
Giving Email Addresses to Patients Who Don’t Have Them

Posted on August 21, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In my post, 4 Things Your Patient Portal Should Include, I talked about how the thing patients want most in a patient portal is the ability to communicate with someone in the physician office. I still think that’s the most powerful part of a patient portal.

In response to that post, the people at Engaged Care sent me an interesting way that they’re approaching engaging the patient. Their efforts are focused on those patients who don’t have an email address. Check out this video which demonstrates the workflow they offer.

I’m not sure how many patients don’t have an email address, but this is a pretty slick solution to get them signed up for an email address. The other challenge is getting those patients who don’t have an email address motivated and skilled enough to check the newly created email as well. However, maybe access to a well done patient portal might be motivation enough for them to get involved.

The other benefit to these physician provided email addresses is that they are secure. You might remember that native email is not HIPAA secure. The email addresses that Engaged Care provides are HIPAA secure.

I’ll be interested to see how this company does, how many patients actually use the new email addresses, and where they take it next. Although, I found the idea of giving patients a secure email address quite interesting.

Email vs Text for Healthcare Communication

Posted on April 8, 2013 | Written By John Lynn

The idea of improving communication in healthcare is always a hot one. For fear of HIPAA and other factors, healthcare seems to lag behind when adopting the latest communication technologies. The simplest examples are email and text message. Both are simple and widely adopted communication technologies, and most in healthcare are afraid to use them.

The core reason people are afraid is that native email is not HIPAA secure and native SMS is not HIPAA secure either. Although, there is a whole suite of communication products that are working to solve the healthcare communication security challenges while still keeping the simplicity of an email or text message. In fact, both of the other companies I’ve started or advise, Physia and docBeat, are focused on the problems of secure email and secure text. Plus, there are dozens of other companies working to improve healthcare communication and hundreds of EMR, PHR, and HIE applications that are integrating these forms of communication into their systems.

As we enter this brave new world of healthcare communication, it’s worth considering some of the intricacies of email vs text. The following tweet is a good place to start.

This is really interesting to note and I can confirm those are the general statistics for most email campaigns out there today. I’m not sure of the number of texts that are opened, but it’s clear that the number of text messages that are opened is very high.

The reason this is the case is because of the expectation of what’s inside a text message vs an email. When you receive a text, you can be sure that it won’t take up more than a moment of your time. You can consume it quickly and move on with your life. The same is usually not the case with email (especially email lists). Most of the emails that are sent are lengthy because they can be. We try and pack every option imaginable into an email and so people have an expectation that if they start with the email they’re going to need time. I know this is the case because my email subscribers often thank me for my emails because they know they can get something of value quickly.

I think it was Dan Munro that pointed out an exception to the email open rate. His idea was that if the email contains an action item, then open rates are much higher. This was a good insight. There’s little doubt that if an email contains something that you have to do, then more people will open it and do the action. I don’t get a bill in my email and then don’t open it. I have to open it so I can pay the bill. I’m sure this principle can be applied in a number of ways to healthcare.

As we finally bring these common communication technologies to healthcare we need to be thoughtful about which ones we use and when we use them.

Texting is Not HIPAA Secure

Posted on April 17, 2012 | Written By John Lynn

I previously posted the somewhat controversial post: Email is Not HIPAA Secure. It was an extremely important post and included 54 incredible comments discussing email security and how email relates to HIPAA. Today I want to discuss the security issues related to text (SMS) messages.

The short story is: Texting (SMS) is NOT HIPAA Secure

I recently did a focus group to discuss physician communication. At one point I asked how many of them use text messages to communicate with other doctors. All of them acknowledged that they used it and that they were using it more and more. I then asked how many sent PHI (protected health information) in the text messages that they sent. While the response wasn’t as strong likely because they knew it was a loaded question, they all acknowledged that PHI was sent by text message all of the time.

One doctor even commented, “They’re not going to put us all in jail.”

There is some validity to this comment. They’re not going to go around like an old school lynch mob putting physicians in jail because they sent some patient information in a text message. Although, that doesn’t mean that they couldn’t go around handing out hefty fines for HIPAA violations.

Let me be clear that there are secure text message platforms out there. I’ve actually been thinking about this quite a bit lately since I’ve been advising a local Vegas Tech iPhone app called docBeat that offers this secure text message functionality for free. In fact, there are quite a few companies that are trying to provide this functionality. Although, I like docBeat because it offers a whole suite of Physician Communication Tools and not just secure text messaging. I think there’s value in a doctor only having to go to one place for all their communication needs. In a future post, I’ll do a full write up on what docBeat’s offering physicians.

At some point, I think doctors are going to turn the corner and realize that the standard SMS text messaging service that every cell phone has these days is not the right way to communicate. Besides the fact that standard text messaging isn’t secured, it’s also stored forever on the server of your cell phone service provider. Most doctors likely haven’t thought that everything they’ve sent over text could be brought back to haunt them forever.

Another problem with standard text messaging is that you don’t really know what happens with the text message once it’s sent. Did the text message actually send? Did the person you sent the text message to actually receive it? If they received the text message, have they read it?

The great thing is that we all finally have realized the value of simple communication with a text message. Now we just need to move to these new secure text messaging platforms that solve the security, reliability and tracking issues with standard text messaging.

Email is Not HIPAA Secure

Posted on December 23, 2010 | Written By John Lynn

An interesting discussion happened in the comments about HIPAA secure fax services in regards to the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don’t understand some of the details about the security (or lack of security) that’s provided by email.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between 2 email systems, but so far a standard and mechanism for encryption between all the vast number of email providers has not been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone they send an email which contains a link to an encrypted website that has a unique login. The reason they do this is because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.
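The notify-by-link pattern described above, sketched as an added example (not code from the original post or from any EMR vendor): the PHI stays in a server-side store, the email carries only an opaque expiring token, and reading requires the matching portal login. The portal URL, the class and function names, and the 72-hour link lifetime are assumptions.

```python
import hashlib
import secrets
import time
from email.message import EmailMessage

PORTAL_URL = "https://portal.example.org/messages"  # hypothetical portal address
TOKEN_TTL = 72 * 3600                               # assumed link lifetime, seconds


class SecureMessageStore:
    """Server side of the portal: PHI lives here, never in the email."""

    def __init__(self):
        self._messages = {}  # message_id -> (patient_id, phi_text)
        self._tokens = {}    # sha256(token) -> (message_id, expires_at)

    def deposit(self, patient_id, phi_text, now=None):
        """Store the PHI and return an opaque token to put in the email link."""
        now = time.time() if now is None else now
        message_id = secrets.token_hex(8)
        self._messages[message_id] = (patient_id, phi_text)
        token = secrets.token_urlsafe(24)  # 192 random bits, URL-safe
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (message_id, now + TOKEN_TTL)  # only the hash is kept
        return token

    def read(self, token, logged_in_patient, now=None):
        """Release PHI only for a live token AND the owning patient's login."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.get(digest)
        if entry is None or now > entry[1]:
            return None  # unknown or expired link
        patient_id, phi_text = self._messages[entry[0]]
        return phi_text if patient_id == logged_in_patient else None


def build_notification(to_addr, token):
    """Build the email that crosses the internet in the clear: no PHI inside."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "no-reply@portal.example.org"
    msg["Subject"] = "You have a new secure message"
    msg.set_content(
        "A new message is waiting for you in the patient portal.\n"
        "Sign in with your portal account to read it:\n"
        f"{PORTAL_URL}?t={token}\n"
    )
    return msg
```

The token in the link only locates the message; a forwarded or intercepted email is useless without the patient's own portal login.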

One of the major reasons that many people think that email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption is just for users logging in to check, read and send their email. It does not encrypt the email as it is sent from Gmail to the destination email system. Aleks, from Sfax, described it as similar to a postcard. It’s open where anyone listening can see what’s in the email with no traces left behind.

The only security email partially offers in this manner is the volume of emails that are sent. There’s such a huge volume of useless emails that there’s some security by obscurity benefits. Although, that security doesn’t meet well with the HIPAA requirements. Plus, remember that one thing that computers are great at doing is crunching large amounts of data.

One minor exception that I might make is that if you’re sending email in an internal email system, then it’s possible to set up email encryption. This is possible because you control the email system for the sender and the receiver and so there are ways to do this. However, I know very few people that have actually set this arrangement up. Probably because if they are on your internal email system they usually have access to your EMR and all the PHI can remain in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.

Discharge Summaries by Email from an EMR

Posted on March 21, 2008 | Written By John Lynn

Think about how wonderful the ability to send a discharge summary by email to a patient straight from your EMR would be. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.

Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough to make it encrypted. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than their regular mailbox. Either way, without the encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an email containing, for example, a patient’s discharge. It would be going across the internet in basically plain text.

This situation actually happened in Australia a little while back, in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.

I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that allows people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, even more serious of an issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.

We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.

It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.

Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.

The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.