ShareHIPAA · Share HIPAA
Provider-Patient e-Mail
I have attached templates for provider-patient e-mail P&P and a document that may be used to inform patients that are approved for provider-patient e-mail on how the provider CE will use provider-patient emails and the risks involved with using e-mail to communicate with their provider.  Your organization may have determined that unencrypted e-mail is too much of a security risk and that the requirements for HIPAA prohibit unencrypted e-mail with patients.  If so, this would not be an appropriate P&P for you. If you are interested in discussing this issue, please feel free to join the companion discussion listserv to ShareHIPAA, ShareHIPAA2.  ShareHIPAA2's home page is http://groups.yahoo.com/group/ShareHIPAA2 .  You can join the group from ShareHIPAA2's home page. 
 
The question about email between provider and patient comes under both the Privacy and Security Rules.  It falls under the Privacy Rule because it deals with:

1) minimum necessary, section 164.502(b)
2) a privacy right (alternate communications) section 164.522(b)

It falls under the Security Rule, technical safeguards section 164.312 Encryption and Decryption (addressable)

You may want to take a look at the transcript of the 7th CMS HIPAA Implementation Roundtable, which you can read in its entirety by going to
http://www.cms.hhs.gov/hipaa/hipaa2/education/Feb2003RoundTrans.pdf

Encryption was a big topic of interest, as this was the first roundtable after the Final Security Rule was published in the Federal Register. 

Here are some quotes from this roundtable that directly address encryption and email:

page 9 last paragraph

"Other changes that we made in the final regulation over the proposed rules are encryption over an open network is now an addressable specification instead of being required.  And we did that in order to not cause problems with internet communications, email communication between physicians for example."

Page 17 Q&A

Question: " You mentioned in the first part of the meeting about encryption of e-mail. Could you go over that again or just the need to not encrypting e-mail?

Karen Trudel:  Yes, I can answer that.  Initially the proposed rule required that all transmission over an open network be encrypted.  We have since decided that - and the Final Rule reflects this - that is not required to encrypt transmissions over an open network.  It is something that the covered entity needs to assess to determine whether that is appropriate for them and under what circumstances. For instance, Medicare does not even accept transmissions over the internet at all.  So that is something that each covered entity needs to think about.

What I said about encrypting e-mail was that one of the considerations that we had was that especially for small health care providers who are communicating among each other via e-mail to discuss patient care, requiring that those transmissions be encrypted could have a chilling effect on patient care.  And therefore, that was one of the considerations that caused us to make this an addressable implementation specification.  Therefore, the general rule is encryption over an open network is addressable.  The covered entity needs to look at whether they need to do it, make a decision as to whether it is right for them or wrong, and then either implement or document what else they're going to do to keep communications over an open network like the internet safe and secure.

And one thing - someone who's a provider told me that what they, when they do internet email communication with their patients, is that they tell the patient ahead of time, if you're going to email me, you must understand that the internet is inherently an unsecure medium.  And if you're going to use it, you need to accept that risk.  And essentially that is one of the other things that they've put in place is increase the awareness of the part of the patient as to whether they want to accept that risk or not."

HIPAA Privacy Rule requirements were not addressed at this roundtable and the right to alternate communications was not a topic of discussion. 

You can never have total security, i.e. you can never be void of risk entirely.   Cost/benefit is a consideration in every industry when considering security risks.  In health care there are two additional concerns that must be included in the risk assessment:

1. patient privacy rights
2. impact on the provision of care

What is acceptable risk?  Each CE will have to determine that for themselves.  For some the decision will be easy (they may have the technical infrastructure to set up a web interface for patients, or they may have sophisticated email users that can handle encrypted email), for others the decision will be hard.  I doubt if anyone cares about my medical condition.  I would imagine that Dick Cheney's physician does not send him unencrypted email.
 
While I was working on this policy and procedure, there were eleven others who volunteered their time to contribute to its development.  One of those is hearing impaired, and another was mute.  Both of them were highly motivated to inform others that e-mail between provider and patient, especially when the patient is handicapped, should be given serious consideration because allowing provider-patient e-mail may provide a wonderful opportunity for improved communications between the provider and the patient.
 
