Managing Your Practice

Do you answer patient e-mails?



Recently I received a lengthy e-mail from a very worried woman. She claimed to be an established patient in my office, which I had no way of confirming because she did not sign her message. She asked many questions about sexually transmitted diseases and how they might affect her and a new boyfriend.

I was undecided on how to reply – or even whether to reply at all – so I queried several dozen dermatology colleagues around the country, as well as a few physician friends and acquaintances in other specialties.

Responses varied all over the map – from “I never answer patient e-mails,” to “What harm could it do, she’s better off getting correct answers from you than incorrect answers from some ‘advocacy’ web site” – and everything in between.

Clearly, this is a controversial issue which will only get more controversial in the future, so I decided to look at what has been published on the subject.

It turns out that as early as 1998, a group of investigators asked this same question and designed a study to address it. (Eysenbach and Diepgen: “Responses to unsolicited patient e-mail requests for medical advice on the World Wide Web. JAMA. 1998;280[15]:1333-5). Posing as a fictitious patient, they sent e-mails to random dermatologists describing an acute dermatological problem, tallied the responses they received, and followed up with a questionnaire to responders and nonresponders alike.

As with my informal survey, the authors found what they termed “a striking lack of consensus” on how to deal with this situation: Fifty percent responded to the fictitious patient’s e-mail. Of those, 31% refused to give advice without seeing the patient, but 59% offered a diagnosis, and a third of that group went on to provide specific advice about therapy. In response to the questionnaire, 28% said that they tended not to answer any patient e-mails, 24% said they usually replied with a standard message, and 24% said they answer each request individually. The authors concluded that “standards for physician response to unsolicited patient e-mail are needed.”

Indeed; but my own survey suggests that, 17 years later, there is still nothing resembling a consensus on this issue. In the interim, several groups, including the American Medical Informatics Association, Medem, and the AMA have proposed guidelines; but none have been generally accepted.

Until such time as that happens, it seems advisable for each individual practice to take the time to adopt its own guidelines. For ideas, take a look at the examples I’ve listed, plus any others you can find. When you’re done, consider running your list past your lawyer to make sure you haven’t forgotten anything, and that there are no peculiar requirements in your state.

Your guidelines may be very simple (if you decide never to answer any queries) or very complex, depending on your situation and personal philosophy. But all guidelines should cover such issues of authentication of patient correspondents, informed consent of those patients, licensing jurisdiction (if you receive e-mails from states in which you are not licensed), and above all, confidentiality.

Contrary to popular belief, the Health Insurance Portability and Accountability Act (HIPAA) does not prohibit such communication, nor require that it be encrypted. The HIPAA website says, “Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.”

Still, if the lack of encryption and other privacy safeguards makes you (or your patients) uncomfortable, encryption software can be added to your practice’s e-mail system. Enli (, Sigaba (, Tumbleweed (, Zix (, and many other vendors sell encryption packages. (As always, I have no financial interest in any product or enterprise mentioned in this column.)

But rather than simply encrypting your e-mail, consider adopting web-based messaging. Patients enter your web site and send a message using an electronic template that you design. You (or a designated staffer) will be notified by regular e-mail when messages are received, and you can post a reply on a page that can be accessed only by the patient. Besides enhancing privacy and security, you can state your guidelines in plain English to preclude any misunderstanding of what you will and will not address online.

Web-based messaging services can be freestanding or incorporated into existing secure websites. Medfusion (, and RelayHealth ( are among the leading vendors of secure messaging services.

As for the e-mail query which triggered all this: I responded, but I told the patient I could not provide specific answers to such personal questions over the Internet, particularly when they were asked anonymously; but I would be happy to address her concerns in person, in my office.


Next Article: