
Online Without a Net: Physician-Patient Communication by Electronic Mail

Published online by Cambridge University Press:  24 February 2021

Alissa R. Spielberg*
Affiliation:
Harvard Medical School; Columbia University; Boston College Law School; Harvard School of Public Health

Extract

Patients continue to find new ways of reaching their physicians. In the past, patients and their health care providers developed relationships through the course of everyday affairs and across a wide variety of social exchanges. Although other methods of communicating were introduced into the medical context, telephones, pagers and voicemail all retained some connection to individual voices. Moreover, medical practitioners and patients alike never anticipated that these technologies would substitute for genuine personal interactions. Nor did they anticipate that another new technology, electronic mail (e-mail), would shift communications back in time to the days when letter writing formed the basis for diagnosing and relating. E-mail in medical practice has already begun to reconfigure the patient-physician relationship in the electronic age.

Type
Articles
Copyright
Copyright © American Society of Law, Medicine and Ethics and Boston University 1999


References

1 See generally Alissa R. Spielberg, On Call and Online: Sociohistorical, Legal, and Ethical Implications of E-Mail for the Patient-Physician Relationship, 280 JAMA 1353 (1998) (discussing the present and future impact of electronic mail (e-mail) on the traditional patient-physician relationship).

2 See Esther B. Fein, For Many Physicians, E-Mail Is the High-Tech House Call, N.Y. Times, Nov. 20, 1997, at A1.

3 Stanley Joel Reiser, Medicine and the Reign of Technology 196 (1978).

4 See id.

5 See id.

6 See id.

7 See id. at 198.

8 See Spielberg, supra note 1, at 1354.

9 See id.

10 See id.

11 See Claude S. Fischer, America Calling: A Social History of the Telephone to 1940 176 (1992).

12 See Paul Starr, Smart Technology, Stunted Policy: Developing Health Information Networks, Health Aff., May-June 1997, at 91, 92.

13 See id. at 94. One of the pioneers was the Harvard Community Health Plan. See id.

14 See id.

15 See id.

16 Id.

17 See id.

18 See id.

19 See Lee Green, A Better Way to Keep in Touch with Patients, Med. Econ., Oct. 28, 1996, at 153, available in 1996 WL 9421679 (noting that some patients now ask doctors for prescription refills via e-mail).

20 See Starr, supra note 12, at 94.

21 See id.

22 See id. at 95.

23 See Green, supra note 19, at 153.

24 See Bartley L. Barefoot, Enacting a Health Information Confidentiality Law: Can Congress Beat the Deadline?, 77 N.C. L. Rev. 283, 286-87 (1998).

25 See Kathleen Doheny, Digital Docs: More Patients and Physicians Are Using E-mail to Discuss Routine Medical Matters, L.A. Times, Nov. 23, 1998, at S1; see also Richard Saltus, Take Two Aspirin and E-Mail Me in the Morning, Boston Globe Mag., Jan. 18, 1998, at 11 (noting that the present concerns over the use of “e-mail medicine” are slowly eroding); Christine Gorman, E-Mail Your Doctor: Frustrated By Phone Tag? Join the Growing Ranks of Doctors and Patients Talking Through the Net, Time, Aug. 17, 1998, at 82 (commenting on e-mail's ability to increase communication between physicians and patients).

26 See generally Tom Ferguson, Digital Doctoring—Opportunities and Challenges in Electronic Patient-Physician Communication, 280 JAMA 1361 (1998) (noting that many patients who use online services express interest in communicating with their physicians by e-mail); Jamie Talan, On the Net, Be Wary of What Dr. Orders, Newsday, Oct. 21, 1998, at A9, available in LEXIS, NY Library, NEWSDY File (suggesting that patients may enjoy direct communication with the physicians via e-mail).

27 See Ferguson, supra note 26, at 1361.

28 See David J. Brailer & Tiffany S. Hackett, Points [& Clicks] on Quality, Hosp. & Health Networks, Nov. 20, 1997, at 32, 32.

29 See, e.g., Stephen M. Borowitz & Jeremy C. Wyatt, The Origin, Content, and Workload of E-mail Consultations, 280 JAMA 1321 (1998); Christine Gorman, Ask a Cyberdoc: Need a Fast Answer to a Medical Question? AOL Now Lets you Talk to Physicians For Free, Time, Nov. 16, 1998, at 128.

30 See, e.g., Jan Greene, Sign On and Say 'Ah-h-h-h-h', Hosp. & Health Networks, Apr. 20, 1997, at 45, 45; Gary Baldwin, Web Doc—Pushing the Electronic Envelope: Physicians and Patients Connect Over the Internet, Am. Med. News, July 27, 1998, at 19 [hereinafter Web Doc]; Aaron Zitner, Cybermedicine Seen As Unhealthy By Some, Boston Globe, Aug. 6, 1998, at C1; Gary Baldwin, Web Rx—When It Comes to Prescribing Via the Internet, There's a Cyberclash Brewing, Am. Med. News, Aug. 3, 1998, at 22.

31 See, e.g., Web Doc, supra note 30, at 26; Marie C. Sanchez, Top Doctors Can Be There in a Heartbeat, Boston Globe, July 30, 1998, at B1.

32 See Whitfield Diffie & Susan Landau, Privacy on the Line: the Politics of Wiretapping and Encryption 12 (1998).

33 See id.

34 See id.

35 See id. at 227.

36 See Suruchi Mohan, E-mail Security Ignored, Computerworld, Sept. 25, 1995, at 53, 67 (comparing use of unencrypted e-mail to “sending an important message on a postcard”).

37 See Barry R. Furrow et al., Health Law §§ 4-29, at 139-40 (1995).

38 See id.

39 See id. § 4-30, at 141.

40 See Mass. Gen. Laws. Ann. ch. 231, § 60B (West 1998); see also Ariz. Rev. Stat. Ann. § 12-2291(4) (West 1998) (stating that medical records consist of “all communications that are recorded in any form or medium and that are maintained for purpose of patient treatment.…”); Ga. Code Ann. § 24-10-70(2) (1998) (defining a “medical record” as “all written clinical information which relates to treatment of individuals when such information is kept in an institution”); Haw. Rev. Stat. § 622-51 (Michie 1998) (broadly defining medical records as simply the patient records “kept by a medical facility”).

