Today Blawgletter welcomes back the estimable Ron Woessner as Guest Blawger. Joining him is aspiring SMU law grad Chris Knowles.
Their post calls on the American Bar Association to tighten the ethical test for security of electronic communications involving confidential matters. As you'll see, the ABA's standard contrasts with the stricter one that applies to our friends who practice healing arts instead of law.
The opinions they express, of course, are their own. Let's see what they have to say.
Trust Me — I'm a Doctor (Not a Lawyer)
Ethical Standards for Confidential Communications
Doctors are more ethical than attorneys. Just ask the American Medical Association. When it comes to the professional standard of care for communicating confidential information, the professional guidelines are clear: doctors are required to protect their patients' personal, confidential information when using electronic mail, while lawyers get a pass on client privacy.
The ABA position regarding unencrypted email is well established. An attorney may communicate confidential client information via unencrypted email without violating the ABA's Model Rules of Professional Conduct. This same conduct by a medical doctor would run afoul of the AMA guidance for physicians regarding electronic transmission of patient information. When the AMA considered the ethical responsibility owed to patients in email communication, it determined that the potential privacy implications demanded the use of encryption technology in the transmission of messages containing a patient's personal information.
According to risk guidelines adopted by the AMA, email communications should be conducted over a secured network, with provisions for privacy and security — including encryption — in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). "As online communications between physician offices and patients continue to rise, it is imperative that physicians protect privacy and medical record confidentiality as well as reduce their own liability," said Donald J. Palmisano, MD, an AMA Trustee and member of the AMA Online Oversight Panel. Dr. Palmisano added that he "encourage[s] physicians to select a secure messaging solution, rather than use un-secure email."
Additionally, the AMA has noted that unencrypted email services do not meet the security guidelines established by federal law in HIPAA. The HIPAA Security Standards require physicians to protect the security of patients' electronic medical information through procedures and mechanisms that protect the confidentiality, integrity, and availability of that information. Therefore, physicians, other healthcare providers, and their business associates must implement administrative, physical, and technical safeguards for the electronic health information they collect, maintain, use, and transmit. In short, doctors must use email encryption to protect patient privacy.
The AMA mandates encryption because it has determined that email is not a secure method for sending sensitive data. The conclusion that physicians should steer clear of unencrypted email communication with patients has been endorsed by the majority of the nation's leading medical societies, including the American Academy of Ophthalmology, the American Academy of Pediatrics, the American College of Obstetricians and Gynecologists, the American Psychiatric Association, and the American Society of Plastic Surgeons — groups comprising over 70 percent of the nation's insured physicians. However, it's not just doctors who understand the duty to protect a client's privacy.
State governments and privacy-attuned companies require encryption for email containing personal, confidential customer information. In addition to the scores of banks and healthcare companies that use email encryption to transmit personal, confidential data, the governments of Massachusetts and Nevada either already demand, or soon will demand, encryption of personal information sent via email. And consider the recent press announcement by Walgreens/Kentucky Health Systems (KHS) concerning the unencrypted transmission of roughly 28,000 state retirees' names, dates of birth, and Social Security numbers by Walgreens to its customer, Kentucky Retirement Systems (KRS). Under KRS rules, the failure of Walgreens/KHS to comply with KRS's encryption mandate required them to disclose the security breach to the public.
In contrast to the privacy-conscious position of the AMA, state governments, and privacy-responsible companies, the ABA permits the use of unencrypted email communication between attorneys and clients because it believes unencrypted email affords a "reasonable expectation of privacy." The courts do not always agree — as one client recently discovered when using unencrypted email at work to communicate with his attorney. See Scott v. Beth Israel Medical Center, Inc., 847 N.Y.S.2d 436 (N.Y. Sup. Ct. Oct. 17, 2007). The case did not end well for the client. See Scott v. Beth Israel Medical Center, Inc., 850 N.Y.S.2d 81 (N.Y. App. Div. 2008) (ordering judgment against client).
Clients deserve better. The AMA requires email encryption for private health information. Why does the ABA accept a lower standard for attorney-client communications? It is time for the ABA to raise the ethical bar and require the use of encrypted email for attorney-client communications.
Senior Vice President, General Counsel, and Secretary