The Information Commissioner has the power to levy fines for data protection breaches, so always ensure you are contacting the right person.
It is important to check the basic details to ensure you have the correct patient name and address, fax/mobile phone number or email address and that these are secure and cannot be read by someone else.
Crucial number/symbol omitted
This often leads to the incorrect person receiving an email. For example, in one anonymised case an email containing confidential patient information was sent to email@example.com instead of to firstname.lastname@example.org. The former was an administrator in an NHS trust in southern England, while the intended recipient was a consultant in a trust in northern England.
Personal email used for patient data
The account may be insecure and a confidentiality breach could occur if it is used to send or receive confidential patient data.
Connecting for Health advises that the NHSmail service is the only one secure enough to use for emailing patient data.
There have been cases where doctors were disciplined for forwarding emails containing patient information to their private email address. Note too that it can be difficult to permanently erase data from personal computers.
Group emails with visible addresses
When an email is sent to a number of patients at the same time and the sender does not put their addresses in the BCC (‘blind carbon copy’) field, a confidentiality breach automatically occurs as recipients can see each other’s email addresses.
This can be a triple breach, revealing:
- Patients' email addresses to everyone on the list
- That all the recipients are patients of the doctor/practice
- That they have a condition that might benefit from the service offered, such as a vaccination clinic.
Patients complaining about emails and texts
Some patients may complain if contacted by email or text, especially if they worry that other people can access this information.
Many healthcare organisations use texts and emails to remind patients of their appointments. However, it is advisable to obtain patients’ consent to be contacted in this way.
Staff should explain clearly the nature of the information patients may receive and that they can opt out of receiving the service at any time.
No record kept of text messaging
When no record is kept of the patient being texted, this can cause continuity of care problems. It is advisable to consider each text message as a clinical contact and to record and action it appropriately.
Any text from a patient should then be deleted from the handset, which should be password protected and locked away when not in use.
Dr Old is a medico-legal adviser at the MDU
Information Commissioner guidance for health organisations