

Experts say secure healthcare communication should function like email

Secure messaging in healthcare can save providers and patients time and frustration, but the security of PHI should always be the number one priority.

Secure communications, such as email or text messaging, can give healthcare providers a convenient way to interact with colleagues and patients in real time. It can save patients the frustration of having to schedule an appointment to receive lab results, or allow them to get nonurgent medical advice from their provider in a timely manner.

But as with any technology that involves the exchange of protected health information (PHI), there are several considerations providers need to keep in mind before implementing a secure healthcare communication system.

"The biggest threat to any healthcare provider is violation of patient privacy," said Brian Levine, M.D., founding partner and practice director of the Colorado Center for Reproductive Medicine. Providers can violate patient privacy by texting about a patient or sending or receiving email messages from an unsecured email location, Levine said.

Patient portals provide better documentation


Levine said when he started his practice, he purchased an extra package from GE Centricity to add a patient portal to his electronic medical record (EMR). Patients don't love the portal, Levine said, because it lacks the ease and convenience of email. But once he explained that it was a better way to handle sensitive information that patients would not want their jobs or insurance companies to know, and that it was there to protect them, they began to warm up to it.

The patient portal is utilized by all providers in the practice and documents all conversations between providers and patients. That information is integrated directly into the EMR, which keeps a longitudinal record of the patient's care.

While patients may occasionally send email messages from personal accounts, such as Gmail, this can be a huge security concern, said Bryan Laskin, D.D.S., founder of Lake Minnetonka Dental in Wayzata, Minn.

"Most patients and providers don't know that sending information through Gmail is unsecure; it could be intercepted," Laskin said. "HIPAA guidelines require either a central secure hub that people access or encrypted gateways at each end to safely transfer medical information."

If patients want to be able to send PHI via email, secure email platforms are widely available, Laskin said. Traditional email is neither HIPAA compliant nor secure, but it is still commonly used to send PHI.

Consider ease of use for provider communication

Organizations that want to use a secure healthcare communication system for provider-to-provider communication should use a platform that is user-friendly and easy to use, said Marianna Prodan, healthcare solutions manager at Accellion, a private cloud company based in Palo Alto, Calif. Choosing a tool similar to one employees are already using can also help increase adoption.

"While security is a priority, unless it's easy to use, users may turn to less secure shadow IT solutions like Dropbox, Evernote and Google Drive --- resulting in PHI stored in a public cloud --- a clear HIPAA violation," Prodan said.

"A secure collaboration solution that looks and functions like email or their other file management tools, while providing trusted access to content wherever it is stored, is much more likely to be adopted by employees."

Ephemerality key for mobile communications

Organizations that plan to use a mobile secure messaging platform should consider using a system that limits the amount of time a message is available to view, said Galina Datskovsky, CEO of Vaporstream, a secure messaging vendor based in Chicago.

"Ephemerality ensures that private information cannot be carelessly stored or used incorrectly at a later date," Datskovsky said. "A single copy of the record is already stored in the EHR to meet compliance requirements, therefore ephemerality ensures that data is not inadvertently mishandled or shared."

Many secure texting apps also have an instant delete feature and send read receipts to the sender, which lets them know whether or not their information was viewed prior to deletion.

"Working with a messaging solution that has these features helps ensure information is kept safe and secure and that lines of communication between patient care teams remain open, ultimately ensuring better patient care," Datskovsky said.

According to Prodan, other features organizations may want to keep in mind for secure mobile communications include:

Consider the patient population, organizational culture

Ultimately, the decision to use a secure healthcare communication system depends on the patient population and the organizational culture.

"Our success with protected patient communication is rooted in the fact that we have a highly motivated patient population," Levine said. You can't force it if patients are unwilling to use the platform. There also has to be a team effort around using the portal within the practice, he said. Organizations should also consider whether they use the EMR from top to bottom.

"If it's not going to work for your practice, don't do it," Levine said. "If you're not using your EMR to do your schedules and everything else, well you're probably not going to be on it enough to actually make communication through the EMR appropriate."
