e-Communication: Using email, texting, recordings, and portals to promote patient communication
Electronic communication (e-communication) has increased significantly and is no longer limited to e-mail on the desktop. Smart phones and tablet computers make it possible to access information and send and receive messages anywhere there is a cell signal or wireless network. Mobile communication technologies have spread with remarkable speed.
e-Communication is possible using a variety of platforms including e-mail, text messaging and private patient portals.
Risk managing patient-provider electronic communications
Text messages (SMS), public e-mail and consumer voice/video-over-internet services (such as Skype) are the least secure methods of e-communication: none of them gives the practice end-to-end encryption it controls or can verify, so the content is exposed to carriers, mail providers and anyone with access to the devices or accounts involved. That exposure makes them vulnerable to breaches of protected health information. Patient portals and private networks are much more secure when well designed and carefully managed.
- E-mail has been available for years and many organizations such as the American Medical Association, American Health Information Management Association and the American Academy of Pediatrics have position statements, talking points and guidance on the use of e-mail to communicate with patients.
Risks: Unless the e-mail is encrypted and secure, it is not appropriate for sending electronic protected health information (ePHI) over public networks. The exception is sending unsecured ePHI at the patient's request: under HIPAA the patient has the right to request that their PHI be transmitted to them in the medium they choose, after being told of the risk. E-mail is discoverable and may be recovered from hard drives and mail servers even after deletion.
- Text Messaging (also known as SMS) is a common platform on cell phones, smart phones and some tablet computers (mobile devices). It is possible to attach photographs, video and embed links in text messages. Depending on the type of phone plan, there may be a cost to both the sender and receiver for each message.
Risks: SMS text messages cannot be end-to-end encrypted by the sender; they are readable by the carrier and are retained on the handset and in carrier systems. The ability to attach images and embed links, combined with the fact that most mobile devices have no antivirus protection installed, creates a significant risk of malware infection. Text messages are discoverable. Without a separate text management platform there is no direct way to incorporate text communications with patients into the patient record; they must be transcribed. Failure to document important clinical text messages in the medical record can create problems down the line if the record is needed to defend a claim or Board complaint. As of December 2016, The Joint Commission had deemed text messaging inappropriate for physician orders. CMS reiterated this position in December 2017 and further clarified "that texting patient orders is prohibited regardless of platform, however, members of the healthcare team may text patient information through a secure platform" (DHHS, 12/28/2017 Memo, "Texting of Patient Information among Healthcare Providers").
- Patient Portals are password-protected web applications that facilitate the exchange of information. A well-built portal is very secure: users must be authenticated before they can access or use it, and all traffic is encrypted in transit. Portals may be integrated with the organizational EHR, which facilitates medical record documentation of communications and sharing of patient health information electronically. Some organizations give patients access to their own EMR via the portal; others limit use to messaging and sharing of diagnostic test results.
- Recording patient/physician communication: Patients may request to record directions, instructions, or conversations with providers. It is important to have parameters around these requests. The patient may need to share this information with a loved one or they may need to hear instructions again. It is important to have conversations with patients regarding the use of their electronic devices for communication purposes.
Privacy and Security Recommendations
- Conduct electronic communication with patients over a secure network. Encrypt electronic protected health information from the point of creation, through transmission to the point of receipt. Instruct providers not to transmit protected health information over public networks such as airport, hotel or coffee shop Wi-Fi hotspots. Patient portals are one of the most secure methods of communicating.
- Establish clear mechanisms to authorize and authenticate patient users.
- For patient portal and private network access, require a user name and password. Deliver the user name and password to patients in a secure manner (never in the same unencrypted message as the link to the portal). Ensure the system automatically locks an account after a set number of failed attempts; a temporary lockout is preferable to a permanent one, so that a third party cannot lock patients out simply by guessing at their user names.
- For e-mail and text messaging, pre-register patients including their e-mail address and cell/smart phone number. Require them to include a second identifier, such as date of birth, in e-mails and text messages. Note that a date of birth is not a secret; it guards against misdirected messages, not against a deliberate impersonator, and should not be the only check.
- Require passwords and current antivirus (malware) protection for all devices (pads, laptops, desktops, smart phones) including providers' personal devices.
- Develop and enforce password requirements.
- For example: require a set minimum number of characters including a capital and a non-alphabet character.
- Instruct providers to avoid simple passwords such as 1234 or QWER on their personal devices.
- Change passwords regularly, and always when compromise is suspected. (Current NIST guidance in SP 800-63B no longer recommends routine forced rotation, because it tends to produce predictable variants; a blocklist of common and breached passwords gives more benefit.)
- Establish a mechanism to ensure user access termination in a timely manner when appropriate (patient or provider leaves organization, uses technology inappropriately, etc.).
- The portability of smartphones and tablets makes them highly vulnerable to theft, loss and electronic snooping. Inventory all portable devices used by providers to communicate protected health information. Ensure the ability to lock or remotely wipe the devices if lost or stolen, and enable full-device encryption so a wiped or lost device yields no readable data.
- Include a disclaimer on all outgoing messages. For example: This communication may contain health information that is private and solely for the use of the intended recipient.
- Include a disclaimer on portal and private network sites. For example: This site may not be read every day and should not be used for sensitive or urgent issues.
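The recommendations above on password rules, account lockout and weak-password patterns such as 1234 or QWER can be checked mechanically at the portal login. The following is an added example, not code from the original practice tips or from any particular portal vendor; the thresholds (five failed attempts, a fifteen-minute lockout, a twelve-character minimum) and the short list of weak fragments standing in for a real breached-password list are assumptions chosen for illustration.

```python
"""Portal login: password-policy check, salted password hashing and
temporary account lockout after repeated failures.

Added example; thresholds and the weak-fragment list are assumptions.
"""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5       # assumed threshold before lockout
LOCKOUT_SECONDS = 15 * 60     # assumed temporary lockout window
PBKDF2_ITERATIONS = 200_000   # assumed work factor for PBKDF2-HMAC-SHA256

# Keyboard walks and trivial sequences the guidance warns about; a real
# deployment would also consult a breached-password list.
WEAK_FRAGMENTS = ("1234", "qwer", "asdf", "password", "abcd")


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no non-alphabetic character")
    lowered = password.lower()
    for fragment in WEAK_FRAGMENTS:
        if fragment in lowered:
            problems.append(f"contains weak sequence {fragment!r}")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen user table does not reveal passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def create_account(username: str, password: str) -> Account:
    """Refuse to create an account with a password that fails the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def attempt_login(account: Account, password: str, now: float = None) -> str:
    """Return 'ok', 'locked' or 'bad_password'.

    The lock is checked before the password is verified, so a correct guess
    made during the lockout window still returns 'locked' and an attacker
    learns nothing from it.
    """
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.pw_hash):   # constant-time compare
        account.failed_attempts = 0
        account.locked_until = 0.0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0   # counter restarts once the window expires
    return "bad_password"


def demo_sequence() -> list:
    """Constructed scenario: five wrong guesses, then the real password during
    and after the lockout window. Returns the list of login results."""
    acct = create_account("jdoe", "Clinic-Portal-2024")
    t0 = 1_000.0
    results = [attempt_login(acct, "wrong-guess", now=t0 + i) for i in range(5)]
    results.append(attempt_login(acct, "Clinic-Portal-2024", now=t0 + 10))
    results.append(attempt_login(acct, "Clinic-Portal-2024", now=t0 + LOCKOUT_SECONDS + 10))
    return results


if __name__ == "__main__":
    print(demo_sequence())
```

The lockout is deliberately time-limited rather than permanent: a permanent lock lets anyone who knows a patient's user name deny that patient access, while a short window still makes online guessing impractical.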
According to Crittenden Research, the annual number of healthcare breaches increased from 160 to 333 between 2010 and 2014, and the number of records exposed grew from approximately 1.8 million to 8.2 million over the same period. According to the Ponemon Institute, the per-record cost of a healthcare data breach is approximately $359. These costs cover notification, credit monitoring, forensic investigation, public relations, legal fees and losses from patient attrition and re-acquisition. Steps which can be taken to mitigate the risk include:
- Educate staff on cyber risks
- Protect mobile devices
- Maintain good computer habits and routine maintenance (patching, removing unused software)
- Use a firewall
- Control access to PHI
- Use strong passwords, change regularly
- Limit network access
- Control physical access
Policies and Procedures
- Evaluate current confidentiality and information security policies and update to reflect e-communication with patients.
- Determine whether providers will be limited to organization provided devices for e-communication or will be permitted to bring their own devices (BYOD).
- Develop and enforce clear policies if personal devices are permitted.
- For example, prohibit the storing of protected health information on personal devices.
- Prohibit sharing of personal devices.
- Work with information technology support to determine whether separating work-related from personal information on the device (sandboxing, or a managed work profile) is an option.
- Determine the types of e-communication that will be used and establish guidelines.
- Determine the purpose of the program: is it strictly for patient communication or will e-visits be permitted?
- For e-visits: differentiate between simple consultations related to existing problems and diagnosis and treatment of new conditions (which requires a face-to-face visit). Do not permit e-visits across state lines unless the provider is licensed to practice in both states and both states permit virtual visits.
- Require signed informed consent between the provider and patient. Include a discussion of the platform (e-mail, patient portal), the risks of e-communication, appropriate use guidelines/conditions of participation, and user authentication.
- Develop standardized responses for situations such as requests from non-authorized patients, failure to follow system guidelines and inappropriate use.
- Establish expected turnaround time for responding to messages. Include responsibility for coverage when the provider is off.
- Establish clear guidelines for appropriate use based on the platform. For example, specially protected diagnoses (HIV, mental health, substance abuse), abnormal test results, bad news, new diagnoses and anything urgent are not appropriate for any e-communication platform. Appointment reminders may be appropriate for text messages and e-mails.
- Include e-communication in current documentation policies. Clinical e-communication exchanges should be incorporated in the patient's medical record.
- Determine whether attachments such as photographs or videos are supported by the platform (portal, private network, mobile device) and if use will be permitted. For example: patient photographs of skin rashes and video of behavioral outbursts or seizure activity. Specify how the images will be stored and made part of the medical record.
- Provide regular job-specific education for physicians and staff on the e-communication policies and procedures. Include discussion of professional boundaries including the establishment of a clear delineation between personal and professional use of e-communication.
- Include e-communications in the organization's "legal hold" policy. When a claim is anticipated and/or a request for information or subpoena includes electronic communications, specific action is required to preserve electronically stored information (such as e-mails). Notify users of the potential claim and direct that all patient communications and documentation (including e-mails) may not be deleted or modified. This may include cell phone text messaging.
- Set aside specific times each day to respond to e-communications.
- Ensure your responses are professional and appropriate. Use plain language and avoid over-familiarity.
- End each e-communication with a signature block that includes provider name, contact information, response time and instructions for what to do if the response time is not met.
- Avoid group messaging. If it is used, place recipients in the Bcc field so that each recipient sees only their own address and no other patient's.
- Ensure the communication mechanism sends message received notification. This is important for both the provider and the patient.
- Do not give personal e-mail addresses and phone numbers to patients. Unless parameters for communication have been agreed with the patient, patients may text, call or send pictures to a provider's personal cell phone, outside any secure platform or record.
- Maintain professional boundaries and limit communication to care and treatment related issues.
- Do not e-communicate with new patients who haven't been seen in the office.
- Do not use e-communication to evaluate and treat new problems.
- Smartphone/mobile device specific guidance:
- Keep OS (operating system) and software up-to-date at all times.
- Install a device-specific mobile security application.
- Do not circumvent the built-in security of your smartphone (jailbreaking or rooting).
- Do not install applications from sources other than the platform's official app store. Third-party application sources are common sources of malware and increase the risk of electronic snooping and information loss.
- Be cautious regarding the access that applications request on your portable device. For example, access to SMS (text messages), device memory (SD card), cameras and microphones can give application makers access to sensitive personal information. Avoid free and ad-supported applications.
- Notify management/IT immediately if your device is lost or stolen.
- Use discretion when e-communicating on mobile devices in public areas such as elevators, waiting rooms and cafeterias, to reduce the risk of others seeing/reading the interaction.
- Leave Wi-Fi and Bluetooth connections off when not in use.
- Do not leave devices unattended and program a short inactivity log off.
- Establish clear guidelines for appropriate use such as prescription refills, non-urgent medical advice, simple lab results and appointment management, and inappropriate use such as emergencies, complicated or sensitive questions.
- Establish a process to prepare patients for e-communication that includes authentication, informed consent and education.
- Instruct patients to specify the purpose of the communication in the subject line for email communication. For example, "refill request", "reschedule appointment", "medication question".
- Encourage use of the Patient Portal for e-communication for all of the above as available to the practice.
It is important for practices, providers and patients to understand the risks and benefits of communicating health care information electronically and to mitigate and manage the risks appropriately. Communicating and reinforcing the importance of these communication methods with patients and staff is necessary to assure consistency of use.
References
ECRI. Communication and Patient Safety. 4/1/2009.
ECRI. Covert Affairs: Recording Conversations in Physician Offices. 2015.
ECRI. Personal Electronic Devices in Healthcare. 2015.
Top 10 Tips for Cybersecurity in Health Care. HealthIT.hhs.gov.
Medical Mutual Insurance Company of Maine's "Practice Tips" are offered as reference information only and are not intended to establish practice standards or serve as legal advice. MMIC recommends you obtain a legal opinion from a qualified attorney for any specific application to your practice.