaimer physicians may include in the message, they remain responsible for protecting patient health information and preventing unauthorized access. Privacy legislation generally requires that custodians adopt safeguards to protect the personal health information under their control. Privacy regulators generally agree that the use of encryption software to protect electronic messages is a reasonable safeguard under the circumstances. There are a number of enterprise solutions that can provide encryption, including many patient portals. The protection options that are available outside the institutional environment can be complex and expensive; however, more encryption options and applications are becoming available for use on devices such as smartphones.
Physicians considering using unsecured or unencrypted email or messaging should do so only for information that does not include identifiable personal health information.
Patient portals — Active pathways for two-way communication
In recent years, patient portals have evolved into popular, secure interactive tools that can greatly enhance communication between physicians and patients, and help patients better manage their health.
There are multiple functions of online patient portals. For example, portals can house patient profiles and medical records, contain patient education documents, generate alerts and reminders for prescriptions and medication management, make the booking of appointments more efficient, and enable a quick review of lab reports and follow-up messages to patients.
A growing number of physicians are taking advantage of this technology, particularly in response to patients’ demand for accessibility to everyday technologies. However, physicians using patient portals should clearly understand the benefits and limits of the technology and the steps to be taken to protect personal health information. While some functions of portals may appear innocuous, even patient education materials could communicate confidential information about an individual's health status.
Patient portals need to be secure and accessible only by those who are authorized. The chosen platform must have adequate security systems to protect patient information and private online conversations, and meet the requirements of applicable privacy legislation. Because the technical and security issues with portals can be complex, physicians and institutions should seek appropriate advice.
Patients also need to be informed in advance about how a portal will be used for online communication. They need to be aware that portals should never be used for urgent messages or time-sensitive health issues. Physicians should explain what information is available and what will be shared through the portal. They should also explain that not all information should be shared online and that face-to-face consultations may be required to ensure appropriate follow-up care and the correct interpretation of results.
This discussion with the patient should be noted in the patient record. Consent forms [PDF, DOC] should set out the terms of use for the portal and the patient's consent to its use for those specific purposes. As well, a terms of use agreement [PDF] should be submitted online before the patient is granted a password and access to the portal. These agreements outline the terms and conditions under which patients can use the portal.
Social media
Physicians need to keep privacy and confidentiality in mind when using social media. These networks can be valuable for sharing information for health promotion and for educational purposes. However, physicians should not communicate identifiable patient health information using social media. While some of these networks appear to mimic private one-on-one conversations through a chat function or direct messaging, content communicated via social media is unprotected and publicly accessible. Despite rigorous use of privacy settings, information shared on social media sites should be considered public forever.
Some medical regulatory authorities (Colleges) have created resources for physicians using social media in their practices. These resources include information about respecting professional boundaries and exercising caution when posting information that could identify a patient.
Remember that social media platforms are public channels and can be considered equivalent to the front page of any newspaper or the home page of any website.
Videoconferencing and online meeting platforms
Increasingly, physicians are providing care to patients using video conferencing and other online meeting platforms with video capability.
Physicians should consider whether the platform they intend to use meets the applicable privacy requirements in their jurisdiction. In some jurisdictions, a privacy impact assessment may be required before using a platform.
Physicians should be aware of the limitations of the technology and determine whether it is appropriate to use in each specific circumstance. If the standard of care cannot be met using videoconferencing or patient privacy cannot be adequately protected, then an in-person consultation should be considered.
Physicians should review any guidance from their Colleges, privacy commissioners, specialty organizations, or medical associations/federations concerning the use of videoconferencing to deliver care virtually. The Canadian Medical Association’s Virtual Care Playbook is one resource that provides practical guidance on appropriate use of virtual care technologies. [1]
Reducing risk in virtual care
Physicians who share personal health information through virtual care platforms need to keep in mind that they are governed by the same legal and professional standards that would apply in other professional settings. For example, physicians should carefully consider how they will document virtual care interactions in the patient’s medical record.
Physicians should establish policies and procedures for delivering care virtually, including the tools and technology used in their practice. Employees should be informed of the risks unique to each tool and trained to follow the policies and procedures.
Physicians should consider security measures and procedures to reduce the risk of privacy breaches. This includes using appropriate protection and privacy settings. As technologies continue to evolve, physicians should continue to consult specialty vendors and privacy commissioners, among others, about appropriate and required security measures (e.g. encryption). While physicians will generally want to disable any recording function available through the virtual care platform to protect patient privacy, it is also prudent for physicians to encourage patients to speak with them before making their own separate recording of the virtual encounter.
A patient's informed consent to virtual care should be obtained and documented, either through a notation in the patient's medical record or by a signed consent form or terms of use agreement. Even if a consent form [PDF, DOC] or terms of use agreement [PDF] is signed, physicians should still document in the patient’s record the discussion about the risks and limitations of the virtual care tool(s) that will be used. Physicians need to keep abreast of advances and be informed about privacy and security issues related to their jurisdiction and practice environment.
Reference
1. Canadian Medical Association. Virtual care playbook for Canadian physicians. Ottawa (CA): CMA; September 2021. https://www.cma.ca/sites/default/files/pdf/Virtual-Care-Playbook_mar2020_E.pdf