GDPR for Doctors and Physios. What you need to know about email and encryption.

In a nutshell, what do you need to know about email encryption if you’re a Doctor, Physio or an Osteopath?

You should encrypt your emails (e.g. with Egress)

You must make sure your email provider is GDPR compliant. So you MUST NOT use personal Gmail, Hotmail, or Mac Mail to send patient emails. Full Stop. (We know many of you currently are, but we’ve got your back if you need to migrate your email to a GDPR compliant provider).

If your email provider isn’t GDPR compliant, then you’re still not fully GDPR compliant.

There are easy ways to train your patients to engage with email encryption (honest).

If you’re NOT taking care of the above, you’re not being GDPR compliant. It’s the law, and it’s YOU who will get into trouble if you’re investigated by the ICO (Information Commissioner’s Office).

These are the commonest questions we’re asked about email and encryption.

How many of them apply to you?

“How do I know if my email provider is GDPR compliant?”

You’ve probably heard about us banging on about email providers needing to be compliant. How do you know if yours is?

Andrew is an osteopath who came for help with his GDPR documentation. He calls himself a ‘tech-Luddite’. (I should say he’s a flippin’ awesome osteo, though). His work email had been set up pre-May 25th, 2018 by his website designer, as part of a web design package. This is a common situation for many clinicians to find themselves in.

In order for Andrew’s previous email provider to have been GDPR compliant, they would have needed to be able to provide a ‘data controller to data processor agreement’, and that wasn’t the case.

What if you’ve set up an email account by yourself?

Andrew also had a personal Gmail account. He wondered if he could use that instead. Again, the answer was ‘no’. So, why not?

Personal email providers are unable to provide you with a ‘data controller to data processor agreement’. These email providers include the free version of Gmail, Hotmail, and Mac Mail, which is why you must NOT use them for your clinical practice.

Yep, it’s time to get legit with some paid-for email provision (with the added benefit that it will make you look more professional too).

“What can I do if my email provider isn’t GDPR compliant?”

It’s imperative that you switch if you’re in this situation. In Andrew’s case, we migrated his email over to a GDPR compliant email provider – Microsoft Office 365. We did it all in the background, and there was no interruption in his email service. Microsoft includes a data processor to data controller agreement in their terms of service, so you don’t even need to approach them directly.

Even if you’re using an add-on email encryption service (such as Egress who are GDPR compliant), if your email provider isn’t GDPR compliant, then you’re still not fully GDPR compliant.

This is why you can’t make your email set up fully GDPR compliant by combining free, personal email (such as personal Gmail) with an email encryption system.

“Must I encrypt my emails to be GDPR compliant?”

The ICO doesn’t explicitly state that you have to use email encryption, but it may as well do.

The ICO says: “you should have security that is appropriate to: the nature of the information in question; and that harm that might result from its improper use, or from its accidental loss or destruction”.

In other words, medical data (the nature of information) if accidentally lost (e.g. when an email ends up in the wrong hands), could lead to significant harm (i.e. a breach of patient confidentiality).

If you need any further clarification, Dame Elizabeth Denham (she’s the Information Commissioner, a.k.a. ICO head honcho) has stated her opinion on email encryption in the clinical setting. When asked about in it a webinar, she emphatically said “yes, you should”.

If you’ve not yet experienced a data breach in your practice, it’s only a matter of time until you do.

Nothing’s scarier than being mid-clinic and receiving news that an angry patient is kicking off because they’ve received another patient’s MRI report, and now they’re spitting feathers over where theirs has ended up (yep, it’s a true client example).

It’s made even scarier if you don’t use email encryption (and we recommend Egress as our preferred encryption provider).

Be aware that no kind of email encryption gives you bullet proof underpants protection against human error.

But, Egress does make it extremely unlikely that your emails can be hacked. Plus, if you’re using Egress, you can instantly log in and revoke an email that’s not yet been opened (if you balls-up and accidentally send it to the wrong person). Phew!

Egress logs it all, so if you do end up having to have a chat with the ICO as a result of a breach, they’ll know you’ve done what you could to follow best practices.

If you’re not currently using email encryption and you have an email related data breach of confidential information, then good luck with that tricky ICO chat.

If Andrew (our tech-luddite osteopath) can use Egress, and confidently know how to revoke an email, so can you.

“Is there anything I can do to speed up opening and reading encrypted emails?”

If you’re only sending a few emails a day to patients, you may feel entirely happy with logging into an online portal to open and send emails. It’s perfectly suited to lower volumes of email.

But if your Private Practice is anything like my Private Practice (we send and receive over 300 emails a day), I’m guessing that you’d kill to only have to deal with one or two emails a week.

Maybe you’re like Dr Justine Kluk; she and her admin staff were sending many patients emails a day. They wanted a faster solution to logging into an online portal each or using an app on a smartphone, in order to read the email.

Egress offers several solutions for this:

One of these is their Desktop App, that integrates smoothly with Outlook for Windows. Another solution is their Egress Gateway solution, which could be good option if you’re running a larger, multi-clinician practice. Both of these enable the user to automatically encrypt and decrypt outgoing and incoming emails.

But what if you’re a solo practitioner? That’s the question we asked ourselves.

That’s why we came up with a solution which means we can offer automatic encryption and decryption of email at a cost- effective price, for individual or smaller multi-clinician practices.

The secure and robust technology is ‘powered’ by Egress, and we can provide you with a ‘slice’ of this fantastic solution for less than it would cost to purchase your own dedicated solution. Plus, we’re here to support you with any queries you have regarding your encrypted email.

It’s worth noting that if you are a larger practice, then we can still assist with implementing a GDPR compliant email system, that interfaces with a solution you would purchase from Egress directly.

“My patients complain about email encryption. What can I do about it?”

This is the number one concern (or is that ‘excuse’) that clinicians have about implementing email encryption in their practices. The good news is, it’s entirely possible to train your patients to get onboard the email encryption train.

Firstly, the advent of the GDPR thankfully means that patients are getting more and more used to email encryption as a part of their everyday lives; they may have been sent mortgage or legal documents via encrypted email or have used it at work.

Secondly, Egress have a really useful video that you can point patients to, to swiftly learn how to use it (even if you’re a self-confessed tech luddite).

Opening a Switch secure email with Egress Switch Web Access.

Thirdly, if you’re using Office 365 as your email provider, and you’re using an Egress gateway solution (such as one we can provide), it’s possible to put useful instructions to explain how to open the encryption email, in the body of the email that the patient receives.

This can be customised to your preferences – here’s an example of the one I use in my own Private Practice…

Finally, when new patients come to see me in clinic, I take thirty seconds to explain how to access the Egress app on their smartphone, so they’re clear on how to read the automatically encrypted emails that my practice sends them.

I say to the patient “have you figured out how to use Egress on your phone yet?”. If they’re not up to speed, I get them to open up their phone, go to the app store, and get started. I’ve found this really helps patients to see how easy it is to use Egress.

If you need to get your email GDPR compliant, then get in touch and let’s get it sorted. Even if you’re a tech-luddite…

Help me with Egress

Now it’s time for you to grow your’ Private Practice.




email or call us 0207 993 6425 http://www.instagram/privatepracticeninja