Using email in general practice

General practices must ensure their communication of health information is safe and secure. The use of unencrypted and unsecured email can create risks to the privacy and security of personal and sensitive health information. Email can be used to communicate healthcare information, but it is important general practices understand the risks and take steps to mitigate them before using email.

All forms of written communication involve an element of risk that information could be read by someone other than the intended recipient. The risks of using unsecured or unencrypted email include:

• emails can easily be sent to the wrong recipient
• email is often accessed on portable devices, such as smart phones, tablets and laptops, which are easily lost or stolen
• emails can be forwarded or changed without the knowledge or consent of the original sender
• email is vulnerable to interception.

Because of the risks of email and fax communication, the RACGP has long been a strong advocate for the use of secure electronic communications as the most efficient and appropriate method of communication across the healthcare sector.

Health information is considered one of the most sensitive types of personal information. The Privacy Act 1988 (Privacy Act) provides extra protections around the collection, use or disclosure of health information.

Whilst the Privacy Act does not prescribe how healthcare organisations should communicate health information, reasonable steps must be taken to protect the information transmitted and the privacy of the patient. What is considered reasonable steps will depend on the nature of the information and the potential for harm caused by unauthorised access. Failure to take reasonable steps to protect health information may constitute a breach of the Australian Privacy Principles (APPs).

Practices should consider the level of risk associated with how they use email to assist in determining the level of security needed in order to use email for communicating health information. The section ‘Practice policies and processes risk assessment’ below outlines different practice processes relating to email use and the level of risk they present. It is intended for use as a general guide to highlight issues for GPs and general practices for further consideration when using email.

High Risk

• Email communications are undertaken without the use of passwords or encryption.
• No formal policy or supporting resources are in place.
• No processes are in place to ensure email addresses are correct and are not sent to a generic inbox.
• No written consent from patient is obtained or recorded.

Medium Risk

• No written consent from patient is obtained or recorded.
• Email communications undertaken without the use of passwords or encryption.
• No processes in place to ensure email addresses are correct and are not sent to a generic inbox.

Low Risk

• Documented policies and resources exist.
• Consent from patient is obtained and recorded.
• Email address is verified by the practice before sending an email.
• Emails are sent with password protection OR email communications are sent using encryption software or via a secure website.

No Risk

• No email communication is used, or intended to be used.

• RACGP - Information security in general practice
• RACGP – Privacy and managing health information in general practice
• RACGP – Position statement: Safe and effective electronic transfer of information to and from general practice
• OAIC – Guide to health privacy
• OAIC – The Privacy Act: Health and Medical Research
• The Australian Digital Health Agency – Secure messaging