Having been in practice for nearly 36 years, you might assume Austin otolaryngologist James Eskew, MD, might skew old-school in the way he works. That’s somewhat true; in the age of data and tech, his preferred way to communicate with patients is still face to face.
But Dr. Eskew has, in his words, “not refused to join the 21st century.” He’s comfortable texting or emailing other physicians, using secure, encrypted platforms if specific patient information will be involved. And he’s adjusted to what he calls “the biggest boondoggle of this millennium” — the electronic health record (EHR) — employing a scribe who he says has saved him from retirement.
“It wasn’t that I was anti-technology,” Dr. Eskew said of his old philosophy. “It was that I was pro-communication.”
Technology continues to change the way physicians communicate, both with patients and with other health care professionals. But physicians need to understand the pitfalls of any form of communication, notes Abilene family physician D. Allen Schultz, MD, who says he uses basically every technological tool available to him.
Doctor to doctor
The days of doctors relying almost solely on in-person talks, landline phone conversations, and pagers are fading. Those aging tools now share space with digital replacements, like secure text messaging.
In a survey in the July 2017 edition of the Journal of Hospital Medicine, 27 percent of the 620 hospital-based clinicians who responded said “some” were using the secure messaging application their organization implemented; 7 percent reported “most” clinicians used the secure messaging application their organization installed. To view the survey, visit tma.tips/jhmcomms.
One messaging platform to reach other practitioners is DocbookMD. The app for both Apple and Android mobile and desktop users allows physicians to send HIPAA-secure messages to each other, along with any relevant attachments such as patient charts, X-ray images, or EKG strips. DocbookMD is free to TMA members as a benefit of membership. For more information, visit www.texmed.org/docbookmd/.
More than 300,000 practitioners have access to DocbookMD, according to its website. Potential customers who already use secure email and don’t understand why they also need secure text messaging are sometimes skeptical of the product, says Lindsay McLarty, the company’s marketing manager.
“An email is something that you check when you have time, and then follow up at some point, whereas DocbookMD is more real-time … acting in place of unsecure text messages, where it’s quick,” Ms. McLarty said. “I think we’ve really been thriving in [offering] that quick turnaround message.”
Even in an emergency department (ED) setting, where time is critical and nearly all communication is verbal, technology has made patient care talk more instantaneous.
Fort Worth pediatric emergency physician Matt Murray, MD, chair of TMA’s Ad Hoc Committee on Health Information Technology, notes he and other practitioners in his hospital relay messages to each other with a hands-free device similar to a walkie-talkie. Dr. Murray uses it to ask a unit secretary to page a certain specialist and receives immediate notification once the specialist calls back.
“When a patient requires emergent presence of an ED physician, the specific physician is informed verbally and through that device,” Dr. Murray said. “The noise from overhead paging and beeping pagers had been continuous in our ED until we adopted this method of electronic communication. Now, overhead pages are only occasionally used, and no one wears a pager. It makes the ED environment much quieter and calmer. It also reduces confusion and nearly eliminates the plague of missed calls when physicians are in situations where they cannot hear an overhead page or promptly get to a telephone to respond to a page.”
Secure instant messaging has “by far made the biggest positive impact on my workflow,” Dr. Murray adds. Ancillary staff often use that messaging to ask ED physicians questions or provide information that doesn’t require an immediate response. Dr. Murray doesn’t see those messages while visiting with a patient, but they pop up when he enters orders or is documenting in the hospital’s EHR system.
“I’m a big fan of the way we have incorporated instant messaging into our workflow and thrown out the incessant beeping of pagers,” he said.
Doctor to patient
All types of communication involving protected health information, whether with other practitioners or with patients, need to conform to HIPAA and its accompanying privacy and security rules. The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, has issued specific guidance on email communications with patients, although little government
guidance on texting currently exists. (See “HIPAA: Emailing and Texting Patients,” page 29.)
In a memo last December, the Centers for Medicare & Medicaid Services said texting among practitioners at hospitals and critical access hospitals is allowed if done through a secure platform (tma.tips/cmstexting). But CMS said it prohibits texting patient orders regardless of platform.
The July 2017 Journal of Hospital Medicine survey found, however, that 22 percent of respondents received text messages that included detailed, individually identifiable patient information at least once per day, while 41 percent received messages including “some identifiable information” at least once a day, albeit less specific, such as patient initials or room numbers.
If a patient wants to communicate with you by unencrypted emails, OCR states that you should warn him or her first that the method of transmission may not be secure. If the patient understands that and has signed off on ongoing communications via an insecure method, TMA General Counsel Donald “Rocky” Wilcox recommends documenting that in the patient’s medical record.
