The College of Physiotherapists of Alberta asked members about their use of technology in clinical practice.1 Physiotherapists report using a wide range of technologies in their day-to-day work; however, the most commonly used technology is email.
- 72.2% of Alberta physiotherapists report using email to confirm appointments or send patient education materials.
- 55.6% report using email to communicate with other members of the patient care team.
Given how common it is for people to have one (or several) email addresses, this finding is not surprising. Interestingly, a much smaller proportion of respondents (27.8%) reported using text messaging to confirm appointments. The College of Physiotherapists of Alberta has heard anecdotes of organizations that actively discourage their employees from using email, due to perceived risks related to the technology. However, email and text messaging constitute powerful tools to enhance communication with patients and fellow health-care providers and meet the performance expectations outlined in the Standards of Practice, provided the technology is used effectively and appropriately.
Some of the performance expectations outlined in the College of Physiotherapists of Alberta’s Standards of Practice that could be met or enhanced through the use of electronic communications include:
- Communicates effectively with clients to promote their understanding of proposed services (e.g., active listening, use of plain language, encouraging questions).2
- Identifies potential barriers to effective communication and makes a reasonable effort to address these barriers (e.g., interpreters, technology, diagrams, printed education materials).2
- Shares information with clients, team members, and other stakeholders about the roles and responsibilities of physiotherapists in client-centered care.3
- Communicates effectively with clients, team members, and other stakeholders to facilitate collaboration and coordinate care.3
eHealth competencies related to the use of email include the ability to create, send, and respond to email messages, and to attach and receive/download email attachments.4 These are, arguably, pretty basic skills that most active email users master quickly. However, there is another aspect of email use in practice that deserves attention: the obligation to maintain patient confidentiality and manage risks to that confidentiality when using this form of communication. Physiotherapists are required to protect their patients’ “privacy and personal information at all times.”5
With such ubiquitous use of email within both patient and health professional groups, it’s easy to become blasé about the risks of emailing information. As identified by the Office of the Information and Privacy Commissioner of Alberta, email is susceptible to several risks, including:6
- Interception
- Misdirection
- Alteration
- Loss
- Inference
Text messaging poses the same security risks as email, with additional issues related to record management and identification/verification of the recipient. For example, the Standards require that you retain a record of all communications with patients, and text messages are no exception. However, processes to save these records are less readily available. Similarly, the clinic needs to address the question of how it will identify itself to the patient and how it will verify the identity of individuals sending text messages to the clinic.6
As the Privacy Commissioner has indicated, safeguards need to be used to mitigate these risks. A starting point is to consider the sensitivity of the information in question and then implement safeguards that match the sensitivity of the information.6 Consider the following scenarios:
A physiotherapist emails a patient a reminder about their upcoming appointment including its date and time. The physiotherapist is not aware that the patient recently left their partner due to domestic abuse. The message is intercepted by the patient’s estranged spouse, who comes to the clinic on the date of the next appointment, confronts the patient, and puts the patient, other patients, and clinic staff in a precarious position.
Following an appointment, a physiotherapist emails a patient several education materials, including exercises and information about the patient’s condition. They include information about community mental health resources in the email as the patient was demonstrating some yellow flags on assessment. The email address that the patient provided is their work address. Their employer, who routinely monitors staff email, reads the message, makes inferences about the patient’s mental health and uses that inference to make employment and staffing decisions affecting the patient.
The physiotherapist emails a patient information about their assessment findings and diagnostic imaging results. The patient alters the message and shares the altered message with another health-care provider, affecting that provider’s decision-making and treatment plans.
Hopefully those scenarios drive home the point that even seemingly innocent email communications can have serious implications if intercepted or altered. So, what can a physiotherapist do to strike a balance between using technology to improve communication with or about their patient and protecting the patient’s privacy? The two main options for protecting information are to limit the amount of information shared or to encrypt the content of those messages.
Best practices when sending information via email or text include:
- Keep it professional.
  - Email, and especially text messaging, are notorious for having an informal communication style. Consider the expectations of professionalism and appropriate boundaries if emailing or texting patients.
- Obtain consent.
  - The basic requirements for consent also apply when it comes to consent for email communication. To be valid, the consent for email communication must be:
    - Voluntary
    - Informed
    - Given by someone who has the capacity to give it
    - Specific to both the sender and the information sent (for example, the consent should specify if the patient agrees to receive appointment reminders, education materials specific to their condition and sent by their physiotherapist, your clinic newsletter, or other).