41 See, e.g., 215 Ill. Comp. Stat. Ann. 5/1003(R) (West 1998) (defining medical record information as “personal information which … relates to an individual's physical or mental condition, medical history or medical treatment”). An American Bar Association monograph notes that medical “records” or “documents” may be defined quite broadly in discovery requests. See Karen S. Guarino, Developing a Comprehensive Records Management and Retention Policy, in Health Care Facility Records: Confidentiality, Computerization and Society 1, 3 (Forum on Health Law of the American Bar Ass'n ed., 1995). For example,

“Document” means any typed, printed, handwritten, recorded, or graphic matter, and all non-identical copies of each such matter… including, but not limited to … agreements, analyses, briefs, calendars, charts, computer records, contracts, correspondence, diaries, letters, logs, memoranda, messages, minutes of meetings, … reports, studies, tapes, telecopies, telegrams, telephone messages, records, videotapes, and writings of any kind of description, including drafts, regardless of origin, whether sent or received … in whatever form….

Id. at 9 n.2.

42 See Furrow et al., supra note 37, § 4-30, at 141.

43 See Failure to Document Telephone Calls Can Lead to Serious Injuries and Malpractice Claims, 39 Ala. Med. 14, 14 (1997).

44 Joint Commission on Accreditation of Healthcare Organizations, Comprehensive Accreditation Manual for Hospitals Standards IM.7.2 (1998) [hereinafter JCAHO MANUAL].

45 See Cal. Health & Safety Code § 1457(a) (West 1998); N.Y. Pub. Health Law § 3370 (McKinney 1998).

46 See Guarino, supra note 41, at 7 (surveying state, federal and Joint Commission on Accreditation of Healthcare Organization's (JCAHO) requirements). JCAHO certification for health care institutions, for example, requires retention of accurate and up-to-date medical records. See JCAHO MANUAL, supra note 44, Standards IM.7.2. In addition to the JCAHO requirements, Medicare also requires that providers maintain records for reimbursement purposes. See Guarino, supra note 41, at 5-7 (citing Health Care Financing Administration, Pub. 15-1, Provider Reimbursement Manual Part I §§ 2304-2304.01 (1999)). Moreover, hospitals must retain records for at least five years as a condition of participation in the Medicare program. See id. at 6 (citing 42 C.F.R. § 482.24(b)(1) (1999); Health Care Financing Administration, Pub. 10, Provider Reimbursement Manual Part I § 413(C) (1999)).

47 See Furrow et al., supra note 37, § 4-30, at 140 (citing Thomas v. United States, 660 F. Supp. 216 (D.D.C. 1987)).

48 See Terri Finkbine Arnold, Let Technology Counteract Technology: Protecting the Medical Record in the Computer Age, 15 Hastings Comm. & Ent. L.J. 455, 470 (1993).

49 See id.

50 See id.

51 See id. However, “information protected by the doctor-patient relationship does not lose its confidentiality by incorporating it into the computer record.” Id. at n.81 (citing Rudnick v. Superior Ct. of Kern County, 523 P.2d 643 (Cal. 1974)).

52 Paper chart refers to the collection of medical information that is retained by a practitioner or hospital in a physical file rather than stored electronically. See Veling W. Tsai, Cheaper and Better: The Congressional Administrative Simplification Mandate Facilitates the Transition to Electronic Medical Records, 19 J. Legal Med. 549, 558-59 (1998); see also National Research Council, For the Record: Protecting Electronic Health Information 26 (1997) (comparing paper and electronic records).

53 See Kathryn Montgomery Hunter, Doctors' Stories: the Narrative Structure of Medical Knowledge 162 (1991) (stating that case history is not the patient's story). It is important to note that even when the patient's “own words” do appear in chart notes, they are only those words that the practitioner, who is making the notes, chooses to include. Patients do not routinely have an opportunity to have their personal accounts directly entered into the charts without the intervention of an intermediary such as a health care practitioner.

54 See id. at 162, 166.

55 As Kathryn Montgomery Hunter notes:

Case narrative is tolerated grudgingly in medicine because it enables clinicians to describe the nonlinear, subjective, and uncertain aspects of their experimental field. But, as the profession's prohibition against anecdotes recognizes, narrative that bursts the generic constraints of the strict case history, especially narrative of any length and fullness or speculative force, inevitably pulls against medicine's commitment to the objective, scientific study of human illness. The medical case history is, after all, a history: a narrative that attempts both to control the subjectivity of the observer-narrator and to stabilize and evaluate the encapsulated narrative of the patient who is its object.

Id. at 166.

56 See id. at 5-6. Hunter argues that “physicians are like literary critics, who … arrive at the text [here, the patient] laden with theory, assumptions, hypotheses.” Id. at 8.

57 See id. at 84-85. These “other” medical personnel include medical students, nurses, therapists and social workers. See id.; see also Barefoot, supra note 24, at 285 (stating that medical records often include impressions of nurses as well as other caregivers).

58 For example, “[t]he contents of the patient record are not limited … to objective test data or information provided by the patient. Medical records also frequently contain impressions of doctors and nurses, including assessments of a patient's character, personality, and mental state.” Barefoot, supra note 24, at 285.

59 Mark Berg, Practices of Reading and Writing: The Constitutive Role of the Patient Record in Medical Work, 18 Sociology of Health & Illness 499, 501 (1996).

60 See Hunter, supra note 53, at 128. Hunter contends that:

[a]s a part of the care provided by a physician, a respectful, impersonal attention is important to the therapeutic relationship. It can imply a recognition that the sufferer is more or other than patienthood presents to view. The person who is ill seeks help, in part, for the sake of the physician's discriminating but nonjudgmental interpretation.

Id. at 133.

61 See Maurice Willis et al., Documenting the Clinical Encounter, in Telemedicine: Practicing in the Information Age 175, 176 (Steven F. Viegas & Kim Dunn eds. 1998) (noting that “healthcare workers documenting a clinical encounter use the same phrases from day to day and follow a general standard”).

62 See id. The form of progress notes is strictly defined. The “SOAP” format is the practice standard: subjective—usually a quotation, selected by the health care worker, from the patient; objective—the physical exam; assessment—where the physician diagnoses and assesses the patient's symptoms; and plan—what treatment options the physician should follow. See id.

63 See generally Lawrence O. Gostin, Health Information Privacy, 80 Cornell L. Rev. 451 (1995) (stating that a comprehensive health information system is technologically feasible and would be socially beneficial).

64 See Willis et al., supra note 61, at 176-77.

65 See Beverly Kane & Daniel Z. Sands, Guidelines for the Clinical Use of Electronic Mail with Patients, 5 J. Am. Med. Informatics Ass'n 104, 105 (1998).

66 Clearly, additional documentation of any diagnostic, prescriptive or consultative interaction between a practitioner and a patient may be relevant in future treatment decisions.

67 See Spielberg, supra note 1, at 1357; Kane & Sands, supra note 65, at 106.

68 See Spielberg, supra note 1, at 1357.

69 See id. Moreover, despite the often cavalier attitude toward e-mail communication, medical e-mail represents a lasting record of physician judgment and patient response and reporting of symptoms. Accordingly, e-mails sent in a medical relationship, or generally in the course of medical treatment, should be drafted with care, composed as a formal written document on a professional letterhead. Furthermore, as a precaution, the patient's preferred method of communication should be noted in the medical record, along with relevant telephone numbers and e-mail addresses that the patient has specifically endorsed for use by health care practitioners for medical purposes.

70 For example, a patient may be uncomfortable conducting candid e-mail conversations with her gynecologist if she knew that her ophthalmologist would be able to access those e-mails.

71 Policymakers and legislators have proposed this kind of suggestion to protect medical information from being viewed by insurers. For example, one congressional bill that failed to pass in the 105th Congress would require medical record-holders “to segregate and maintain identifiable information designated by the patient, other than billing data, outside of any computerized networked system.” Barefoot, supra note 24, at 352 (citing S. 1368, 105th Cong. § 202(f) (1997)).

72 See, e.g., Mass. Gen. Laws Ann. ch. 175, § 47B(c) (West 1998). Section 47B(c) prevents payers of health care services from obtaining details about a patient's psychiatric condition prior to allowing mental health benefits (at least up to a statutory ceiling of $500, after which the payer may request further information before approving future treatment). See id. Because several Massachusetts health plans routinely stored comprehensive psychiatric notes (including updates on individual therapy sessions) in an electronic record, enabling any health plan employee to view their contents, the Massachusetts legislature enacted this psychiatric record “privacy” provision. See Deborah Pergament, Note, Internet Psychotherapy: Current Status and Future Regulation, 8 Health Matrix 233, 277 (1998). With psychiatric records maintained in a separate electronic file, only specifically recognized personnel would be able to examine these intimate records.

73 Cf. Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1249-50 (1998) (discussing the concept of a “functionally necessary use” of personal information by which access is granted on a “need-only basis to complete the transaction in which the information was originally collected”).

74 See id.; see also Spielberg, supra note 1, at 1357 (advising physicians to guard against unauthorized use of patient e-mails and to secure the patients' consent before forwarding e-mail messages to their colleagues).

75 This is similar to how a patient's words are treated in an office visit (or over the telephone) in which the patient's words are summarized by the health care provider. The actual e-mail would still be retained, however.

76 See Gostin, supra note 63, at 455; see also Arnold, supra note 48, at 457 (arguing that “confidentiality of the computerized medical record is not yet adequately protected”); Grace-Marie Mowery, Comment, A Patient's Right of Privacy in Computerized Pharmacy Records, 66 U. Cin. L. Rev. 697, 701 (1998) (discussing uncertain legal requirements in maintaining patient privacy in pharmaceutical records); Robert Gellman, Does Privacy Law Work?, in Technology and Privacy: the New Landscape 193, 204-07 (Philip E. Agre & Marc Rotenberg eds., 1997) (describing ambiguous legal standards for the constitutional protection of personal information privacy).

77 See Gostin, supra note 63, at 489.

78 See id. at 485.

79 See Barefoot, supra note 24, at 309-10.

80 In his concurrence to Roe v. Wade, Justice Douglas asserted that “the right of privacy has no more conspicuous place than in the physician-patient relationship.” See Doe v. Bolton, 410 U.S. 209, 219 (1973) (Douglas, J., concurring) (concurrence opinion applicable to Roe v. Wade, 410 U.S. 113 (1973)).

81 See Ken Gormley, One Hundred Years of Privacy, Wis. L. Rev. 1335, 1337-39 (1992).

82 See id. at 1339; see also Judith Wagner DeCew, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology 66 (1997) (noting the “close relationship between tort, Fourth Amendment, and constitutional privacy claims” which supports arguments for a “broad conception of privacy”). Ken Gormley specifically questions the utility of these demarcations, arguing that “[s]uch a sharp division is unfortunate … because history confirms that the various offshoots of privacy are deeply intertwined at the roots, owing their origins to the same soil.” Gormley, supra note 81, at 1357. Further, Gormley contends:

Although helpful in refining our understanding of various subsets of privacy opinions and case law, single one-size-fits-all definitions of privacy have proven to be of limited value. The harsh reality is: legal privacy consists of four or five different species of legal rights which are quite different from each other and thus incapable of a single definition, yet heavily interrelated as a matter of history, such that efforts to completely sever one from another are (and have been) disastrous.

Id. at 1339.

83 See Gormley, supra note 81, at 1337.

84 See Warren, Samuel D. & Brandeis, Louis D., The Right to Privacy, 4 Harv. L. Rev. 193, 193 (1890).

85 Id. at 198.

86 See Gormley, supra note 81, at 1348-55.

87 381 U.S. 479 (1965).

88 See id. at 485.

89 See id. at 485-86.

90 See, e.g., Olmstead v. United States, 277 U.S. 438 (1928) (holding that evidence obtained by intercepting a telephone call was admissible).

91 See Spielberg, supra note 1, at 1354.

92 See Gormley, supra note 81, at 1356.

93 See Katz v. United States, 389 U.S. 347, 358-59 (1967).

94 Simon G. Davies, Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity, in Technology and Privacy: the New Landscape 143, 143 (Philip E. Agre & Marc Rotenberg eds., 1997).

95 410 U.S. 113 (1973).

96 See George J. Annas et al., The Right to Privacy Protects the Doctor-Patient Relationship, 263 JAMA 858, 858-59 (1990).

97 See id. at 859.

98 See Gostin, supra note 63, at 498; see also Alberts v. Devine, 479 N.E.2d 113, 120 (Mass. 1985) (holding that “a duty of confidentiality arises from the physician-patient relationship”); Hague v. Williams, 181 A.2d 345, 349 (N.J. 1962) (same).

99 Absent novel legislative enactments to protect medical privacy, such a constitutional argument could be asserted by drawing from the underlying reasoning from both the “information” and “decisionmaking” privacy cases. Indeed, I would argue that medical communications and their preserved records—including e-mail—represent the intersection between these two artificially separated “types” of privacy, because medical communication is itself the process of engaging in medical decision making and its stored record becomes information about which individuals can logically assert a privacy interest.

100 See Annas et al., supra note 96, at 859.

101 See, e.g., Whalen v. Roe, 429 U.S. 589 (1977) (overruling lower court's holding that a New York statute requiring state authorities be provided with copies of every prescription for certain drugs, which will be kept in a computerized database, was unconstitutional).

102 Martin Campbell-Kelly & William Aspray, Computer: A History of the Information Machine 247 (Basic Books, 1996).

103 See Whalen, 429 U.S. at 599-604.

104 See id. at 593-94.

105 See id. at 598-99.

106 See id. at 600-02.

107 See id. at 605.

108 See id.

109 See id. at 599-604.

110 See id. at 594, 603-04. However, the Court's dicta suggests that states have a duty, “arguably … root[ed] in the Constitution,” to prevent unnecessary disclosure of individuals' health data collected for public health purposes. See id. at 605.

111 See Spielberg, supra note 1, at 1355-56; see also Kane & Sands, supra note 65, at 108-09 (listing specific practical precautions for practitioners to take, such as using encryption technology and obtaining consent before utilizing e-mail to communicate with patients).

112 See Spielberg, supra note 1, at 1357.

113 Whalen, 429 U.S. at 602.

114 Id. at 594.

115 See Spielberg, supra note 1, at 1358.

116 429 U.S. at 602-03. Similarly, people also may refrain from making certain decisions about their health care over e-mail because they fear that their e-mails could be misdirected, thus revealing their personal thought processes to unforeseen individuals.

117 See Spielberg, supra note 1, at 1357.

118 500 U.S. 173 (1991).

119 Id. at 218 (Blackmun, J., dissenting).

120 See Gormley, supra note 81, at 1439-40; Jerome P. Kassirer, The Next Transformation in the Delivery of Health Care, 332 New Eng. J. Med. 52, 53 (1995).

121 Gormley, supra note 81, at 1440.

122 Indeed, Justice Brennan, in his concurring opinion in Whalen, directly acknowledged the potential for reexamination of privacy and medical databases in the event that new technological changes appear to efface health information privacy:

[C]ollection and storage of data by the State that is in itself legitimate is not simply rendered unconstitutional simply because new technology makes the State's operations more efficient. However … the Constitution puts limits not only on the type of information the State may gather, but also on the means it may use to gather it. The central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.

Whalen v. Roe, 429 U.S. 589, 606-07 (1977) (Brennan, J., concurring) (emphasis added).

123 See Gostin, supra note 63, at 498.

124 See id. at 494-95.

125 See id. at 506-11.

126 See id. at 508-09.

127 See id. at 510-13.

128 See, e.g., Ark. Code Ann. § 23-76-129 (Michie 1997) (requiring health maintenance organizations (HMOs) to hold medical information confidential); N.Y. Civ. Rights Law §§ 50-52 (McKinney 1998) (protecting various individual privacy rights and providing private rights of action); N.Y. Pub. Health Law § 2803-c(3)(f) (McKinney 1998) (providing for the confidentiality of hospital patients' medical records); Cal. Civ. Code §§ 56.10-.30 (West 1998) (protecting medical information from general public exposure, but allowing some information disclosure for public health purposes); Cal. Civ. Code § 1798.1 (West 1998) (providing that privacy is a fundamental right).

129 See Gostin, supra note 63, at 516-17.

130 In addition to the general information privacy statutes enacted at the federal level, several specific areas have been identified for special privacy protections. For example, Congress explicitly protects certain aspects of an individual's credit history in the Fair Credit Reporting Act of 1970, which prescribes acceptable uses for that information and enables review and correction by its subject. See 15 U.S.C. § 1681 (1998). Further, the Video Privacy Act of 1988 prohibits disclosure of information pertaining to videotape rentals except in certain circumstances. See 18 U.S.C. § 2710 (1998). Likewise, the Telephone Consumer Protection Act of 1991 regulates unsolicited telephone calls and provides privacy protection for telephone users who would prefer not to receive such calls. See 47 U.S.C. § 227 (1998).

131 Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended in scattered sections of 18 U.S.C.).

132 See Maureen S. Dorney, Privacy and the Internet, 19 Hastings Comm. & Ent. L.J. 635, 644 (1997).

133 See §§ 101, 201, 100 Stat. at 1848, 1860-68.

134 See Spielberg, supra note 1, at 1355-56. Even though the Electronic Communications Privacy Act of 1986 (ECPA) bolsters the technological security of the message, so that the sender can expect a private, uninterrupted transmission of the message to a known recipient, it does not assure that the message will be properly preserved as a private communication once it is received. See Spielberg, supra note 1, at 1356; infra notes 139-140 and accompanying text. Interestingly, pharmaceutical records do not enjoy the same kind of privacy protections under the law. See Mowery, supra note 76, at 712. While the ECPA may facilitate private transmission from physician to pharmacy, once the pharmacy receives the e-mail message, the message does not necessarily remain private; the pharmacist is under no legal duty to maintain the record as confidential. See id. at 713. Nonetheless, the physicians' copy of their already sent message (which becomes a part of the medical record) must be guarded by the physician with the same standards as any other record. See id. at 712. Thus, because the pharmacy's record itself remains unprotected under current law, gaps exist when records are transferred to those holders who owe no duty of confidentiality or privacy (beyond ethical codes) to the patient whose record is at stake.

135 See §§ 101-103, 202, 100 Stat. at 1848-1854, 1860; Dorney, supra note 132, at 643-45.

136 The ECPA, as any other law, can only deter unlawful acts, but cannot prevent them from occurring in the first place. For example, once an e-mail message has been unlawfully taken, the holder who intends to share that message freely—thus making public the victim's private information—will do so despite the existence of adverse legal consequences.

137 See § 101(c)(6), 100 Stat. at 1851. As amended by the ECPA, the relevant statutory language provides:

It shall not be unlawful … for … an officer, employee, or agent of a provider of wire or electronic communication service … to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service….