Dr. Schultz makes his text line available to patients with a pre-warning that messages he receives won’t have guaranteed security. He says his patients are “outstanding as far as not abusing that communication tool between us.”
Dr. Eskew prefers face-to-face talks with patients because of research he’s come across that suggests significantly more information is transmitted in person as opposed to other types of conversations. He only occasionally has text conversations with his patients at Austin Ear, Nose, and Throat Clinic, and he doesn’t give them his email address.
“Think of the last time you had an email exchange with somebody and you weren’t sure exactly what the emotional content of that was,” he said. “Well, you can’t be sure, because it’s just a text, and you don’t have any of the other clues.”
Physicians appear increasingly confident in patient portal use. Use of that technology is on the rise, with small practices seeing greater adoption and usage rates than larger health systems. A 2017 study by athenaResearch of 573 primary care practices found that practices with six or fewer physicians had 45 percent of their patients adopting their patient portal on average. Sixty-five percent of those patients used it within 30 days of an appointment, according to an athenainsight blog (tma.tips/athenaportals). National and regional health systems reported a portal adoption rate of just 30 percent.
Dr. Schultz says physicians who are trying to stay compliant while transitioning to new forms of communication need to “use common sense. And [don’t] get caught up in bureaucracies that try and legislate right and wrong.
“You know what the right thing is to communicate, and you know what the wrong thing is to communicate,” he said. “I really feel like HIPAA has just codified what we should have been doing already.”
Legal articles in Texas Medicine are intended to help physicians understand the law by providing legal information on selected topics. These articles are published with the understanding that TMA is not engaged in providing legal advice. When dealing with specific legal matters, readers should seek assistance from their attorneys.
HIPAA: Emailing and Texting Patients
If you’re going to communicate with patients by email or text, make sure you have the right policies, procedures, and infrastructure in place to conform to the privacy and security rules tied to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA itself doesn’t specifically address these technologies, but here is the most recent guidance from regulators in the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC):
According to OCR:
- Reasonable safeguards: HIPAA’s Privacy Rule allows practitioners to communicate with patients by email if they apply “reasonable safeguards” when doing so. Those reasonable safeguards may include confirming the accuracy of the patient’s email address before sending. Practitioners also should limit the amount or type of information they disclose through an unencrypted email. All transmission of electronic protected health information (e-PHI) must comply with the HIPAA Security Rule.
- Responsibility to warn: Covered entities “are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
- Patients can initiate: Patients can initiate communications with a practitioner using email, and the practitioner can then assume that method is acceptable to the patient, unless the patient explicitly states otherwise. However, if a practitioner feels the patient may not be aware of the possible risks associated with unencrypted email, he or she can let the patient know about those risks. In light of this guidance, from a risk management perspective, TMA’s Office of the General Counsel says it’s a good idea to alert patients of those risks even when patients initiate the communication.
According to ONC:
- Rule application: Practitioners must send e-PHI through a secure method, but the HIPAA Security Rule doesn’t apply equally to the patient. “A patient may send health information to you using email or texting that is not secure. That health information becomes protected by the HIPAA Rules when you receive it.”
- Note of caution: Practitioners might want to avoid types of electronic communication like texting “unless you first confirm that the communication method meets, or is exempt from, the Security Rule.”
For more information on HIPAA and health information technology, visit the U.S. Department of Health and Human Services FAQ page at tma.tips/hipaahit. To view ONC’s Guide to Privacy and Security of Electronic Health Information, visit tma.tips/onchipaa.
QUIZ: TEST YOUR HIPAA KNOW-HOW
Think you’re hip to HIPAA? Got a PhD in secure EHR?
Let’s find out. Below are three common questions TMA’s Knowledge Center receives from physicians regarding protected health information. Find the answers on page 40. (See "Is Your Board Certification Safe?")
Contact the TMA Knowledge Center at (800) 880-7955 or email@example.com for TMA resources. Or for more information, visit www.texmed.org/RecordsRelease.
Question 1: How much time do practices have to provide a copy of medical records to patients after receiving a valid written request?
A. 3 business days
B. 5 business days
C. 15 business days
D. 30 business days
Question 2: A fax machine is a permitted method for physicians to send patient medical information to another physician’s office.
True or false?
Question 3: Under Texas law, practices must provide electronic health records to patients who request them, even if the practice doesn’t own an electronic health records system. True or false?
Tex Med. 2018;114(6):26-30
June 2018 Texas Medicine Contents
Texas Medicine Main Page