I have provided some abstracts of material that I found on the internet while I was researching this issue below my signature block.  You might find this information useful as you consider how you design your own policies and procedures and what type of information and instruction you provide to those patients who are approved for provider-patient emails.


Barbara McGowin, CPC
Executive Recruiter
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
*************
Type 1 Provider-patient e-mail is defined as electronic messaging between clinicians and client in which the health care provider has a pre-existing clinic-based relationship with client and has taken on an explicit measure of responsibility for the client's care. Type 1 is the smallest percentage of patient-provider electronic messaging currently.

Type 2 Provider-patient email is electronic messaging between clinicians and client in which the health care provider has taken on a measure of interest in the client's care and where no clinic-based relationship exists. Type 2 is the largest percentage of present patient-provider email, but in the advent of spamming curbs, the trend is toward asp web access.

Why would a typical CE provider use email?
It is more spontaneous than letter writing;
offers more permanence than oral conversations;
words in e-mail can be more carefully chosen than in telephone conversation;
prevents "telephone tag";
avoids the interruptions associated with telephone calls or electronic pages;
E-mail follow-up allows retention and clarification of advice provided in clinic,
a url can be embedded in the message, allowing consumer to click to recommended sites for information, or if provider has web site, for  referrals;
provides a written record that may remove doubt as to what information was conveyed;
enhances memory for the patient that would have to commit to writing if it were given orally;
less likely than telephone messages to accidentally fall through the cracks;
copies of e-mail can be printed or attached to the patient's electronic record;
may minimize repercussions of malpractice claims as many such claims can be traced to faulty communication;
demand for e-mail access to a consumer's health care provider is accelerating;
low-cost Internet access;
provides the first medium to offer patients a way to easily contribute directly to their own records;
even though individual organizations may not officially sanction provider-to-patient e-mail, chances are it's happening;
virtual doctors are emerging as an unexpectedly valuable resource for internet-savvy consumers and this emergence of ehealth usage may cause problems with communications between patient and their actual care provider.

Why would a typical provider not use email?

It is a one way communication, asynchronous in nature (volleying back and forth over hours or days);
presents confidentiality concerns, especially when e-mail access is gained through the patient's employer;
un-encrypted email provides as much privacy as a postcard;
patients may not use it appropriately, with the result that important messages may be missed or treatment of acute conditions delayed;
forwarding and sharing messages allow e-mail users to send and receive information at the touch of a button, and errors in transmission can occur;
use of email may require providers to educate the patient about electronic security;
potential for ehealth to consume time that is non-billable;
email is discoverable for legal purposes;
HIPAA calls for detailed attention to security issues of e-mail;
additional policy and procedures and technical infrastructure may be required to support it;
adding e-mail to patient records may be a challenging administrative task to integrate into the day-to-day operations of managing patient record systems;
provider may not be an effective email communicator;
triage of patient emails may be required; and/or
potential for provider or patient to misinterpret the tone of the email communications.

I was surprised at the scarcity of information on the internet about provider-patient email. Most of it was written in 1999 or earlier.

If you are interested in researching this issue, here are some references:

Guidelines for the Clinical Use of Electronic Mail with Patients
http://134.174.100.34/AMIA%20E-mail%20Guidelines.pdf
Written by Beverly Kane MD, and Daniel Z. Sands, MD MPH, for the AMIA
Internet Working Group, Task Force on Guidelines for the Use of
Clinic-Patient Electronic Mail 1998

AMA Guidelines for Physician-Patient Electronic Communications
http://www.ama-assn.org/ama/pub/category/2386.html

Kaiser Permanente Northern California Physician-Patient Email policy
revised 1999 http://134.174.100.34/Kaiser/email_rules.doc

Patient-centered E-mail: Developing the Right Policies
http://134.174.100.34/AHIMA/JAHIMA_Murphy.htm

eHealth Code of Ethics
http://www.ihealthcoalition.org/ethics/ehcode.html




Wed Oct 1, 2003 4:11 pm

hitrecruiting

Attachments:
Provider-Patient e-mail P&P.doc (Type: application/msword)
Provider-Patient e-Mail Info.doc (Type: application/msword)