Practice Email Policy
David E. Swink
Director of Internet Services
There are significant risks of practice employees using practice email accounts for personal use and/or using personal email accounts for practice use.
Scenario
An employee has just left your medical practice, either voluntarily or involuntarily. What happens to all of the emails that employee sent and received while conducting practice business? If the employee was using a practice email account, e.g. jane.smith@praticeemail.com, then the practice should still have access to that email account, assuming the password is on file. However, there is a chance that the employee was using a personal email account (Yahoo, Gmail, Outlook, Hotmail or AOL) to conduct practice business rather than using a practice-owned email account. If that is the case, the practice has potentially lost access to important information, which could have an adverse effect on the business and open the practice to unknown risks.
Background
The use of email in medical practices has expanded significantly over the years. Practice employees and medical staff use email to conduct a wide array of business activities on behalf of the practice. Their emails contain all kinds of data, from vacation requests to highly confidential emails containing patient data, i.e. protected health information (PHI). Employees use email to communicate with internal and external contacts on virtually every aspect of a practice's operations, including insurance credentialing and claims, personnel management and payroll, shareholder compensation, electronic medical records (EMRs), patient portals and other important information.
Risks
There are many risks associated with employees using their personal email accounts to conduct practice business. There are security risks, e.g. hacked accounts. There are also practical risks, such as back-ups, retention and access when an employee is on vacation. Who has access to check the email account? What happens to renewal notices or other important emails sent to that account? Do you assume that an ex-employee will, in good faith, forward those emails to the practice? Or will they simply ignore or delete those emails?
Recommendations
While it is inevitable that a practice will lose employees, it is very important to have a plan in place to retain all of the intellectual property associated with employee emails to ensure a smooth transition and continuity:
- Every practice should have a professional email domain name, e.g. @mypracticeweb.com.
- Every practice should use a business class email solution (Microsoft Exchange Online or Google Business Email) to facilitate practice business.
- The practice should also have an email policy that is reviewed with employees on an annual basis; it should cover appropriate use, privacy, security and other items.
- Employees should be advised that all email is owned by the practice and is the sole property of the practice.
- Employees should understand that there is no expectation of privacy and, therefore, should limit use of practice email for personal use. Their practice email account may be reviewed at any time by authorized practice representatives with or without their knowledge.
If you need assistance or have any questions regarding setting up or changing email hosts or creating or revising email policies, please contact David Swink, Director of Internet Services, at 770-951-8427 or des@medicalmanagement.com.