E-mail as a Provider-Patient Electronic Communication Medium and its Impact on the Electronic Health Record (AHIMA Practice Brief)
Background
The American Medical Association defines provider-patient
e-mail (electronic mail) as computer-based communication
between providers and patients within a
professional relationship, in which the provider has
taken on an explicit measure of responsibility for the patient's
care.1 Electronic communications have been
shown to be effective in facilitating communication
among providers and patients, thereby allowing for
greater continuity of care and more timely interventions.2
Provider-patient electronic communications, such as e-mail
and text messaging, are healthcare organizational
business records and are therefore subject to the same
storage, retention, retrieval, medicolegal, privacy, security,
and confidentiality provisions as any other patient-identifiable
health information.3 As such, organizations
need to develop policies to manage e-mail records just
as they manage any other medical records.4
Approximately 19 percent to 38 percent of providers
currently use electronic communications with their patients.5
Growth in e-mail use is being hampered by the
lack of reimbursement for these types of communications
for Medicare patients. However, some third-party
payers have begun to reimburse in some instances, with
demonstrated improvements in both cost and workflow.
If Medicare reimbursement for electronic provider-patient
communications occurs, electronic communications
between provider and patient are likely to increase.5
Examples of provider-patient e-mail applications include
- Appointment scheduling
- Prescription refill
- Transferring lab reports or results
- Patient education
Although e-mail communication is most common,
other means of provider-patient electronic communications
include
- PDA text messaging
- Online consultations
- Online prescribing
- Web messaging
- Digital transfer of lab reports or results
Benefits
- Time/production/workflow efficiencies: Electronic
communication can reduce interruptions caused by
phone calls, reduce nonessential office visits, and save
time relative to communication by telephone. Traditional
telephone calls are not always a practical means of communication.
Often, one of the parties is not available to
communicate or does not have the time or appropriate
information at hand to complete the communication.
Telephone messages are not always private or confidential.
Many telephone messaging systems do not allow
enough time to leave complete messages. E-mail allows
both parties to read and respond to the message when it
is convenient to do so. E-mails allow for enough space
in the document to send a complete message. Finally,
because e-mail messages allow for attachments of supporting
documentation, Web site and e-mail addresses
can be added to complete the communication.
- Improved quality of care: E-mail can improve communication
between provider and patient by documenting
instructions, educational materials, or interpretation
of lab results, or it can allow for more timely communication
of test results to patients. E-mail allows both the
provider and the patient more options than traditional
face-to-face, written, and telephone interaction so communication
is enhanced.
- Cost efficiencies: Using e-mail for provider-patient
communications can result in cost savings as compared
to a face-to-face encounter.
- Provides a business record of the conversation and
transaction: Unlike face-to-face conversations or telephone
conversations, e-mail communication provides a
ready-made record of the communication.
- Liability protections: An e-mail message documents
the precise communication between provider
and patient.
- Convenience: Providers and patients can schedule
time to send or answer e-mail messages.
Risks
Security and Privacy Risks
- An e-mail message may be intercepted and threaten
patient privacy. E-mail message content can be altered
and/or forwarded to unintended recipients.
- Numbers and letters in an e-mail address can be easily
transposed, and e-mail may be delivered to the
wrong person or not delivered at all.
- Difficulty can arise in establishing or confirming the
identity of the patient in an e-mail request. A patient
name without other identifiers may be insufficient to establish
the identity of the patient. Accepting e-mail messages
containing only the patient name and/or e-mail
address without other identifiers can result in confusion
with other patients with like names and e-mail addresses.
The individual sending the e-mail may not be the
patient, but an imposter using the patient's e-mail.
- Group e-mail messages present a risk for loss of
confidentiality. Individual confidentiality is not protected
when recipients are able to see the names
and/or e-mail addresses of other group e-mail recipients.
- Word documents sent as attachments that stay on a
hard drive present a risk for unauthorized access and
breach of confidentiality.
- Clinicians answering patient e-mail messages from
an unsecured location such as home computers could
present a problem. Protected health information
would be retained on private personal computers and
in files maintained by Internet service providers.
- Opening an attachment with a virus may cause serious
damage.
Administrative and Medicolegal Risks
- Delays in turnaround time could nullify the benefits
of the electronic medium. Work flow efficiencies potentially
gained from e-mail are lost if a patient does
not receive a response and initiates either further e-mail
messages or telephone calls that require a response
as well. E-mail can serve as a protection
against liability because precise communication between
the provider and patient is documented. This
can become a liability, however, if the provider's documentation
is not complete or lacks timeliness.
- Misfiles or lost communications can nullify the benefit
of an electronic medium. E-mail messages provide
precise documentation between the provider and patient
only if the documentation can be easily referenced
and retrieved.
- Electronic communication can be misinterpreted due
to lack of verbal and nonverbal cues. Electronic communication
requires a certain level of patient e-mail/
health literacy. It may be difficult for the
provider to determine if the patient is able to understand
the medical terms and concepts contained in the
e-mail messages.
- Web pages used as links that are not "active" or contain
information that is not credible present problems.
- E-mails are returned to the sender when addresses are
incorrect or outdated.
- There is a lack of documentation that the intended recipient
received and read the e-mail message sent by
the provider.
- E-mail may overburden provider schedules.
- Laws may vary between states on use of e-mail for
patient care or provider licensure requirements.
- Inappropriate utilization by patients, such as an emergency
situation, could result in an adverse outcome
for patients.
Recommendations
Security and Privacy
- Security is a primary concern. The e-mail system security
must be sufficient to ensure, to the highest degree
possible, the following
-Nonrepudiation
-Messages are read only by their intended recipients
-Verification of delivery/receipt
-Labeling of sensitive material
-Control of access by those other than the provider
-Security of computer hardware
-Completeness
-Trustworthiness4
- Strive to retain the integrity of the message and authentication
of source.
- Whenever feasible, instruct users to copy and paste
addresses or use the e-mail reply button.
- The availability of secured (encrypted) e-mail transmission
will be the determining factor limiting the
content and use of e-mail.
- Browser-based communication with patients has advantages
because it provides additional security as compared
to e-mail. For example, log-ins are required and
audit trails are accessible. Security/encryption, physical
security, structured messaging, approval/revocation options,
and group access versus single access are more
characteristics of browser-based communication.
- Maintaining a secure mail server is an ongoing
process. A critical role in a secure mail server is an
extensive network infrastructure (firewalls, routers,
intrusion detection systems). Internet/intranet issues
must be addressed. E-mail may be secure on an intranet
and not secure on the Internet.
- Encryption software is available for wired and wireless
communication. Configuration management is an
essential part of maintaining a secure system. The
complex mathematic algorithms involved in the highest
levels of confidentiality increase e-mail size and
slow servers. Also, encryption may interfere with
virus scanning and mail content filtering. Administrative
overhead is often required. Software must be
monitored even after installation for upgrades, patches,
and correct versus default settings, especially after
a server crash.
- The HIPAA security rule provides guidelines as to
the appropriate use of transmission security.6 The associated
risk to electronic protected health information
should drive the decision to use transmission
security tools. Following is the Department of Health
and Human Services response to comments and
questions regarding the use of encryption tools to secure
protected health information transmitted from
one point to another.7
Response: In general, we agree with the commenters
who asked for clarification and revision. This final
rule has been significantly revised to reflect a much
simpler and more direct requirement. The term
"Communications/network controls" has been replaced
with "Transmission security" to better reflect
the requirement that, when electronic protected
health information is transmitted from one point to
another, it must be protected in a manner commensurate
with the associated risk.
We agree with the commenters that switched,
point-to-point connections, for example, dial-up
lines, have a very small probability of interception.
Thus, we agree that encryption should not be a
mandatory requirement for transmission over dial-up
lines. We also agree with commenters who mentioned
the financial and technical burdens
associated with the employment of encryption
tools. Particularly when considering situations
faced by small and rural providers, it became clear
that there is not yet available a simple and interoperable
solution to encrypting e-mail communications
with patients. As a result, we decided to make
the use of encryption in the transmission process
an addressable implementation specification. Covered
entities are encouraged, however, to consider
use of encryption technology for transmitting electronic
protected health information, particularly
over the Internet.
As business practices and technology change, there
may arise situations where electronic protected
health information being transmitted from a covered
entity would be at significant risk of being accessed
by unauthorized entities. Where risk analysis
showed such risk to be significant, we would expect
covered entities to encrypt those transmissions, if
appropriate, under the addressable implementation
specification for encryption.
We do not use the term "open network" in this final
rule because its meaning is too broad. We include
as an addressable implementation specification the
requirement that transmissions be encrypted when
appropriate based on the entity's risk analysis.
From Sec. 164.312, Technical Safeguards:
(e)(1) Standard: Transmission security. Implement
technical security measures to guard against unauthorized
access to electronic protected health information
that is being transmitted over an electronic
communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security
measures to ensure that electronically transmitted
electronic protected health information is not improperly
modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism
to encrypt electronic protected health information
whenever deemed appropriate.
- Cryptosystems provide a means to ensure confidentiality,
authenticity, nonrepudiation, and integrity of e-mail
messages. Three common types of cryptographic
hardware and/or software systems are:
-Symmetric cryptography: A single key is shared by the sender and the recipient. The encryption algorithm (e.g., data encryption standard [DES], 3DES) is much simpler and thus faster.
-Asymmetric cryptography (e.g., public key infrastructure): Each user owns a pair of keys, one public and one private. The public key is given to the sender to encrypt the messages, and the corresponding private key is used by the recipient to decrypt messages. The encryption algorithm (e.g., Rivest-Shamir-Adleman, a public-key cryptographic algorithm that hinges on the assumption that factoring the product of two large primes is difficult) has to match the decryption algorithm, which makes it very complex and thus much slower.
-Hybrid cryptography (e.g., pretty good privacy [PGP]): This is a combination of symmetric and asymmetric cryptography. A session key is randomly generated for each message. The plain text is then encrypted with this session key. The public key-encrypted session key is then transmitted, along with the session key-encrypted cipher text, to the recipient. In this method, the encryption (session) key is securely distributed by the public key and the plain text is encrypted by faster symmetric cryptography.
- Virtual private networks (VPN) allow use of the public
Internet to securely connect remote offices and
employees at a fraction of the cost of dedicated, private
telephone lines such as frame relay. A VPN supports
at least three different modes of use:
-LAN-to-LAN internetworking connects two or
more geographically separated networks, such as
those at a main office and a remote branch office.
-Remote access client connections allow telecommuters
to safely log into company networks.
-Controlled access within an intranet can also use
VPN technology to implement controlled access to
individual subnets on the private network.
The most important component of a VPN is the gateway.
The symmetric encryption (e.g., 3DES) is done
between gateways of two networks.
With the hype that has surrounded VPNs historically,
the potential pitfalls or "weak spots" in the VPN model
can be easy to forget. These four concerns with VPN
solutions are often raised:
1. VPNs require an in-depth understanding of public
network security issues and taking proper precautions in
VPN deployment.
2. The availability and performance of an organization's
wide-area VPN (over the Internet in particular) depend
on factors largely outside of the organization's control.
3. VPN technologies from different vendors may not
work well together due to immature standards.
4. VPNs need to accommodate protocols other than IP
and existing ("legacy") internal network technology.
- Web e-mail with a domain name and secure socket connection
provides a higher level of security than standard
secured e-mail messages.8 A secure Web server is purchased
and managed by system security professionals.
- Hard drives used by providers for patient e-mail communication
must be cleaned using a "wipe" utility before
the processor is surplused or reassigned to
another person.
Administrative and Medicolegal Recommendations
- Create a policy that establishes criteria for the
provider-patient e-mail communication and consent
process before initiating electronic communication
with the patient. The provider and patient should have
an established relationship. Differentiate among preexisting
conditions, ongoing treatment, follow-up
questions related to a previous discussion, and a new
diagnosis and treatment addressed exclusively online.
New diagnosis and treatment of conditions addressed
exclusively online may increase liability.
- Develop procedures for the patient's
authorization/agreement to use e-mail as a communication
medium. The procedures must outline where
patient authorization will be filed, how it will be retrieved,
and what indicators or flags in the patient
record, if any, show that the patient wishes to participate
in electronic communication with the provider.
- Develop policies addressing issues that require the
e-mail documentation to become part of the patient
record.
- Establish and enforce retention policies. Original e-mail,
with reply, should be filed in the electronic
health record or printed for the paper record. The
provider should initial and date the paper copy for the
paper record.
- Develop policies and procedures to guide the use of
group e-mail messages that describe the necessity of
protecting the identities of individual group members
from other members in the group and provide instructions
to users (i.e., blind copy [bcc] feature).
- Develop criteria to determine a patient's health literacy
level and ability to use an e-mail application.
- Establish procedures to instruct the patient to follow
up in person or by phone for requests that do not
meet content guidelines. Lengthy e-mail messages or
prolonged correspondence with a patient may necessitate
scheduling an appointment with the patient or
calling the patient.
- Establish a policy for e-mail turnaround time. The
policy should prioritize e-mail messages by type of
request, clearly identifying what may constitute an urgent
or emergent request. It should also include actions
to take when the turnaround time is not met.
- Develop a policy and educate patients about appropriate
types of e-mail (e.g., prescription refills, appointment
scheduling, lab results).
- Laws regarding e-mail communication may vary between
states. Research your state's laws and those of
surrounding states regarding the use of e-mail for
medical treatment. (Alllaw.com is a Web site for researching
state laws regarding the use of e-mail for
medical treatment.)
- Develop a policy that addresses security issues when
using remote access. Providers must not communicate
with patients in the context of their professional relationship
using personal e-mail accounts such as
America Online, Earthlink, or any other nonemployer
e-mail system.
- Develop a policy that addresses the following topics
that should not be discussed in e-mail transactions
and procedures that include a response to patients
whose e-mail addresses these issues:
-Protected diagnoses or treatments such as mental
health or chemical health (based on state or federal
privacy regulations)
-HIV status
-Workers' compensation injuries and disability
-Urgent health conditions
- Develop and enforce policies defining and prohibiting
emergency e-mail messages.
- Develop procedures addressing a workable documentation
mechanism for responding to an e-mail
via telephone call and responding to a telephone call
via e-mail.
- Develop a policy and procedure to guide termination
of a patient from e-mail communication (e.g., patient
notice, registration indicator).
- Establish a methodology to audit all e-mail correspondence
to ensure appropriate
-Customer service
-Quality of care provided via the e-mail communication
-Quality of the response provided to the patient via
e-mail
-Review for possible legal risk issues
-Patient privacy and confidentiality
-Tracking e-mail messages returned because of incorrect
address
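As an added example for the audit methodology just listed, and for the group-message (bcc) and turnaround-time policies recommended earlier in this section, the Go program below runs three checks over a constructed e-mail transaction log: messages returned because of an incorrect address, group messages whose To/Cc line exposes more than one patient address, and messages whose response time exceeded the limit for their subject category. It is example code written for this edit, not AHIMA's or any vendor's tool; the `Record` fields, the `TurnaroundLimits` table and the sample log are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Record is a constructed stand-in for one logged e-mail transaction.
type Record struct {
	ID       string
	To       []string   // recipients visible in To/Cc; bcc recipients are not shown
	Category string     // subject category, e.g. "lab results"
	Sent     time.Time
	Replied  *time.Time // nil while no provider response has been logged
	Bounced  bool       // returned to sender as undeliverable
}

// Finding is one audit observation tied to a message.
type Finding struct{ ID, Issue string }

// TurnaroundLimits is the assumed policy: maximum time to respond, by category.
var TurnaroundLimits = map[string]time.Duration{
	"lab results":         24 * time.Hour,
	"prescription refill": 48 * time.Hour,
	"appointment":         72 * time.Hour,
}

// Audit runs the checks over the log. patients maps registered patient
// addresses to true; now is the audit time used for still-unanswered messages.
func Audit(records []Record, patients map[string]bool, now time.Time) []Finding {
	var out []Finding
	for _, r := range records {
		if r.Bounced {
			out = append(out, Finding{r.ID, "returned as undeliverable; verify the address on file"})
		}
		visible := 0
		for _, a := range r.To {
			if patients[strings.ToLower(a)] {
				visible++
			}
		}
		if visible > 1 {
			out = append(out, Finding{r.ID, fmt.Sprintf("%d patient addresses exposed in To/Cc; group messages must use bcc", visible)})
		}
		limit, known := TurnaroundLimits[r.Category]
		if !known {
			out = append(out, Finding{r.ID, fmt.Sprintf("unrecognised category %q; cannot prioritise", r.Category)})
			continue
		}
		end := now
		if r.Replied != nil {
			end = *r.Replied
		}
		if wait := end.Sub(r.Sent); wait > limit {
			state := "answered"
			if r.Replied == nil {
				state = "still unanswered"
			}
			out = append(out, Finding{r.ID, fmt.Sprintf("turnaround limit %s exceeded (%s after %s)", limit, state, wait)})
		}
	}
	return out
}

// Constructed sample log: one late reply, one exposure, one unanswered, one bounce.
var (
	t0             = time.Date(2003, 6, 2, 9, 0, 0, 0, time.UTC)
	replied        = t0.Add(30 * time.Hour)
	SamplePatients = map[string]bool{"jane.doe@example.com": true, "john.roe@example.com": true}
	SampleLog      = []Record{
		{ID: "m1", To: []string{"jane.doe@example.com"}, Category: "lab results", Sent: t0, Replied: &replied},
		{ID: "m2", To: []string{"jane.doe@example.com", "john.roe@example.com"}, Category: "appointment", Sent: t0, Replied: &replied},
		{ID: "m3", To: []string{"jane.doe@example.com"}, Category: "prescription refill", Sent: t0},
		{ID: "m4", To: []string{"jan.doe@example.com"}, Category: "appointment", Sent: t0, Bounced: true, Replied: &replied},
	}
)

func main() {
	for _, f := range Audit(SampleLog, SamplePatients, t0.Add(96*time.Hour)) {
		fmt.Printf("%s: %s\n", f.ID, f.Issue)
	}
}
```

Run against the sample log at 96 hours after sending, the audit reports exactly one finding per message: m1 answered late, m2 exposing two patient addresses, m3 still unanswered past its limit, and m4 bounced.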
- Organizational procedures for cleaning computer
hard drives must be established and enforced.
- Update current confidentiality policies to incorporate
references to e-mail if they are not already in place.
(See Appendix A, "HIM Managers Tasks and Skills with
Regard to Administrative-Medicolegal Risks.")
E-mail Recommendations
Patient Education: Confidentiality Recommendations
- Inform patients regarding practices of screening e-mail
(e.g., if office personnel screen e-mail for the
provider). Point out the need for the patient to develop
privacy practices. Point out that patients are
charged with the responsibility to handle their information
in a secure manner.
- Instruct patients regarding the type of information
that must be included in the e-mail message. The subject
line should include the category or type of request
to facilitate prioritizing and routing messages (e.g., appointment,
prescription refill, lab results). The specific
provider's name should be included as well.
- Define patient identifiers, besides the patient's full
legal name, that will be used to verify patient identity
and facilitate filing in the electronic or paper medical
record. Suggested patient identifiers are
-Date of birth
-Last four to six digits of social security number
-Phone number
-Mother's maiden name
-Password created by the patient
Organization procedures must support the retention
of these data elements in the patient registration system,
and e-mail templates may include these items on the
form as prompts to the patient.
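The Go program below is an added example, not AHIMA's code, of how an intake step can apply the two recommendations above: it parses a message written against an assumed template (subject of the form "<category> - <provider>", body lines of the form "Label: value"), then checks the supplied identifiers against a constructed registration table. The rule that the full name plus at least two further identifiers must agree (`MinExtra`), the template layout, and the sample registry with two patients who share a name are all assumptions for the example; a request that matches no record, or more than one, is sent to manual follow-up rather than guessed.

```go
package main

import (
	"fmt"
	"strings"
)

type Registration struct{ MRN, FullName, DateOfBirth, SSNLast4 string }

// SampleRegistry is constructed data; two patients share a name on purpose.
var SampleRegistry = []Registration{
	{"MRN-0001", "Jane Doe", "1970-03-14", "1234"},
	{"MRN-0002", "Jane Doe", "1982-11-02", "9876"},
	{"MRN-0003", "John Roe", "1965-07-21", "4321"},
}

// SampleMessage follows the assumed template: the subject carries
// "<category> - <provider>" and the body carries labelled identifiers.
const SampleMessage = `Subject: Prescription refill - Dr. A. Example
Full name: Jane Doe
Date of birth: 1970-03-14
Last 4 of SSN: 1234
Please renew my blood pressure medication.`

type Intake struct {
	Category, Provider string            // routing fields from the subject line
	Identifiers        map[string]string // lower-cased label -> value
}

type Outcome struct{ Status, MRN, Reason string } // Status: verified | ambiguous | unverified

// ParseMessage reads "Label: value" lines, taking routing data from the
// subject and treating every other labelled line as a candidate identifier.
func ParseMessage(raw string) (Intake, error) {
	in := Intake{Identifiers: map[string]string{}}
	for _, line := range strings.Split(raw, "\n") {
		label, value, ok := strings.Cut(line, ":")
		if !ok {
			continue // free text, not a labelled field
		}
		label, value = strings.ToLower(strings.TrimSpace(label)), strings.TrimSpace(value)
		if label != "subject" {
			in.Identifiers[label] = value
			continue
		}
		cat, prov, ok := strings.Cut(value, " - ")
		if !ok {
			return in, fmt.Errorf("subject %q is not '<category> - <provider>'", value)
		}
		in.Category, in.Provider = strings.ToLower(cat), prov
	}
	if in.Category == "" {
		return in, fmt.Errorf("no subject line; cannot prioritise or route")
	}
	return in, nil
}

// MinExtra is the assumed local rule: name plus at least this many further identifiers.
const MinExtra = 2

// VerifyIdentity matches the supplied identifiers against the registry; name
// alone never verifies, and a match on more than one record is reported, not guessed.
func VerifyIdentity(in Intake, registry []Registration) Outcome {
	name := strings.ToLower(in.Identifiers["full name"])
	if name == "" {
		return Outcome{Status: "unverified", Reason: "no full name supplied"}
	}
	var hits []Registration
	for _, r := range registry {
		if strings.ToLower(r.FullName) != name {
			continue
		}
		extra := 0
		if v := in.Identifiers["date of birth"]; v != "" && v == r.DateOfBirth {
			extra++
		}
		if v := in.Identifiers["last 4 of ssn"]; v != "" && v == r.SSNLast4 {
			extra++
		}
		if extra >= MinExtra {
			hits = append(hits, r)
		}
	}
	switch len(hits) {
	case 1:
		return Outcome{Status: "verified", MRN: hits[0].MRN}
	case 0:
		return Outcome{Status: "unverified", Reason: "identifiers do not match a registered patient; follow up by phone"}
	default:
		return Outcome{Status: "ambiguous", Reason: "more than one registered patient matches; confirm by phone"}
	}
}

func main() {
	in, _ := ParseMessage(SampleMessage) // error handling omitted in this demo
	fmt.Printf("route %q to %s: %+v\n", in.Category, in.Provider, VerifyIdentity(in, SampleRegistry))
}
```

With the sample data the message routes as a prescription refill to the named provider and verifies against MRN-0001, while the second "Jane Doe" record is excluded because neither additional identifier agrees; a message carrying only a name is returned as unverified.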
- Inform patients that the provider will terminate e-mail
correspondence with patients who repeatedly do
not adhere to the written e-mail guidelines.
- It is a commonly accepted axiom that communication
is 7 percent words, 38 percent voice, and 55 percent
body language. If this axiom is true, e-mail must be
considered to be a communication media with limited
effectiveness. Providers communicating via e-mail
must be aware of its limitations and adjust their communication
accordingly.
- Inform patients about the risk of loss of confidentiality
when using their employer's e-mail account.
- Inform patients in advance if e-mail messages may be
forwarded to other clinics/providers (e.g., referrals).
- Inform patients that e-mail communications are retained
as part of the patient's permanent legal medical
record.
- Inform the patient about indemnity for information
loss due to technical failures.
- Patients should be educated about the appropriate
types of transactions for e-mail communications. E-mail
templates may be created to assist the patient in
identifying the type of request (e.g., check boxes). Examples
of when e-mail is appropriate include
-Prescription renewals
-Nonurgent medical advice
-Test results, based on professional judgment
-Insurance inquiries
-Benefit information
-Provider network information
-Billing information
-Scheduling/canceling/rescheduling appointments
-Clinic/provider changes
-Other nonurgent communication
- Document patient education in the patient's medical
record and reference education materials given to
the patient.
Electronic Document Management Recommendations
E-mail must be treated like any other healthcare organizational
business record (e.g., patient medical record,
patient financial record, employee record) because it is
subject to the same course of evidentiary discovery and
has a life cycle that requires management guidelines
(i.e., it is created, indexed, searched, retrieved, routed,
stored, and purged).
E-mail management is an enormous, complex problem.
This problem is expected to get worse as the numbers
and types of senders and receivers (e.g., providers and
patients) increase exponentially. Therefore, the following
guidelines are recommended:
- Identify existing, enterprise-wide repositories that
securely store (or should store) e-mail records and attachments
that merit evidentiary handling.
- Develop or acquire an easy-to-use yet functionally
robust e-mail management system that includes a centralized
archive. The e-mail management system should
-Have intuitive methods for identifying e-mail classifications
and retention rules. For example, one classification might be healthcare-related information that
is linked directly to the master patient index. Another
classification might be meetings and general business
communication information. Different retention rules
could be linked to each classification group.
-Include dependable search capabilities as well as
fast and efficient access to archives.
-Have an "open architecture" allowing for compatibility
with popular e-mail systems.
-Enforce e-mail archiving policies. For example,
when an individual closes an e-mail and is ready to
discard or save it, a prompt should appear with a
yes-or-no choice asking if the user would like to
make this a part of any of the healthcare organization's
"business" records (e.g., classification of patient
medical records). This "opt in/out" e-mail
capture function can be eliminated if the healthcare
organization declares ahead of time that the e-mail
must always be retained to comply with a regulatory,
legal, or business need (e.g., an e-mail correspondence
between a provider and a patient). In
addition, this function can be managed in the background
using Web technology so that, for example,
each new patient added to the master patient index
triggers a domain name, with all inbound and outbound
e-mail captured for patientname.com.
-Include retention rules that are triggered automatically
by actions. This includes automatically deleting
or encrypting a "patient class" of e-mail after X
number of days/months/years so it cannot be accessed.
(Note: Never archive encrypted e-mail
records for fear of losing the algorithms or keys.)
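The following Go program is an added example, not part of the brief or of any e-mail management product, of the classification and retention behaviour described above: a message is assigned to the patient class when either correspondent's address is found in a (constructed) master patient index, the patient class is captured automatically without the opt-in/out prompt while general business traffic still prompts, and the retention action is triggered by the record's own send date. The class names, the `Rules` table with its placeholder retention periods, and the sample messages are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Class string

const (
	ClassPatient  Class = "patient-record"   // correspondent is in the master patient index
	ClassBusiness Class = "general-business" // meetings and administrative traffic
)

// RetentionRule is what policy attaches to a class. The periods below are
// placeholders for illustration, not figures from the brief.
type RetentionRule struct {
	AutoCapture bool          // true: retained without the opt-in/out prompt
	Retain      time.Duration // minimum time the record must be kept
}

var Rules = map[Class]RetentionRule{
	ClassPatient:  {AutoCapture: true, Retain: 10 * 365 * 24 * time.Hour},
	ClassBusiness: {AutoCapture: false, Retain: 3 * 365 * 24 * time.Hour},
}

type Message struct {
	ID, From, To string
	Sent         time.Time
}

type Disposition struct {
	Class       Class
	MRN         string // filled when the message is linked to a patient
	Capture     string // "automatic" or "prompt user"
	RetainUntil time.Time
	Action      string // "retain" or "eligible for disposition"
}

// Classify links a message to a patient when either correspondent's address
// is registered in the master patient index (assumed here to be keyed by address).
func Classify(m Message, mpi map[string]string) (Class, string) {
	for _, addr := range []string{m.From, m.To} {
		if mrn, ok := mpi[strings.ToLower(addr)]; ok {
			return ClassPatient, mrn
		}
	}
	return ClassBusiness, ""
}

// Dispose applies the class's retention rule as of now. The retention clock
// starts at the send date, so the action follows the record's own timeline.
func Dispose(m Message, mpi map[string]string, now time.Time) Disposition {
	class, mrn := Classify(m, mpi)
	rule := Rules[class]
	d := Disposition{Class: class, MRN: mrn, Capture: "prompt user",
		RetainUntil: m.Sent.Add(rule.Retain), Action: "retain"}
	if rule.AutoCapture {
		d.Capture = "automatic"
	}
	if !now.Before(d.RetainUntil) {
		d.Action = "eligible for disposition"
	}
	return d
}

// Constructed sample data: one provider-patient exchange, one internal message.
var (
	SampleMPI  = map[string]string{"jane.doe@example.com": "MRN-0001"}
	sent       = time.Date(2002, 1, 15, 10, 0, 0, 0, time.UTC)
	SampleMsgs = []Message{
		{ID: "m1", From: "jane.doe@example.com", To: "dr.example@clinic.example", Sent: sent},
		{ID: "m2", From: "scheduler@clinic.example", To: "staff@clinic.example", Sent: sent},
	}
)

func main() {
	now := time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, m := range SampleMsgs {
		fmt.Printf("%s: %+v\n", m.ID, Dispose(m, SampleMPI, now))
	}
}
```

Evaluated on 1 January 2006, the patient message is still within its retention period and was captured automatically, while the internal message has passed its shorter period and becomes eligible for disposition under the policy.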
- Create appropriate rules, policies, and procedures specific
to each organization upon system deployment to
eliminate the risk of purging e-mail attachments in a
storage crisis. These systems quickly become overwhelmed
by metadata and attachments.
- Establish a methodology to meet HIPAA's requirement
for providing an accounting of disclosures.
(See also Appendix D, "Summary of Best Practices for
Provider-Patient E-mail Communication.")
Notes
1. American Medical Association. "Guidelines for Physician-patient Electronic Communication." Available at www.ama-assn.org/ama/pub/category/2386.html.
2. Institute of Medicine. "Key Capabilities of an Electronic Health Record System: Letter Report." Available at http://books.nap.edu/books/NI000427/html/index.html.
3. Kohn, D. "E-mail: Treat It as Just Another Record." Advance for HIM Professionals. Available at www.advanceforhim.com/common/editorialsearch/viewer.aspx?FN=02oct28_hip33.html&AD=10/28/2002&FP=hi.
4. Kahn, R. "Beyond HIPAA: The Complexities of Electronic Records Management." Journal of AHIMA 74, no. 4 (2003). Available in the FORE Library: HIM Body of Knowledge at www.ahima.org.
5. "Handhelds Hot, E-mail Not for US Physicians." Press release issued Nov. 4, 2002, by the Healthcare Information and Management Systems Society. Available at http://www.himss.org/ASP/ContentRedirector.asp?ContentId=23146.
6. "Health Insurance Portability and Accountability Act of 1996." Public Law 104-191. August 21, 1996. Available at http://aspe.hhs.gov/admnsimp/.
7. "Final Rule for Security Standards." Federal Register 68, no. 34 (February 20, 2003). Available at http://www.access.gpo.gov/su_docs/fedreg/a030220c.html.
8. Rognehaugh, A., and R. Rognehaugh. Healthcare IT Terms. Chicago: Healthcare Information and Management Systems Society, 2001.
References
American College of Physicians. "The Changing Face of Ambulatory Medicine-Reimbursing Physicians for Computer-based Care." Available at www.acponline.org/hpp/e-consult.pdf.
Bowman, B. "Beyond the Telephone: Electronic Tools for Patient-provider Communications." Group Practice Journal 51, no. 1 (2002). Available at www.amga.org/Publications/gpj/articles/CoverStories/coverStoryJan02_gpj.pdf.
Burrington-Brown, J., and G. Hughes. "AHIMA Practice Brief: Provider-Patient E-mail Security" (Updated June 2003). Available in the FORE Library: HIM Body of Knowledge at www.ahima.org.
California Health Care Foundation. "E-encounters." Available at www.chcf.org/documents/ihealth/EEncounters.pdf.
HealthyEmail. "Email and Clinical Practice." Available at www.healthyemail.org/ and www.healthyemail.org/toolkit.php.
Kane, B., and D. Z. Sands. "Guidelines for the Clinical Use of Electronic Mail with Patients." JAMIA 5, no. 1 (1998): 104–111.
Manhattan Research. "The Future of Medicine Is in the Hands of 205,000 Physicians." Available at www.manhattanresearch.com/thepulse.htm.
Medem. "eRisk Working Group for Healthcare: Guidelines for Online Communication." Available at www.medem.com/phy/phy_eriskguidelines.cfm.
Medem. "eRisk Working Group for Healthcare: Guidelines for Online Communication [Addendum]." Available at www.medem.com/corporate/corporate_Addendum_A_eRiskGuidelines.cfm.
Medem. "Secure Messaging and Online Consultation FAQ for Physicians." Available at www.medem.com/phy/phy_faq_physician.cfm.
Murphy, G. "Patient-centered E-mail: Developing the Right Policies." Journal of AHIMA 71, no. 3 (2000). Available in the FORE Library: HIM Body of Knowledge at www.ahima.org.
Patt, M. et al. "Doctors Who Are Using E-mail with Their Patients: A Qualitative Exploration." Journal of Medical Internet Research 5, no. 2 (2003). Available at www.jmir.org/2003/2/e9/index.htm.
Sands, D. Z. "Guidelines for the Use of Patient-centered E-mail." Available at www.mahealthdata.org.
Techencyclopedia. Available at www.techweb.com/encyclopedia/.
Tracey, M., W. Jansen, and S. Bisker. Guidelines on Electronic Mail Security. Washington, DC: National Institute of Standards and Technology, US Department of Commerce.
Prepared by
This practice brief was developed by the following
AHIMA e-HIM work group:
Marti Adkins, RHIA
Nancy Russell Cardamone, RHIA
Ray Chien, MS
Angela Clark, RHIA
Lynn Crothers, RHIT
Carmella Jackson, MS, RHIA, NMCC
Stephanie John, RHIA
Bassam Kawwass, RHIA
Sandra Kersten, RHIA
Gail Kraft, RHIA
Catherine Krawetz, RHIT, CCS
Lynda Mitchell, RHIA, CPHQ
David Mozie, PhD, RHIA
Deborah Nieves, RHIA
Harry Rhodes, MBA, RHIA, CHP (staff)
David Sweet (staff)
Mary Stanfill, RHIA, CCS, CCS-P (staff)
Acknowledgements
For assistance in the development of this practice brief:
Deborah Kohn, MPH, RHIA, CHE, CPHIMS, FHIMSS