What the BMA says
"Doctors obviously have a duty to protect the confidentiality of their patients and thus all emails should be conducted via secure connections and any patient identifiable data must only be sent using encrypted messages."
Patient confidentiality in emails falls under the remit of the Data Protection Act, which requires that all reasonable precautions be taken to protect the confidentiality of patient-identifiable data.
Sending such data by email without encryption is not regarded as a reasonable precaution, so encryption is taken to be required, hence the BMA statement.
What is the Risk?
Breaching the Data Protection Act can lead to a fine, but that is only the beginning of the story. A breach of the Act also leaves you open to being sued by the patient involved. And which practice does not have on its list a politician, footballer or TV presenter who would claim to have been badly damaged by the release of sensitive medical data?
Will my insurance cover me?
And if you think that your insurance will cover you, look at the fine print. The insurance cover usually requires that you "take all reasonable steps to comply with statutory requirements obligations and regulations imposed by any authority".
So if there is a breach of confidentiality and you have sent the data unencrypted, in breach of the Data Protection Act, or are not Caldicott compliant, you probably won't be covered.