18 U.S.C. § 2511(2)(a)(i) (1998). This exception, though, does not authorize random monitoring of communication by providers of wire communication except for mechanical or service quality control checks. See id.

138 See Dorney, supra note 132, at 644; Spielberg, supra note 1, at 1356; see also Smyth v. Pillsbury Co., 914 F. Supp. 97, 100 (E.D. Pa., 1996) (finding no privacy interest in employee's e-mail to a supervisor).

139 See § 201, 100 Stat. 1861.

140 See id.

141 Pub. L. No. 93-579, § 3, 88 Stat. 1897 (1974) (codified at 5 U.S.C. § 552a (1998)).

142 Pub. L. No. 89-487, 80 Stat. 250 (1966) (codified at 5 U.S.C. § 552 (1998)).

143 See 5 U.S.C. § 552(a), (b)(1)-(9) (1998).

144 See 5 U.S.C. § 552(b)(6).

145 See 5 U.S.C. § 552a(b) (1998). The Privacy Act of 1974 prohibits federal hospitals and agencies from disclosing information contained in medical records except under specific circumstances. See id. § 552a(a)(4), (b). Although the Privacy Act acknowledges that a health care provider owns the information contained within the medical chart, the patient is the only person authorized to release such information. See Douglas D. Bradham et al., The Information Superhighway and Telemedicine: Applications, Status, and Issues, 30 Wake Forest L. Rev. 145, 161 (1995).

146 See Arnold, supra note 48, at 475.

147 See Gostin, supra note 63, at 499.

148 See id. at 500.

149 Any clinical e-mail that is relevant to rendering medical decisions ought to be retained in the medical record. Such e-mail might not, however, serve a broader function in public health practice, and thus would be irrelevant for that domain. Much of the information that would be contained as text in a medical e-mail would not be useful for public health data collection, although a summary of medical conclusions, diagnoses, drug reactions, test results and the like could prove relevant in an epidemiological assessment. To prevent inadvertent disclosure of medically related e-mails (which have personally identifiable information even in the address), additional precautions will need to be established to protect medical e-mail within the medical record.

150 For example, an e-mail contained within a medical record would be treated as any other medical record. Because at present no federal law affords uniform privacy protection to medical records generally, see Gostin, supra note 63, at 516-17, a medically related e-mail could be open to exposure to a variety of interested third parties to an underlying medical relationship. Because such authorized onlookers may have legitimate access to the medical record itself, it is unclear whether they would be treated as violators under either the Privacy Act or the ECPA.

151 See Gostin, supra note 63, at 508; see also Estate of Behringer v. Medical Ctr. at Princeton, 592 A.2d 1250, 1274 (N.J. Super. Ct. 1991) (finding hospital negligent for failure to take reasonable precautions to maintain confidentiality of the patient's medical record when sensitive medical information was kept in a chart at a nurse's station, making the chart easily accessible to outsiders). Interestingly, the Behringer court placed the burden on the medical facility to do more than simply instruct health care workers to keep records confidential. See id. at 1272. Instead, the court suggested possible confidentiality measures that the hospital should take, such as securing medical charts, limiting access to those with a bona fide need to know or sequestering portions of the patient's record containing confidential information. See id. at 1273.

152 See Gostin, supra note 63, at 508-09.

153 American Medical Ass'n, Code of Medical Ethics: Current Opinions With Annotations Opinions 5.04-.07 (1998) [hereinafter AMA CODE]. Several exceptions to the general confidentiality principle have been identified, such as cases involving communicable diseases and a patient's articulation of an intent to commit serious harm on a particular or identifiable third party. See id. at Opinions 5.05.

154 See id. Opinion 5.05; Tom L. Beauchamp & James F. Childress, Principles of Biomedical Ethics 422-23 (4th ed. 1994); see also Len Doyal, Human Need and the Right of Patients to Privacy, 14 J. Contemp. Health L. & Pol'y 1, 4 (1997) (noting that patient trust of physicians has been one of two philosophical justifications for clinical confidentiality).

155 AMA Code, supra note 153, Opinion 5.05 (emphases added).

156 See Spielberg, supra note 1, at 1355.

157 See, e.g., AMA Code, supra note 153, Opinion 5.07 (requiring that physicians use the “utmost effort and care … to protect the confidentiality of all medical records, including computerized medical records”). Some observers question whether the ideal confidentiality standards articulated by law or professional codes can have genuine significance in a post-modern, technology driven, computerized and commodified medical system. See Beauchamp & Childress, supra note 154, at 419. If this concern manifests in the routinization of confidentiality breaches for most medical records, the ultimate harms to vulnerable patients will be potentially greater with the concurrent exposure of personal thoughts and feelings described in e-mail letters to their physicians.

158 See Kane & Sands, supra note 65, at 106-10; Charles B. Conklin, Risk Management Ramifications of E-Mail in a Hospital (visited May 11, 1999) <http://www.rmf.org/b0183.html>; see also Spielberg, supra note 1, at 1355-56 (discussing various precautions that physicians can take to secure their e-mail communications). The AMA has likewise developed a policy regarding confidentiality of patient information stored on a computer, exhorting physicians that “[t]he utmost effort and care must be taken to protect the confidentiality of all medical records, including computerized medical records.” AMA Code, supra note 153, Opinion 5.07. Opinion 5.07 also delineates some security guidelines to maintain confidentiality of medical records, including employee authorization, patient notification and consent prior to release of identifiable data and use of encryption technology. See id.

159 AMA Code, supra note 153, Opinion 5.07 (emphasis added).

160 See Furrow et al., supra note 37, § 6-11, at 270-79.

161 See id. § 6-9, at 265-66.

162 See id. The ubiquitous “consent form” is evidence that obtaining patient consent in the health care setting has become routine. See id. § 6-16, at 284. However, it is not always the case that a full and meaningful discussion precedes the patient's signing of the consent form, and many states treat the signed form as prima facie evidence of consent to treatment, placing the burden on the patient to rebut the presumption. See id.

163 See id. § 4-34, at 150-51.

164 See id.

165 See id. at 150.

166 See id.

167 See id. at 150-51.

168 See id.

169 See Barefoot, supra note 24, at 303. Currently, the law is unable to fully acknowledge the transformation in American medicine from a doctor-patient model to a patient-health system/insurer model. See id. Many health care workers currently privy to patient records are “uncertain about their legal obligations” because only some record-holders, such as physicians and hospitals, have been identified as holding legal duties to protect the patients' medical information. See id.