  - Even with consent, the physiotherapist retains the responsibility to protect private information. As stated by the Privacy Commissioner, “It is a good practice to regularly re-confirm that patients want to be contacted via email, to verify their email address and to inform them of possible risk, but this does not transfer responsibility for securing your emails to the patient.”7 Nor can a patient direct you to ignore your legislation- or regulation-based responsibilities. “The patient asked me to” is not an acceptable reason to breach the Standards.
- Consider the sensitivity of the information.
  - Context matters – what kind of information are you sending, what type of treatment are you providing, what patient and therapist factors are relevant?
  - What is the potential for malicious misuse of the information? What are the possible negative outcomes (real and remote risks) if the email was misdirected and ended up in the wrong hands? What would the implications be if the patient’s worst enemy were to receive the information in error?
- Consider other methods of communication.
  - Is there another, more secure way to send the information? For example, some electronic medical records include secure patient portals that enable sharing of information between the physiotherapist and the patient.
- Encrypt sensitive information.
  - If you are sending private patient information, encrypt the email or document in question to prevent misdirected or intercepted information or documents from being read.
- Protect information accuracy.
  - As in the third scenario above, if diagnostic and treatment information is sent electronically there is the potential for that information to be altered and forwarded on, impacting the decisions of other parties (insurers, other health-care professionals).
  - Files created in word processing software are easily edited and should not be sent to others.
  - An option to address this risk is to save files as PDF files and protect them from editing by using the encryption and password protection tools available in the software used to create the PDF.
Password protection and encryption, what’s the difference?
As one author put it, passwords are like a key to a locked filing cabinet. Once you know (or guess) the key (password), you can open the cabinet and read any of the files inside. What’s more, passwords are notoriously easy to guess for a few reasons:
- People choose simple or obvious passwords that are easy to guess.
- People write down their passwords and keep that record near the device that it’s used for.
- Computer programs developed by professional hackers to break passwords are available for sale on the internet, providing many people with the means to get access.
With file encryption, if a hacker somehow manages to get access to the files, they’re faced with the equivalent of a folder full of shredded paper. Only the encryption key can put the shredded paper back together again.8 Encryption offers a second, strong, layer of protection.
Keep in mind:
- Tools are available to encrypt both email attachments and the emails themselves.
- If you encrypt a file, send the encryption key in a separate message.
- Text messaging apps that can end-to-end encrypt messages are readily available.
- Some EMRs also contain patient portals or messaging programs that enable physiotherapists to share information with patients securely, from within the EMR.
1. Physiotherapy Alberta – College + Association. Technology in Practice. Available at: https://www.physiotherapyalberta.ca/physiotherapists/news/technology_in_practice Accessed January 12, 2018.
2. Physiotherapy Alberta – College + Association. Standard of Practice – Communication. Edmonton: Physiotherapy Alberta, 2017. Available at: https://www.physiotherapyalberta.ca/physiotherapists/what_you_need_to_know_to_practice_in_alberta/standards_of_practice/communication Accessed January 12, 2018.
3. Physiotherapy Alberta – College + Association. Standard of Practice – Collaborative Practice. Edmonton: Physiotherapy Alberta, 2017. Available at: https://www.physiotherapyalberta.ca/physiotherapists/what_you_need_to_know_to_practice_in_alberta/standards_of_practice/collaborative_practice Accessed January 12, 2018.
4. Physiotherapy Alberta – College + Association. Technology in Practice: What are eHealth Competencies and Why Should I Care? Available at: https://www.physiotherapyalberta.ca/physiotherapists/news/technology_in_practice_what_are_ehealth_competencies_and_why_should_i_care? Accessed January 12, 2018.
5. Physiotherapy Alberta – College + Association. Standard of Practice – Privacy/Confidentiality. Edmonton: Physiotherapy Alberta, 2017. Available at: https://www.physiotherapyalberta.ca/physiotherapists/what_you_need_to_know_to_practice_in_alberta/standards_of_practice/privacy_confidentiality Accessed January 12, 2018.
6. Office of the Information and Privacy Commissioner of Alberta. HIA Practice Note 5-Communicating with Patients Via Email: Know the Risks. Available at: https://www.oipc.ab.ca/media/383685/practicenote_hia_communicating_with_patients_via_email_aug2012.pdf Accessed January 12, 2018.
7. Office of the Information and Privacy Commissioner of Alberta. Email Communication FAQs. Available at: https://www.oipc.ab.ca/media/604276/faq_email_communications_hia_aug2012.pdf Accessed January 12, 2018.
8. Garland, R. Encryption vs. Password Protection: A Matter of Acceptable Risk. Available at: https://www.linkedin.com/pulse/20140912130912-9768674-encryption-vs-password-protection-a-matter-of-acceptable-risk Accessed January 12, 2018.