Widespread across the industry, there appears to be a lack of appreciation of the risks associated with standard unencrypted emails in the healthcare environment. Nonetheless, there is an increasing number of physiotherapists utilising secure messaging for provider-to-provider communications and reporting concerns about replying to ‘non-encrypted emails’, which could lead to breach of national privacy laws.

Traditional versus secure emailing

Traditional email is accessible from personal computers, smartphones and tablets, and are commonly free. However, a major disadvantage is that it was not designed with privacy and security in mind.

There are a number of key risks associated with unencrypted emails:

• can be accessed while it is stored on the computer (client’s


• or physiotherapist’s)


• can be inadvertently and easily forwarded to third parties


• administrative or technical staff may have access to the same account


• for the patient, friends, family members and colleagues may have access to the same account


• web-based free email accounts such as Gmail or Hotmail are prone to be mined for data and targeted advertising, often unethically.

The best way to protect electronic communications is to encrypt them through the use of secure messaging solutions, which encrypt, send, receive, track, and manage confidential information securely and efficiently.

Key takeaways:

• Use secure messaging or encryption where practically possible.


• It is important to inform patients who request information via unencrypted emails and SMS regarding the risks associated with this method. If the patient confirms this method, note that you have sought patient consent formally in the clinical record. This is known as an ‘opt-in’ agreement.


• If the patient is happy with unencrypted email, implement basic measures to manage potential risks, such as password protecting the file and ensuring the correct email address is used (ie, advise the patient to email the practice email address first).


• Develop clear practice policies that outline processes associated with the specific use of secure messaging, encrypted and unencrypted email to avoid data breaches depending on the context of your practice. This could consider what means of communication is appropriate depending on factors such as urgency, sensitivity and risk on a case-by-case scenario.


• It is important to develop a process for ensuring incoming emails are passed on to the appropriate person, actioned and documented in the patient’s clinical record.


• Save all email communications with health providers and patients in the clinical record.


• If you publish an email address on your clinic’s website, ensure you communicate clearly its purpose, how it is monitored and managed, and what to do in case of an emergency.


• Incorporate email privacy disclaimers for unintended recipients at the end of email signatures.


• It is appropriate to request patients to make a physical appointment with you rather than having clinical discussions via email if you feel it may compromise the safety and quality of your healthcare service.


• Educate patients regarding privacy and security by publishing website content, waiting room posters and brochures, and in general conversations with your staff.


• Offer patients alternative forms of communications and make this explicit to the patient.

Email barry.nguyen@australian.physio with any comments or queries regarding this article.

DISCLAIMER: This material is intended for general information purposes only and does not constitute legal advice or meet the specific needs of your clinical context.