How to Handle E-mails from Patients
Tuesday, January 12, 2016
I recently received a lengthy e-mail from a very worried woman.
She claimed to be an established patient in my office - though,
because she had not signed her message, I had no way of confirming
this. She asked many questions about sexually transmitted diseases,
and how they might affect her and a new boyfriend.
I was undecided on how to reply - or even whether to reply at all
- so I queried several dermatology colleagues around the country,
as well as a few physician friends and acquaintances in other
Responses varied from "I never answer patient e-mails", to "she's
better off getting correct answers from you than incorrect answers
online" - and everything in between.
Clearly this is a controversial issue, and it will only get more
controversial in the future; so I decided to look at what has been
published on the subject.
In 1998, Eysenbach and Diepgen1 questioned this subject
and designed a study to address it. Posing as a patient, they sent
e-mails to random dermatologists describing an acute
dermatologicalproblem, tallied the responses they received, and
followed up with a questionnaire.
As with my informal survey, the authors found what they termed "a
striking lack of consensus" in their responses: 50% of the
physicians queried responded to the fictitiouspatient's e-mail; of
those, 31% refused to give advicewithout seeing the patient and 59%
offered a diagnosis, with a third of the latter group
providingspecific advice about therapy (Figure 1). In response to
the questionnaire, which was sent to responders and non-responders
alike,28% said that they tended not to answerany patient e-mails,
24% said they usually replied with a standardmessage, and 24% said
they answer each request individually. The authors concluded that
"standards for physician responseto unsolicited patient e-mail are
Figure 1. Physician responses to fictitious
patient e-mails, as demonstrated by Eysenbach and Diepgen
My own decidedly non-scientific survey suggests that, almost two
decades later, there is still nothing resembling a consensus on
this issue. While several groups, including the American Medical
Informatics Association (AMIA)2 and the American Medical
Association (AMA)3 have proposed guidelines, none seem
to have been generally accepted. Until that happens, it would be
wise for each individual practitioner to take time to adopt their
own guidelines. For ideas, take a look at the AMIA and AMA
proposals, plus any others you can find. When you are done,
consider running your guidelines past your attorney to make sure
you have not forgotten anything, and that there are no particular
requirements in your state.
Your guidelines may be very simple (if you decide never to answer
any queries) or very complex, depending on your situation and
personal philosophy. However, all guidelines should cover issues
such as authentication of correspondents' identities, informed
consent, licensing jurisdiction (if you receive e-mails from states
in which you are not licensed), and above all, confidentiality.
Contrary to popular belief, the Health Insurance Portability and
Accountability Act (HIPAA) does not prohibit such communication,
nor require that it be encrypted. The HIPAA website (see
specifically says "patients may initiate communications with a
provider using e-mail. If this situation occurs, the healthcare
provider can assume (unless the patient has explicitly stated
otherwise) that e-mail communications are acceptable to the
Still, if the lack of encryption and other privacy safeguards
makes you uncomfortable, encryption software can be added to your
practice's e-mail system. Enli (http://www.enli.net), Sigaba (www.sigaba.com), Tumbleweed (www.axway.com), Zix (www.zixcorp.com), and many other
vendors sell encryption packages. (I have no financial interest in
any product or enterprise mentioned.)
But rather than simply encrypting your e-mail, consider adopting
web-based messaging, where patients enter your website and send a
message using an electronic template that you design. You (or a
designated staffer) will be notified by regular e-mail when
messages are received, and you can post a reply on a page that can
only be accessed by the patient. Besides enhancing privacy and
security, you can state your guidelines clearly to preclude any
misunderstanding of what you will and will not address online.
Web-based messaging services can be freestanding or incorporated
into existing secure web sites. Medfusion (www.medfusion.net),
RelayHealth (www.relayhealth.com), and
other companies offer secure messaging services.
As for the e-mail query which triggered all this; I responded, but
I told the patient I could not provide specific answers to such
personal questions over the Internet, particularly when they were
asked anonymously; but I would be happy to address her concerns in
person, in my office.
Meanwhile, I'm working on my own guidelines.
- Eysenbach G and Diepgen TL. Responses to Unsolicited
Patient E-mail Requests for Medical Advice on the World Wide Web.
- Kane B and Sands DZ. Guidelines for the Clinical Use of
Electronic Mail with Patients. J Am Med Inform Assoc
- American Medical Association. Guidelines for Patient-Physician
Electronic Mail. Available at:
Accessed 12 January 2016.