Electronic systems make it quick and easy to transfer patient data and images, but it's vital to ensure sensitive information remains secure. In a new report about patient confidentiality, the U.K. Royal College of Radiologists (RCR) gives 10 simple email rules to follow.
These are the rules:
- Never autoforward mail to other accounts.
- Mark all email subject lines as "confidential." Do not include any patient information (e.g., hospital or National Health Service [NHS] numbers) in this line.
- In the text, use the minimum number of patient identifiers. Avoid using names and dates of birth where possible.
- Delete emails that contain patient information as soon as practicable.
- Think carefully about giving proxy access to anybody. Ask yourself: Is it appropriate for secretaries and personal assistants to see patient information?
- Be very careful when using group email accounts. This particularly applies to general practitioner inquiries. Group accounts should only be set up after agreement with your information governance officer and/or data protection officer.
- Be careful when replying to emails from patients or other members of the public. "You have no way of knowing who may read it or where it may end up. It is good practice just to acknowledge receipt of such emails and to request verification of their legitimacy via other means such as standard mail or a telephone call. Limit the exchange of sensitive data as far as possible," the authors noted in the RCR report.
- Remember, email has the same legal status as a letter. Emails can be submitted as evidence in court and can also be requested via the Freedom of Information Act, for instance.
- Be aware of different types of email accounts. In the U.K., ideally you should only send patient information to accounts ending with @nhs.net. If you have to use another type of NHS account -- for example, @somewhere.nhs.uk -- be sure of the identity of the recipient before you send the email.
- Do not import NHS mail account settings into your mobile device email client. Importing them means confidential information can potentially be stored on your device and then inadvertently backed up to the cloud. Only access email remotely using the NHS web portal.
Duties and obligations
Overall, radiologists must be mindful of the duties of confidentiality placed on them by law, in particular the European Union's General Data Protection Regulation (GDPR) 2016 and national legislation such as the U.K. Data Protection Act (DPA) 2018, explained the authors of the 24-page RCR report called "Guidance on maintaining patient confidentiality when using radiology department information systems."
Radiologists are also bound by the professional obligations imposed by relevant medical councils, as well as local information governance and contractual requirements. This is no different to the way other doctors are required to maintain patient confidentiality on hospital ward rounds, in clinics, in general practice surgeries, etc., they added.
The report aims to provide information on what to do in commonly encountered data sharing situations.
"With this knowledge, and the application of common sense, radiologists should be in a better position to comply with the law and provide the level of confidentiality that patients expect," the authors point out. "A note of caution however; data confidentiality and the legislature surrounding it are complex and constantly evolving. You are strongly advised to seek the guidance of your local data protection officer before commencing any new patient data handling processes."
They acknowledged the contribution of members of the RCR Radiology Informatics Committee and Mark Scallan, head of information governance at Royal Cornwall Hospital.
You can download a copy of the document free of charge from the RCR website.