170 See id. at 283, 288; see also Mowery, supra note 76, at 713 (noting that doctor-patient testimonial privilege does not preclude employers or insurers from learning about a patient's medical information). Not surprisingly, patients are often unaware that so many others will likely view their medical records. See Barefoot, supra note 24, at 288-89. In addition to health care providers and insurers, many “secondary users” of health information may have access to an individual's records. See id. For example, employers, public health organizations, medical and social researchers, government agencies, law enforcement, educational institutions, credit bureaus, licensing organizations and the media may have access to personal records under existing laws. See id.

171 See Gostin, supra note 63, at 487.

172 See id. at 507. Many states do require health care providers, insurers and employers to maintain confidentiality standards. See, e.g., Cal. Civ. Code §§ 56.10, .13, .20 (West 1998); N.Y. Ins. Law § 321 (Consol. 1998); N.Y. Pub. Health Law § 2803-c(3)(f) (McKinney 1998).

173 Mowery, supra note 76, at 716.

174 See Howard Brody, The Healer's Power 126-27 (1992).

175 See id. at 126.

176 As one commentator suggests, this kind of discussion about handling information will accomplish two things:

First, it should help avert overly facile promises by the physician such as “Anything you say to me will be held in the strictest confidence.” Possibilities for information leakage exist in almost all modern care systems, and it is only fair that the patient should know that. Second, it may give rise to specific negotiations about what should be included in the written record. In an example that is becoming commonplace, the physician may advise the patient at risk for HIV infection to be tested anonymously through the local health department instead of ordering the test through a standard laboratory and having the information become a part of the chart.

Id.

177 See id.

178 See id.

179 AMA Code, supra note 153, Opinion 5.07.

180 See Spielberg, supra note 1, at 1356-57; Kane & Sands, supra note 65, at 106.

181 See, e.g., Bradham et al., supra note 145, at 161-62; see Spielberg, supra note 1, at 1356.

182 See Spielberg, supra note 1, at 1356-57.

183 See, e.g., Linda Roemer, Letter to the Editor (JAMA) 1 (Feb. 13, 1999) (on file with author).

184 See Alissa Spielberg, Response to Gurwitz and Roemer, Letter to the Editor (JAMA) 1 (Mar. 9, 1999) (on file with author).

185 See id.

186 See Spielberg, supra note 1, at 1353.

187 United States Dep't of Commerce, Telemedicine Report to Congress (visited Apr. 3, 1999) <http://www.ntia.doc.gov/reports/telemed/intro.htm#N_l_> [hereinafter Telemedicine Report].

188 Committee on Evaluating Clinical Applications of Telemedicine, Inst. of Med., Telemedicine: A Guide to Assessing Telecommunications in Health Care 16-17 (1996) [hereinafter A Guide to Assessing Telecommunications in Health Care]. Interestingly, the Physician Insurers Association of America (PIAA) has also defined telemedicine broadly. Telemedicine is defined by PIAA as “the provision of health care consultation and education using telecommunication networks to communicate information.” Julie M. Kearney, Comment, Telemedicine: Ringing in a New Era of Health Care Delivery, 5 CommLaw Conspectus 289, 290 (1997) (quoting Physician Insurers Ass'n of America, Telemedicine: An Overview of Applications and Barriers 1 (1996)). This sweeping language suggests that e-mail consultation may require special malpractice coverage, for instance under a “Telemedicine” clause or rider to a standard malpractice insurance policy. Indeed, it is quite possible that malpractice insurers will define acceptable parameters of e-mail consultation practice that will be covered under their insurance contracts.

189 See Kearney, supra note 188, at 290 n.12 (quoting Physician Insurers Ass'n of America, Telemedicine: An Overview of Applications and Barriers 1 (1996)).

190 See Telemedicine Report, supra note 187.

Because of its generality, defining telemedicine as practicing medicine over distances is not particularly descriptive. For example, telemedicine does not include nonelectronic communications between physician and patient over distances corresponding via mail. Such a broad definition misses the mark because the “defining aspect” of telemedicine is the transfer of information using electronic signals. However, a definition incorporating the concept of electronic transfers is still very broad because it can encompass both informal diagnosis and treatment prescription for simple ailments over the telephone as well as the earlier example of high-tech medical application ….

Kathleen M. Vyborny, Legal and Political Issues Facing Telemedicine, 5 Annals Health L. 61, 69-70 (1996).

191 See Kearney, supra note 188, at 290 (noting that the Federal Communications Commission created an advisory committee in 1996 to advise the commission on rural telecommunication provisions contained in the Telecommunication Act of 1996); see also Bradham et al., supra note 145, at 147 (discussing the benefits of telemedicine to those in rural areas, such as increasing diagnostic capability, convenience and overall care); Christopher J. Caryl, Note, Malpractice and Other Legal Issues Preventing the Development of Telemedicine, 12 J.L. & Health 173, 204 (1997-1998) (noting that telemedicine technology can minimize or even eliminate problems a physician encounters with rural medicine).

192 See generally Douglas A. Perednia & Ace Allen, Telemedicine Technology and Clinical Applications, 273 JAMA 483 (1995) (noting that matching technology to medical needs will be difficult because of already limited medical resources).

193 See Caryl, supra note 191, at 182; Bradham et al., supra note 145, at 156. Additionally, some states with telemedicine legislation specifically require consent prior to engaging in a telemedicine consultation. For example, Arizona's telemedicine law provides that “[b]efore a health care provider delivers health care through telemedicine, the treating health care provider shall obtain verbal or written informed consent from the patient. If the informed consent is obtained verbally, the health care provider shall document the patient's consent on the patient's medical record.” Ariz. Rev. Stat. Ann. § 36-3602(A) (1998). The code further provides that “[d]issemination of any images or information identifiable to a specific patient for research or educational purposes shall not occur without the patient's consent.” Id. at § 36-3602(D). Likewise, Arizona requires that telemedicine consultations become a part of the patient's medical record. See id. § 36-3602(C). California also includes an informed consent provision in its telemedicine law. See Cal. Bus. & Prof. Code § 2290.5(c) (West 1998). In fact, California's informed consent procedure for telemedicine consultations is quite specific. Health care practitioners must obtain both verbal and written consent from the patient or the patient's legal representative. See id. § 2290.5(c). The practitioner must provide the patient with written and verbal information on the patient's right to withdraw consent and the risks, consequences and benefits of the procedure. See id. § 2290.5(c)(1)-(2). Additionally, the practitioner must explain the applicable confidentiality protections and how the telemedicine records will be included in the patient's medical record. See id. § 2290.5(c)(3)-(4). However, the California law explicitly excludes exchanges by “telephone conversation ... or an electronic mail message between a health care practitioner and patient ….” Id. § 2290.5(a)(1).

