Thursday, May 03, 2007

I want my doctor to be a spook

Several months ago, I dealt with several aspects of patient confidentiality. To supplement that, here is an interesting website that covers a number of myths about the requirements of HIPAA.

Many people think that the HIPAA regulations prohibit or discourage emails between doctors and patients. They do not. As stated on this website, though, the regulations require providers to use reasonable and appropriate safeguards to “ensure the confidentiality, integrity, and availability” of any health information transmitted electronically, and to “protect against any reasonably anticipated threats” to the security of such information. Therefore, a covered entity is free to continue using email to communicate with patients, but should be sure that adequate safeguards, such as encryption, are used.

I think most of us don't think about the insecurity of email when we send a note to our doctor. Sure, it is unlikely that some stranger out there will be scanning our emails, although I bet some MIT kids could figure out how to do it in a nanosecond. We forget, though, that employers have the right to snoop through our email on our corporate accounts. Also, it is quite common to insert the wrong "To" address when you are sending a note to someone.

That's why we offer and encourage the use of secure portals like PatientSite. All PatientSite messages are encrypted. Our resident geeks tell me that we use 128-bit DES encryption through SSL. I haven't had a chance to check it out with Maxwell Smart, but it sounds all right to me.


Patient Dave said...

For me this issue has absolutely nothing to do with mischievous MIT students giggling at what they might see about someone's intestines. The issue is malice: companies intentionally looking for private information about a specific individual.

Corporate espionage firms do provide such services.

It could be an insurance company, looking for information about a customer. It could be an employer - does anyone remember Wal-Mart's "dead peasant insurance" scandal, where they knew of a manager's heart condition and took out a policy on his life? (He died carrying a customer's TV to a car.)

I'm not asserting that the world is crawling with nasties like this. I am asserting that such nastiness does exist, and I'm asserting that it's very easy (technologically) and *legal* to "listen" to Internet traffic and scoop it up.

And our protection against this is to not use unprotected open email for anything we don't want available to all comers.

Anonymous said...

I like the idea of PatientSite, but my attending is on it, not my resident; and the resident is the one who knows me. I've never even met my attending...

pintoo said...

PatientSite is one of the better PHRs in the country I have seen (from the online demo). As a geek, it definitely makes me want to change my PCP from PCHI to BIDPO. Though a lot of providers talk about patient satisfaction, they don't do much. Kudos to you and your IT team for doing a wonderful job on the PHR. It totally satisfies what a patient needs to have - control and visibility over his/her data.
However, there are several issues that still need answers.
- How does my data get transferred from another PHR?
- Is it possible to use PatientSite for non-BI facilities & patients? I know there are issues of competitive advantage, but look at long term -- more patient loyalty and switching :)
- I have heard that use of the EMR (webOmR?) at BI is not considered mandatory for all docs. How do I know that the doctor I choose will help me set up my PHR (if he/she doesn't use the EMR system)?
- PatientSite would be a great place for patient education.
- It would also be great if there could be collaboration with payer-based PHRs (Aetna offers one).

In this digital age of 'cyberchondriacs', ultimately, the patient needs to be satisfied. You have a great product in PatientSite, but awareness needs to be built; a little marketing won't hurt (maybe in the form of comparing features with other provider/payer-based PHRs offered in MA!). PHRs and consumer empowerment are the next revolution in healthcare. You are in an ideal position to lead it.

Ben said...

The main issue is not so much whether someone hacks into your email account (although that *is* one worry), it's about what happens to the hard drives, the backup tapes, and all the other storage media on which this private data eventually ends up. Hard drives get thrown out without proper data erasure, backup tapes get lost, etc...

So in fact, while the SSL on PatientSite protects the data in transit, there remains a question as to whether the server's hard drives and backup tapes are properly secured. I'm sure you've got procedures in place for these issues, but the point is that it's not as easy as slapping on SSL, and the problem of keeping this data private is actually quite a difficult one.

HIPAA's got issues, but on this particular point, their requirements actually make sense. The problem is that the technology is too complicated to use, still.

(Oh and to be *really* picky, you're using 128-bit RC4: there's no such thing as 128-bit DES unless you're doing some really wacky stuff.)