
should providers send patient information by e-mail


Presentation Transcript


    1: 1 Should Providers Send Patient Information By E-mail? Gail Graham David Douglas, MD Gail Belles Stephania Putt

    2: 2

    3: 3 AGENDA Introduction, Background, Communication & Medical Records (Gail Graham, David Douglas) Current use of e-mail to send PHI, CPRS Alternatives to e-mail, Clinician communication needs (David Douglas) Overview of e-mail transmission, Security Risks of e-mail, VA Policy, Near and Long Term Solutions (Gail Belles) Privacy Presentation (Stephania Putt) Summary Q&A

    4: 4 INTRODUCTION Title: Should Providers Send Patient Information By E-mail? Level: 100 Class Type: Lecture Class Length: 120 Minutes on Tuesday 90 Minutes on Wednesday Class Number: 106 Should Providers Send Patient Information By E-mail? Day/Time: Tuesday Afternoon 120 minutes Wednesday Afternoon 90 minutes Class Description: This Health Information Management sponsored class reviews the risks and benefits of sending patient information by e-mail including technical, security, legal, and practical issues. Faculty: David Douglas, Gail Belles, Stephania Putt, Gail Graham

    5: 5 Background E-mail is ubiquitous in modern business and this extends to health care. E-mail enables numerous efficiencies but also introduces risks. VA has become dependent on e-mail for business needs but must carefully manage the use of this communication medium so as to protect patient privacy and comply with laws, regulations, and policy. Purpose of this class is to review the risks and benefits of sending patient information by e-mail including technical, security, legal, and practical issues.

    6: 6

    7: 7 Examples A problem with system configuration at one facility caused unencrypted messages containing PHI to be emailed to providers with email addresses outside “va.gov” An improper exchange of employee performance data between a supervisor and union representative caused work documents containing names and SSNs of numerous veterans to be transmitted unencrypted and without a “need to know” by union representative.

    8: 8 Communication and The Medical Record Definition: A medical record, health record, or medical chart is a systematic documentation of a patient's medical history and care. Purpose: …The medical record also serves as a basis for planning patient care, documenting communication between the health care provider and any other health professional contributing to the patient's care, … and documenting the care and services provided to the patient. Wikipedia

    9: 9 History of the Medical Record Early 20th cent Medical Record was primarily a documentation medium 2 developments led the medical record to become a communications medium Change in Dr-Patient relationship Expansion of Team Care

    10: 10 Medical Record as a Communication Medium 3 primary uses Rapid access to recent information on a patient's condition Ensuring continuity of care Audit tool to assess quality of care

    11: 11 7 Key Capabilities of an Electronic Health Record System www.iom.edu Health Information & Data Result Management Order Management Decision Support Electronic Communication & Connectivity Patient Support Administrative Processes

    12: 12 Electronic Communication and Connectivity Electronic communication tools, such as e-mail and web messaging, have been shown to be effective in facilitating communication both among providers and with patients, thus allowing for greater continuity of care (Balas et al., 1997; Liederman and Morefield, 2003; Worth and Patrick, 1997) and more timely interventions (Kuebler and Bruera, 2000).

    13: 13 Lit Review: Clinicians and E-mail e-mail consultation in health care: Car and Sheikh point out that e-mail use has grown in medicine without the necessary infrastructure to address security issues. On Call and Online: Spielberg compares e-mail with other communications media noting that e-mail may become part of the permanent medical record.

    14: 14 Lit Review: Clinicians and E-mail Legal Issues Concerning Electronic Health Information: Hodge et al describe benefits of e-mail coupled with risk to patient privacy. e-Risk Guidelines: Online communications must include privacy and security provisions. Providers and patients must understand privacy and security risks.

    15: 15 Lit Review: Clinicians and E-mail Secure e-mail messaging for the Health Care Industry: White paper calls for secure e-mail as a more efficient means of provider-provider communication. HIPAA Email Security Management in Email Communications: White paper notes value from electronic communication in health care but requires risk analysis and mitigation.

    16: 16 Lit Review: Clinicians and E-mail Use of e-mail curbside consultation: Bergus et al report Family Practitioners and Consultants highly satisfied with e-mail consult service. Curbing the curbside consult: Dyer cautions that online consultation may not be a “formally peer-reviewed or evidence based clinical resource.”

    17: 17 How is PHI currently being sent via e-mail? Provider-Provider communication Curbside Consultation Discuss Diagnosis and treatment Provider-Ancillary Staff communication Scheduling Transportation Care Coordination VISN and VACO communication Congressional Complaints HINQ requests

    18: 18 How is PHI currently being sent via e-mail? EPRP Reviews Medical Record delinquency notices Medical Record error notification Death notices Ward Secretary Communication Demographic Change notification Address Phone # Next of Kin

    19: 19 How is PHI currently being sent via e-mail? Inter-ward transfer coordination Social Work assistance Lodging coordination Assistance with scheduling a test, procedure, or operation Debugging Vista errors such as Results reporting Many, many other examples…

    20: 20 Advantages of sending PHI via E-mail Asynchronous communication More efficient than phone or FAX Creates a searchable record Can be Later’ed Message can be crafted on your time and your schedule. Dialog not suited for progress notes or clinical documents Allows communication with recipients outside VA including Congressional Offices and VA Business Partners Can include attachments or parts of other e-mail strings. Shipley/Schwalbe

    21: 21 Disadvantages of Sending E-mail SPAM Difficult medium for resolving complex, delicate, or emotionally charged issues Searchable record Forwarding and addressing errors Can be sent/forwarded to larger audience than those with “need to know”

    22: 22 CPRS alternatives to sending PHI via E-mail Clinical Documents Additional Signer Intra-facility consults Inter-facility consults Non-Visit Consults Add a Comment Orders Notifications and View Alerts

    23: 23

    24: 24

    25: 25

    26: 26

    27: 27

    28: 28

    29: 29

    30: 30

    31: 31 CPRS Notifications

    32: 32 Some e-mail risks… E-mail may be accidentally auto-forwarded to non-VA e-mail systems E-mail may be forwarded to a mailgroup or distribution list Recipient selection errors Providers may treat progress notes like e-mail Printed email containing protected health information (PHI) may be vulnerable to unauthorized access or inappropriate disposal (recycle bins vs. locked shredder bins)

    33: 33 Auto-forwarding Select MailMan Menu Option: PP Personal Preferences Select Personal Preferences Option: ? GML Enroll in (or Disenroll from) a Mail Group Personal Mail Group Edit Forwarding Address Edit Select Personal Preferences Option: Forwarding Address Edit FORWARDING ADDRESS: <INSERT VA ADDRESS> How likely is it that PHI will be auto-forwarded across the internet? Per Mr. McFarland’s memo dated May 24, 2004 entitled “Limits on the Use of Certain E-mail Features and Configurations”, auto-forwarding of e-mail to an address outside of VA is not acceptable.

    34: 34 Mailgroups Select MailMan Menu Option: s Send a Message Subject: please reschedule appt Send mail to: DOUGLAS,DAVID M// G.MH 1 MH CONSULT 2 MH P2 (64 employees) 3 MH P2 SCHED APPT (3 admin support staff) How likely is it that a message intended for the 3 scheduling staff will get misdirected (and amplified) to the entire 64 member MH P2 mailgroup?

    35: 35 Recipient Selection Errors Send mail to: // ZZTEST-EMPLOYEE, ONE 1 ZZTEST-EMPLOYEE, ONE FACILITIES MANAGEMENT SVC - V Last used MailMan: 07/06/07@15:09 2 ZZTEST-EMPLOYEE, TWO PRIMARY CARE DIVISION Last used MailMan: 07/20/07@15:26 Leave Jun 18-19, 2007. How likely is it that FMS employee will receive e-mail intended for the Primary Care Physician?

    36: 36 What if the earlier example were written in the form of an e-mail?

    37: 37

    38: 38 Progress notes are not e-mail

    39: 39 Don’t put in e-mail anything you wouldn’t say in front of the patient "Patient suffers from paranoia" "Vexatious complainant" "Reads too many textbooks" "Keeps a filthy house" "Alcoholic" "Drug abuser" "Suffers from memory lapses" "Over anxious" "In need of psychiatric help" "Imaginary symptoms" Sufferers of Iatrogenic Neglect

    40: 40 Non-CPRS Alternative Communications (These carry their own risks) Letters or Hard Copy Documents FAX Secure network folders De-identified e-mail Text or Instant Messaging In-Person Communication Silence

    41: 41

    42: 42 Secure Network Folders require significant administrative support

    43: 43 Text Messaging

    44: 44

    45: 45 De-Identified e-mail can take on the appearance of I’ve Got a Secret Select Provider Menu Option: Mailman Menu VA MailMan 8.0 service for DOUGLAS.DAVID_M@PORTLAND.MED.VA.GOV You last used MailMan: 07/22/07@09:24 You have no new messages. Select MailMan Menu Option: S Send a Message Subject: PLEASE CALL TRANSPORTATION The veteran that we were talking about this morning needs medical transport to OHSU at 11:30. Can you please set this up?

    46: 46

    47: 47

    48: 48 The VistA Patient Representative Tracking System has been replaced by the Patient Advocacy Tracking System (PATS). Whereas you used to receive Alerts in CPRS, to respond to a Patient Complaint or view a Compliment, you will now receive a link in your Outlook e-mail.

    49: 49 These Outlook e-mail notifications are known as Action Request Notifications (ARNs). These will be either informational emails (FYI) or action required emails.  FYIs are just that, no action is required or we have already solved it. The action required emails will have short statements defining the case and a statement from the Patient Advocate asking for a specific item from you.   

    50: 50

    51: 51

    52: 52 After you log in it should either take you to an Informational Notification (FYI) of the ROC or the action Item required.

    53: 53

    54: 54 VHA HANDBOOK 1003.4 b. Patients Must Have Their Complaints Addressed in a Timely Manner (1) There must be sufficient staffing devoted to the Patient Advocacy Program to ensure timely resolution of complaints, identification and resolution of system issues, and tracking, trending and reporting to appropriate areas. Response to complaints occurs as soon as possible, but no longer than 7 days after the complaint is made. Should the complaint require more than 7 days, staff are responsible for continuously updating the patient on the status of the complaint and/or resolution. NOTE: Privacy complaints are to be processed in accordance with VHA Handbook 1605.1, Privacy and Release of Information.

    55: 55 Clinician Needs Role based messaging built into CPRS Ability to securely communicate outside clinical documents Auditing capabilities Latering Delivery, Read Confirmation and the BOOMERANG safety feature. Transparent security Transparent e-discovery assurance Ability to securely communicate to non-VA providers

    56: 56 “Mail To” Functionality linked to CPRS Progress Notes Message directs recipient to the CPRS Note rather than copying its contents. Message contains minimum necessary information Comments functionality allows dialog outside of CPRS. Message can be: “Latered” Set up for Read Receipt Copied to Senders Inbox Made Priority Made Information Only

    57: 57

    58: 58

    59: 59

    60: 60 Overview of E-Mail Transmissions Secure Network Transmissions Vista MailMan VistA Directive and Waiver Attachmate Microsoft Office Outlook Public Key Infrastructure (PKI) Rights Management Services (RMS) Exchange Email Archive Services (EAS) Outlook Web Access (OWA) Virtual Private Network (VPN) – Remote Access Remote Enterprise Security Compliance Update Environment (RESCUE) Internet Gateway Secure Email

    61: 61 Security Risks of Email Authenticity Clear text transmission Role of intermediate ISPs, servers and routers Multiple copies and backups – paper and electronic Data mining Physical and virtual eavesdropping Compromised passwords Erroneous addresses Forwarding and amplification Can be used as evidence in court Attachments – viruses and worms

    62: 62 VA Policies/Directives VA Directive 6001, Limited Personal Use of Government Equipment Including Information Technology, July 2000 VA Directive 6103, VA Electronic Mail System, March 1998 VA Directive 6213, VA Public Key Infrastructure, June 2001 VA Directive 6301, Electronic Mail Records, April 1997 VA Directive 6500, Information Security Program, August 2006 VA Directive 6504, Restriction on Transmission, Transportation and Use of and Access to VA Data Outside VA Facilities, June 2006 VA Memorandum, Limits on the Use of Certain E-mail Features and Configurations, May 2004 IT Directive 06-5, Use of Personal Computing Equipment, October 2006

    63: 63 Email Policy Requirements Distilled Certain VA email systems are subject to the Privacy Act Email will be used where it provides a cost-effective means for employees to conduct official business and improve delivery of services to veterans Email messages are records when they are made by VA under Federal law or in connection with public business; and are preserved or are appropriate for preservation as evidence of…because of the information value of the data in them. VA will establish and maintain a comprehensive program to provide cost-effective security controls needed to protect VA information, in any media or format, and VA information systems.

    64: 64 Email Policy Requirements Distilled VA employees are permitted to transport, transmit, access and use VA data outside VA facilities only when such activities have been specifically approved by the employee’s supervisor and where appropriate security measures are taken to ensure that VA information and services are not compromised. Auto-forwarding of email messages to addresses outside the VA network is prohibited; restriction enforced through software modifications and/or configuration changes at the email gateways Use of VA GFE or OE in a mobile environment (laptop, PDA) and VA PI is stored on the computer, file, or electronic storage media, approved encryption software must be used

    65: 65 Secure Network Transmissions Compliance with HIPAA and FISMA No clear text Encrypted data transmissions using FIPS 140-2 certified client and server/host software Supports PKI infrastructure and smartcard devices for HSPD-12 Enterprise procurement includes software licenses, engineering, training and maintenance

    66: 66 VistA MailMan Changes to infrastructure (RDPCs) impacts email transmissions Automated processes in VistA generate transmissions in clear text across wide area network (e.g., HL7 messaging, nightly transmissions to AAC, ETA data to PAID, HEC eligibility data) PHI transmitted across VA network must be encrypted PKI not compatible with VistA MailMan VHA waiver and associated VHA Directive 2007-003, Application of VistA Mailman

    67: 67 VistA MailMan – Terminal Emulation Attachmate WRQ (KEA) provides a security solution by encrypting terminal emulation sessions end-to-end (SSH) Build encrypted tunnels for non-secure applications Protect sensitive file transfers Maintain system compatibility with security standards Leverage existing authentication and authorization methods Safeguard remote access to enterprise applications Secure remote administration of critical servers Simplify password management and cut help desk calls

    68: 68 Microsoft Office Outlook - PKI User Certificates – secure electronic mail, digital signatures Server Certificates – server authentication and encrypted sessions for web servers VA Partner Certificates – (email addresses outside VA network) GSA’s ACES (Access Certificates for Electronic Services)

    69: 69 Microsoft Office Outlook: PKI Challenges Auto-enrollment Certificate Exchange Training and Compliance Point Solutions (RMS vs. PKI)

    70: 70 Microsoft Office Outlook: PKI Improvements Unified Authentication for Windows (auto enrollment) Draft user documentation completed Piloting with limited user base at Hines – began 6/25 Planned deployment in October PKI Infrastructure Rebuild Provides failover and redundancy 3 sites PKI user certificates 120K procurement award by September

    71: 71 Microsoft Office Outlook: PKI Resources Local Registration Authorities (LRAs) PKI Helpdesk: 1-866-407-1566, Option 4 or email PKI web site

    72: 72 Microsoft Office Outlook: Rights Management Services (RMS) Augments existing technologies to provide persistent protection Enforces organizational policies Provides a platform for value-added solutions

    73: 73 Microsoft Office Outlook: Rights Management Services (RMS) Do-Not-Forward Email Requires Outlook 2003 & RMS Reduces internal/external forwarding of confidential information Keeps sensitive email where it belongs Protect Sensitive Files Word 2003: Control access to sensitive content Excel 2003: Set granular permissions per user PowerPoint 2003: Determine length of access Communicate in a Mixed Version Environment Rights Management Add-on for IE (RMA) Users without Office 2003 can view rights-protected files via Internet Explorer Does not provide authoring capability

    74: 74 Microsoft Office Outlook: RMS Deployment Deployment in progress (scheduled deployment across all VISNs and Program Offices by 8/30/07) Web-based training materials Blackberry integration Architecture Redundant and disaster tolerant

    75: 75 Microsoft Office Outlook: Exchange Email Archive Services (EAS) Business necessity driven by compliance with policy, discovery and oversight Over 45K users currently using EAS across VA Procurements for expansion across VA in process Architecture will mirror final architecture for regionalization of Exchange

    76: 76 Microsoft Office Outlook: PKI vs. RMS PKI will be phased out for internal use once RMS is fully deployed and operational across VA PKI will still be used for external communications since RMS doesn’t provide that capability

    77: 77 Microsoft Office Outlook: Outlook Web Access (OWA) Provides web-based public access to Microsoft Exchange Server public folders and address book Access via https://webmail.va.gov/exchange/ Provides point and click access to the most popular features of OWA (create, reply, forward, check for new mail, search, move or copy, delete)

    78: 78 VPN – Remote Access Challenges Current architecture cannot enforce requirements of VA Directive 6504 and other Federal requirements for remote access Risk imposed by remote users for safeguarding VA data GFE versus OE

    79: 79 Remote Enterprise Security Compliance Update Environment (RESCUE) Enforces compliance Virus protection Microsoft patches Firewall Connection options VA-owned equipment (GFE) Non-VA owned equipment (OE) Contractor Personally-owned

    80: 80 Remote Enterprise Security Compliance Update Environment (RESCUE) GFE Host Check Device is member of va.gov domain Device is encrypted GFE Integrity Check Device has anti-virus (AV) software installed (McAfee) Device has VA HIPS software installed (Real Secure or Proventia) Remediation compliance check Is AV signature file current; if not – remediate Does device have minimum critical OS patch installed; if not – remediate (minimum acceptable for pilot is SP2) Other checks to be determined

    81: 81 Remote Enterprise Security Compliance Update Environment (RESCUE) OE Limits connection to virtual desktop Can’t save/print on local machine Permits saving on VA network shares Malicious code protection Cache Cleaner clears cache prior to session disconnect Required connection type for use by all OE Available for GFE Minimal host integrity checks enforced (AV and Firewall) Requires administrator rights on local machine Prevents access from most kiosk environments

    82: 82 Internet Gateway Secure Email

    83: 83 Internet Gateway Secure Email Challenges/Solutions Need to transmit SSNs to White House/Congressional staff prior to testifying Encrypted pipe between VA and White House mail servers Can’t distinguish between personal SSN versus an SSN of veterans and employees Policy prohibits transmission of SSNs in clear text Distinguishing SSNs of deceased veterans (NCA) NARA submissions don’t require filtering per SSA NARA added to exception list Contract #s and job announcements formatted like SSNs Addressing issues on a case-by-case basis Test SSN data “666” and “000” added to exception list
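
The gateway filtering that slide 83 describes can be illustrated with a small outbound check. This is an added example, not part of the presentation and not VA's gateway configuration. The domains (`va.example`, `nara.example`, `other.example`), the contract/announcement keyword heuristic and the allow/block/review labels are assumptions made for illustration; only the "666"/"000" test prefixes and the NARA exception come from the slide.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# NNN-NN-NNNN that is not part of a longer digit/hyphen run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

# Slide 83: test SSN data "666" and "000" is on the exception list.
TEST_AREA_NUMBERS = {"000", "666"}

# Slide 83: NARA is on the exception list. The domain is a placeholder.
EXEMPT_RECIPIENT_DOMAINS = {"nara.example"}

# Assumption: wording just before a match that suggests a contract or
# job-announcement number, which the slide says is handled case by case.
CONTEXT_HINT_RE = re.compile(
    r"(contract|announcement)\s*(no\.?|number|#)?\s*:?\s*$", re.IGNORECASE)


def make_msg(to, subject, body):
    """Build a constructed plain-text message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "sender@va.example"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc address."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(fields) if "@" in addr}


def classify(msg):
    """Return (decision, masked_hits); decision is allow, block or review.

    Only the subject and the plain-text body are scanned; attachments and
    HTML parts are out of scope for this example.
    """
    domains = recipient_domains(msg)
    # The exemption applies only when every recipient is exempt, so adding
    # one outside address to an exempt message still triggers the scan.
    if domains and domains <= EXEMPT_RECIPIENT_DOMAINS:
        return "allow", []
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    blocked, review = [], []
    for m in SSN_RE.finditer(text):
        if m.group(1) in TEST_AREA_NUMBERS:
            continue  # known test data, not a real SSN
        masked = f"***-**-{m.group(3)}"  # never log the full value
        before = text[max(0, m.start() - 40):m.start()]
        (review if CONTEXT_HINT_RE.search(before) else blocked).append(masked)
    if blocked:
        return "block", blocked
    if review:
        return "review", review
    return "allow", []


if __name__ == "__main__":
    samples = [  # constructed messages, not real data
        make_msg("clinic@va.example", "please reschedule appt",
                 "Veteran SSN 123-45-6789 needs a new slot."),
        make_msg("clinic@va.example", "test data",
                 "Use 666-12-3456 or 000-12-3456 in the training account."),
        make_msg("buyer@other.example", "Procurement",
                 "See Contract No. 101-22-3344 for details."),
        make_msg("records@nara.example", "Submission",
                 "Record for 123-45-6789 attached."),
    ]
    for sample in samples:
        print(sample["To"], classify(sample))
```
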

    84: 84 Privacy Problems with E-mail (wikipedia) Main article: e-mail privacy E-mail privacy, without some security precautions, can be compromised because: e-mail messages are generally not encrypted; e-mail messages have to go through intermediate computers before reaching their destination, meaning it is relatively easy for others to intercept and read messages; many Internet Service Providers (ISP) store copies of your e-mail messages on their mail servers before they are delivered. The backups of these can remain up to several months on their server, even if you delete them in your mailbox; the Received: headers and other information in the email can often identify the sender, preventing anonymous communication. There are cryptography applications that can serve as a remedy to one or more of the above. For example, Virtual Private Networks or the Tor anonymity network can be used to encrypt traffic from the user machine to a safer network while GPG, PGP or S/MIME can be used for end-to-end message encryption, and SMTP STARTTLS or SMTP over Transport Layer Security/Secure Sockets Layer can be used to encrypt communications for a single mail hop between the SMTP client and the SMTP server. Another risk is that e-mail passwords might be intercepted during sign-in. One may use encrypted authentication schemes such as SASL to help prevent this.

    85: 85 Privacy and Legal Issues for Provider to Provider E-mail Communications VHA Handbook 1907.01 Guidance Medico-legal Issues Privacy Act Implications System of Records (SOR) Issues E-Mail Retention FOIA E-discovery HIPAA Implications I will only be discussing the privacy issues related to provider to provider communications. There are many email issues regarding IRIS, the Contact the VA link on the VA home page and WebCIMS.

    86: 86 VHA Handbook 1907.01 e. Provider to Provider E-mail Communication (1) Electronic mail and information messaging applications and systems can only be used for authorized government purposes and must contain only non-sensitive information unless the data, and are protected with a VA-approved encryption mechanism. (2) For Outlook/Exchange mail, the Office of Cyber and Information Security (OCIS) issues Public Key Infrastructure (PKI) certificates to encrypt communications between a sender and receiver. NOTE: Personnel must follow the national PKI policies and procedures issued by 005. Requests for PKI certificates are to be directed to the local ISO, who typically serves as the Local Registration Authority (LRA) for VAPKI deployment. NOTE: Provider to Patient e-mail communications are not covered in this policy. Mention Provider Patient email communications – Industry practice to use a secure portal for these communications. For VA this will be handled through future iterations of MyHealtheVet.

    87: 87 Medico-legal Issues Any e-mail documenting care would have to be made part of the official VA medical record through: Scanning; Re-entry of the information into a Progress Note; or Some other mechanism (e.g., paper). E-mails are not currently part of the “Patient Medical Record-VA” (24VA19) Privacy Act system of records

    88: 88 Privacy Act Implications System of Records (SOR) Issues VistA Mailman messages covered by “VistA” (79VA19) SOR notice Veterans/Patients have a right to a copy of any e-mail in VistA that is retrievable by their name Messages must be retained in accordance with SOR notice MS Outlook e-mails are not covered by a SOR notice (Some e-mails are not even official VA records) E-mails sent via MS Outlook should NEVER contain the name of the veteran/patient in the subject line even when encrypted. Explain that some emails from IRIS and WebCIMS may have a name in the subject line, which VA will be addressing.

    89: 89 E-Mail Retention Guidance VA Handbook 6301, Policy and Procedures for Handling Electronic Mail Records Preserving Electronic Mail Messages Memo dated Dec. 23, 2004 VA Notice 06-1, Final Rule on the Disposal of Transitory Email Records IL 19-2006-001 dated July 6, 2006 We realize that we need to develop a single source document for guidance that clearly outlines the requirements for retention and provide some examples to assist in knowing which emails must be retained and for how long.

    90: 90 E-Mail Retention: Federal Records Messages that support official VA business and/or convey valuable information on VA’s mission are considered to be Federal records. E-mails documenting care or used to coordinate care for a specific patient would be official VA records. Ref. VA Handbook 6301

    91: 91 E-Mail Retention E-mails that are official VA records must be retained either in a recordkeeping system or in the e-mail system for the specified NARA retention period For example, an e-mail documenting the care team's discharge plans for a patient needs to be placed in the medical record and retained for 75 years. Once the e-mail or information contained in the email has been placed in a recordkeeping system (e.g., CPRS), the e-mail may be deleted. Ref. NARA, General Records Schedule 20, Item 14 Not all emails that are official records would have to be placed in CPRS or other recordkeeping system.

    92: 92 Freedom of Information Act (FOIA) As official VA records, e-mail messages including those without PHI are subject to FOIA and may be disclosed pursuant to a signed, written FOIA request.

    93: 93 E-discovery Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network. Court-ordered or government sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.

    94: 94 HIPAA Implications Any health information created by VHA health care providers is subject to the HIPAA Privacy Rule, even if not maintained in a Privacy Act SOR. Any e-mail in MS Outlook containing PHI must be appropriately safeguarded under the HIPAA Privacy and Security Rules until destroyed.

    95: 95 Summary Should providers send patient information via e-mail? Yes, BUT Not if CPRS is a better alternative Only via secure, VA-approved e-mail systems Only if disclosure is minimum necessary With understanding of the applicable e-mail retention requirements With understanding e-mail may be discoverable With common sense

    96: 96 Q&A
