Six ways to ensure your practice website is safe
Dr Richenda Tisdale on the key medico-legal risks to consider with your surgery’s online resources.
The benefits of a well-run practice website are many. Many GPs report that that allowing patients to book appointments online can reduce the DNA rate and being able to request repeat scripts online frees up the telephone lines for other functions.
A practice website can also help you demonstrate compliance with the essential standards specified by the Care Quality Commission, which practices will need to register with by April 2013 (for example, in providing information to patients about your services and how to complain, outcome 1). In addition, with the recent publication of the NHS information strategy*, many practices may be reviewing their websites, with a view to providing more information to patients and colleagues. This may include access to records and online appointment booking and repeat prescription requests. On the other hand, a well-run practice website can take up a lot of administration time and needs updating regularly.
There are numerous medico-legal issues to consider when setting up or adding new services to your practice website, and such services should always be considered very carefully.
1. Secure data
Patients need to be informed that electronic transmission of data is not totally secure or foolproof and be told how their data will be used. This could be done through a notice on the website as well as in a patient leaflet or notice in the waiting room. In the case of systems such as those for reminding patients of appointments, practices may consider asking patients individually if they wish to make use of the service. If a patient decides not to take advantage of an electronic method of communication, this wish must be respected.
The GMC expects doctors to protect the confidentiality of patient information. Should an unauthorised disclosure occur you will need to be able to justify the steps that you have taken to prevent breaches in patient confidentiality. The GMC states in its guidance Confidentiality: Protecting and Providing Information (2009), paragraph 13: 'You must make sure that any personal information about patients that you hold or control is effectively protected at all times against improper disclosure.'
GPs are also advised to 'make use of professional expertise when selecting and developing systems to record, access and send electronic data' and to ensure staff are trained and understand their responsibilities to ensure data is kept secure.
2. Manage email consultations
Some practices allow patients to consult with a GP by email via their website. Before embarking on email consultations with patients, you will need to make sure the patient is happy to use the medium. The patient will need to be informed that, while you have taken all reasonable steps to ensure that the exchange is private and confidential, no email exchange can ever be 100% secure.
Because email consultations allow no opportunity for a physical examination, it is important to make patients aware of this in advance and to explain that there will be circumstances in which it may still be clinically necessary for them to attend the surgery in person. For example, if a patient consulted you in the surgery complaining of a sore throat, you would routinely carry out a physical examination – something which is not possible during an email consultation.
In Good Medical Practice (2006), the GMC advises that good clinical care must include an assessment of the patient's condition, based on the history, symptoms and if necessary, an examination (paragraph 2). There is also a contractual obligation to offer patients a physical examination where this is appropriate [Terms of Service, paragraph 12 2 (b)]. It is also important to keep a note of the email exchange in the patient's medical record.
Email consultations are limited by the nature of the communication involved. They may not be suitable for some consultations where sensitive discussions are required or positive test results need to be communicated. You may need to consider whether another type of consultation would be more appropriate and be prepared to justify the advice given.
3. Improve your online prescribing services
It goes without saying that where a practice offers a facility on their website for patients to request repeat prescriptions online, they should have secure systems in place. It would be advisable, for example, for patients to enter a code or password to identify themselves.
GPs offering a prescribing service for their patients via the website should be aware of, and follow, the GMC's guidance in Good Practice in Prescribing Medicines (2008), particularly paragraphs 39-43, which specifically address remote prescribing via telephone, email, fax, video link or a website. The GMC advises that doctors prescribing in this way will usually have responsibility for care of that patient; or be deputising for a doctor who has that responsibility; or have prior knowledge and understanding of the patient's condition/s and medical history and have authority to access the patient's records.
For e-prescribing GPs must have an appropriate dialogue with patients which should allow them to:
· establish the patients' current medical condition and history and concurrent or recent use of any other medications including non-prescription ones
· carry out an adequate assessment of the patient's condition
· identify the likely cause and ensure there is sufficient justification to supply the medicines or treatment proposed
· check that the treatments are not contra-indicated for the patient
· where appropriate, discuss treatment options with the patient
· make a record of all the medicines prescribed. (Para 40)
The GMC says that if doctors cannot satisfy all these conditions, they should not use remote prescribing.
4. Be careful what advice you offer
If you offer general medical information on your practice website to your patients, which may also be read by non-patients, you should include a statement making it clear that the medical information you are providing is intended solely for patients of the practice and that it is general information only and should not be used as a substitute for the personal advice patients receive when consulting their own GP face-to-face. One solution may be to simply provide an electronic link to another website such as NHS Direct (nhsdirect.nhs.uk/).
5. Seek consent for patient photographs
If you are planning to use images of patients on your practice website, you will need to ensure that you have their consent, even if the patient is not identifiable, and that you do not breach their confidentiality. GPs should not use the photograph for purposes outside the scope of the original consent without obtaining further consent. You should follow the GMC's guidance on the subject contained in Making and Using Visual and Audio Recordings of Patients' (2011).
6. Don't forget the small stuff
There are other considerations practices need to bear in mind when developing or reviewing their websites. You should consider seeking advice from a legal or web specialist on the best way to advertise your practice, how to avoid libel and copyright infringement, checking the website complies with the Disability Discrimnation Act and what the latest legislation is on using cookies on your practice website.
Dr Richenda Tisdale is a medico-legal adviser for the Medical Defence Union (MDU).