194 Likewise, the Institute of Medicine commented that “[d]ecisionmakers still do not have good enough information comparing the effects of telemedicine applications to those of alternative health care strategies for quality, access, cost, and acceptability.” A Guide to Assessing Telecommunications in Health Care, supra note 188, at 207.

195 See generally Pergament, supra note 72 (arguing for regulation of Internet psychotherapeutic services to protect consumers). The absence of effectiveness data on e-mail psychotherapy as an effective mental health treatment modality poses significant problems for establishing informed consent. See id. at 255. In addition to the complexity involved in providing informed consent to psychotherapy patients, giving unproven or inappropriate treatment could also give rise to a negligence action. See id. at 253-54 n.87.

196 See Telemedicine Report, supra note 187, at <http://www.ntia.doc.gov/reports/telemed/payment.htm>.

197 Beginning in 1992, Congress established specific legislation to fund demonstration projects designed to expand rural health care through telemedicine. See 7 U.S.C. § 950aaa-5 (1998). The legislation encompassed the transmission of x-rays and other imaging data. See id. § 950aaa-5(b)(6)(A)(II). By 1994, the Department of Health and Human Services (HHS) had awarded numerous grants for demonstration projects under its Rural Telemedicine Grant Program. See Vyborny, supra note 190, at 65 n.28. In addition, “[t]he Clinton Administration recently announced a three-year experiment in which Medicare will pay for telemedicine services at fifty-seven Medicare-certified health facilities.” Caryl, supra note 191, at 180. The Health Care Financing Administration (HCFA) has also expressed its concern over the absence of clinical studies showing that telemedicine treatment is as safe and effective as face-to-face treatment. See Bradham et al., supra note 145, at 164.

198 Kearney, supra note 188, at 297. In fact, many commentators view the gap in reimbursement policy as a deficiency that poses a significant “barrier” to the development of telemedicine. See Telemedicine Report, supra note 187, at <http://www.ntia.doc.gov/reports/telemed/payment.htm> (explaining that factors such as third-party payers' “wait-and-see” approach toward telemedicine payment as well as varying Medicare and Medicaid coverage policies are barriers to telemedicine's deployment); Jeff L. Magenau, Digital Diagnosis: Liability Concerns and State Licensing Issues are Inhibiting the Progress of Telemedicine, 19 Comm. & the Law 25 (1997), available in Westlaw, ABI-INFORM database (same).

199 Four states—Georgia, Iowa, North Carolina and West Virginia—are part of the HCFA's demonstration project designed to reimburse a limited number of medical facilities for telemedicine consultation. See Telemedicine Report, supra note 187, at <http://www.ntia.doc.gov/reports/telemed/payment.htm>. But many more states allow some form of telemedicine reimbursement through Medicaid programs or workers' compensation. See Caryl, supra note 191, at 180. These states include Arkansas, Georgia, Idaho, Montana, South Dakota, Virginia and West Virginia. See id. Additionally, Montana will pay for telemedicine visits in lieu of paying traveling expenses. See id. Finally, HMOs cover a limited number of telemedicine services, particularly for the evaluation of “static images,” in New Mexico and California. See id. Other states may have insurers who will reimburse telemedicine consultations on a case-by-case basis. See Telemedicine Report, supra note 187, at <http://www.ntia.doc.gov/reports/telemed/payment.htm>. New telemedicine reimbursement legislation continues to emerge. See, e.g., Okla. Stat. Ann. tit. 36, § 6803 (West 1998).

200 See Magenau, supra note 198 (noting that “because of licensing and liability concerns, out-of-state teleconsultants often do not charge for the conference—hoping to avoid the establishment of a doctor-patient relationship that might lead to attachment of liability”).

201 See Spielberg, supra note 1, at 1354.

202 In California, for example, “face-to-face contact between a health care provider and a patient shall not be required under the Medi-Cal program for services appropriately provided through telemedicine.” Cal. Welf. & Inst. Code § 14132.72(c)(1) (West 1999). However, the “Medi-Cal program shall not be required to pay for consultation provided by the health care provider by telephone or facsimile.” See id. § 14132.72(d). As previously noted, California explicitly excludes e-mail from its definition of telemedicine. See Cal. Bus. & Prof. Code § 2290.5(a)(1).

203 However, one group of commentators suggests that “it might be necessary to charge a flat monthly fee for access to physicians by phone or e-mail to both cover the cost and discourage overuse.” See James W. Mold et al., 91 J. Okla. State Med. Ass'n 331, 333-34 (1998).

204 It is worth noting, however, that some electronic exchanges between physicians and consumer-patients may involve a direct fee being paid by a patient seeking online consultation. See, e.g., Judy Foreman, Promises and Pitfalls of Cyber Medicine, Boston Globe, Jan. 4, 1999, at E1 (discussing the advantages and disadvantages of “online medical consult services,” which charge an Internet user a fixed fee for providing medical services to users, after receiving an e-mail describing their ailments). Some of these online services take steps to disclaim any doctor-patient relationship, but legal analysts note that the financial exchange may itself impose a professional duty of reasonable care. See id.

205 Telemedicine Report, supra note 187, at <http://www.nita.doc.gov/reports/telemed/legal.htm>; A Guide to Assessing Telecommunications in Health Care, supra note 188, at 91-92.

206 See Spielberg, supra note 1, at 1357.

207 See id.; see also Telemedicine Report, supra note 187, at <http://www.nita.doc.gov/reports/telemed/legal.htm>.

208 Kearney, supra note 188, at 297. In states with such licensure requirements, a “physician in one state may be legally restricted from providing services via telemedicine to a patient in another state unless he is legally licensed in both states.” See id.

209 See Telemedicine Report, supra note 187, at <http://www.nita.doc.gov/reports/telemed/legal.htm>. These states include California, Connecticut, Indiana, Kansas, Nevada, Oklahoma, South Dakota, Tennessee and Texas. See id.

210 See id.; Kearney, supra note 188, at 297-98. For instance, while California has proposed a limited telemedicine licensing process, the following states have explicitly required full state licensure prior to the practice of medicine within their state by any means, including telemedicine: Arkansas, Arizona, Connecticut, Florida, Georgia, Iowa, Indiana, Kansas, Massachusetts, Maine, Mississippi, Nebraska, Oklahoma, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas and Virginia. See Spielberg, supra note 1, at 1357-58.

211 See Kearney, supra note 188, at 298-300; Magenau, supra note 198, at 40-43.

212 See Spielberg, supra note 1, at 1358.

213 See id. at 1357; see also Phyllis Forrester Granade, Medical Malpractice Issues Related to the Use of Telemedicine: An Analysis of the Ways in which Telecommunications Affects the Principles of Medical Malpractice, 73 N.D. L. Rev. 65 (1997) (discussing specific elements of malpractice law as applied to telemedicine consultations). One commentator noted that:

[T]elemedicine merely allows the practitioner to practice medicine in the normal manner… . Although telemedicine uses technology to facilitate diagnosis or treatment, it is designed to transmit to a remote location the same kind of information that is normally available “in person.” As such, a physician deliberates in substantially the same manner as if the patient were present in the doctor's offices, and the substance of the interaction is largely unaffected.

Vyborny, supra note 190, at 72.

214 Id. at 73.

215 See Granade, supra note 213, at 72; Caryl, supra note 191, at 192.

216 See Granade, supra note 213, at 67.

217 See id. at 68.

218 See Kearney, supra note 188, at 300. Elements of a physician-patient relationship in telephone conversation cases are:

(1) whether the consulting physician and the patient actually saw each other; (2) whether the physician ever examined the patient; (3) whether the patient's records were ever viewed by the consultant; (4) whether the physician knew the patient's name; and (5) whether the consultation was gratuitous or for a fee.

Id.

219 See Lopez v. Aziz, 852 S.W.2d 303, 307 (Texas App. 1993); see also Weaver v. Bd. of Regents of the Univ. of Mich., 506 N.W.2d 264, 268 (1993) (holding that a telephone call to a medical center to set up an appointment did not establish doctor-patient relationship where no prior relationship existed).

220 See Bienz v. Central Suffolk Hosp., 557 N.Y.S.2d 139, 139-40 (App. Div. 1990) (holding that if physician offers treatment or advice by telephone, a professional relationship may attach, even if in the context of scheduling an appointment); see also Gilinsky v. Indelicato, 894 F. Supp. 86, 92-94 (E.D.N.Y. 1995) (finding mentor-supervising physician to have formed a physician-patient relationship with a chiropractic patient, even though the physician and the patient had never met when significant consultation with intermediary practitioner occurred); Wheeler v. Yettie Kersting Mem'l Hosp., 866 S.W.2d 32, 40 (Tex. App. 1993) (holding that physician who approves a patient's transfer may establish a doctor-patient relationship).

221 See Spielberg, supra note 1, at 1357.

222 See id. For a more in-depth discussion of standards of care in telemedicine, see Granade, supra note 213, at 74-83.

223 See, e.g., St. Charles v. Render, 646 N.E.2d 411, 412-14 (Mass. App. Ct. 1995) (noting in dicta that plaintiffs may base their breach of contract claims on a physician's failure to return their telephone call within a reasonable amount of time if the plaintiffs can also prove that the actual damages were greater than nominal).

224 See, e.g., Confidentiality of Individually-Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, Pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996 (visited May 12, 1999) <http://aspe.os.dhhs.gov/admnsimp/pvcrecO.htm>. HHS's recommendations include: (1) protecting against inadvertent or deliberate disclosure of personal medical information; (2) requiring health care payers and providers to give patients clear, written explanations of intended policies on use, retention and disclosure of health information; (3) imposing punishments for those who misuse personal health information; and (4) providing redress for those who have been harmed by health information disclosures. See id. at <http://aspe.os.dhhs.gov/admnsimp/PVCRECl.HTM#INTRODUCTION>. For examples of other recent legislative efforts, see Medical Information Privacy & Security Act, H.R. 1057, 106th Cong. (1999) (providing individuals with access to their own health information without losing privacy protection and imposing criminal and civil penalties for unauthorized use of health information); Medical Information Privacy & Security Act, S. 573, 106th Cong. (1999) (same); Health Care Personal Information Nondisclosure Act of 1999, S. 578, 106th Cong. (1999) (protecting the confidentiality of health information).

225 See Spielberg, supra note 1, at 1354.

226 Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 29 U.S.C. and 42 U.S.C.). This legislation required HHS to impose confidentiality standards on electronic medical transactions if Congress does not legislate by August 1999. See Barefoot, supra note 24, at 314-15. Accordingly, HHS has proposed rules to regulate the confidentiality of health data, including reimbursement information, that are transmitted electronically. For example, to ensure authenticity and identity of those transmitting and receiving health data, HHS proposed the National Provider Identifier. See National Standard Health Care Provider Identifier, 63 Fed. Reg. 25,320 (1998) (to be codified at 45 C.F.R. 142) (proposed May 7, 1998). It also proposed the Security and Electronic Signature Standards. See Security and Electronic Signature Standards, 63 Fed. Reg. 43,242 (1998) (to be codified at 45 C.F.R. 142) (proposed Aug. 12, 1998).

227 See 42 U.S.C. § 1320d-2 (1998).

228 See id. § 1320d-2(d)(2). HCFA's Internet Security Policy also states that HCFA Privacy Act-protected and/or other sensitive HCFA information sent over the Internet must be accessed only by authorized parties. Technologies that allow users to prove they are who they say they are (authentication or identification) and the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification must be used to insure that data travels safely over the Internet and is only disclosed to authorized parties.

See Health Care Financing Administration, Internet Security Policy (last modified Feb. 19, 1999) <http://www.hcfa.gov/security/isecplcy.htm>. In addition, the Health Insurance Portability and Accountability Act imposes severe penalties, including fines and imprisonment, on health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with financial and administrative transactions if they fail to comply with security standards designed to safeguard the confidentiality of such information. See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 262(a), 110 Stat. 1936, 2028-29 (1996) (codified as amended at 42 U.S.C. §§ 1320d-5, 1320d-6).