This is a typical reaction I get from my colleagues when suggest using the new-fangled communication tool called email. The palms sweat, the speech stumbles, and the awkwardness is thick in the air. It’s as if I am suggesting they join me in an evil conspiracy, or as if I am asking them to join my technology nerd cult. There is a culture of fear in our healthcare system; it’s a wall against change, a current of stubbornness, a root of suspicion that looks at anything from the outside as a danger. Instead of embracing technology, doctors see it as a tool in the hands of others intent on controlling them. They see it as a collar on their neck that they only wear because others are stronger than them.
via distractible.org
Email, Fax, and HIPAA
Comments on the blog suggested that the objections might be based in part on security concerns. The consultant may prefer fax over email as a better way to protect patient privacy.
Sadly, many folks think that faxes are somehow encrypted and therefore secure, but they are not. Their advantage over email in this respect is that faxes contain image data, which would be harder to mine for useful information than the plain text of most email. Transmitting HIPAA PHI in either is a violation of the HIPAA Security and Privacy Rules.
There are ways of encrypting both fax and email transmissions. The former requires a commercial product of some sort, the latter either a commercial solution or arcane and cumbersome freeware technologies.
It seems like a better approach would be a shared system that uses HTTPS for all communication. GMail can do this, and HTTPS is now GMail's default transport layer for its user interface, but whether or not communication with any remote mail system is secure is situation-dependent and opaque to the sender and receiver. It is unclear whether the GMail databases are HIPAA Security compliant. Our Health System uses Groupwise for internal communications, which is encrypted both in transport and storage, with all storage maintained inside the data centers and behind the firewalls of the covered entity.
PHR systems like Google Health and Microsoft HealthVault offer another alternative. In both cases the information is "owned" by the patient, who must grant access explicitly to others; all inter-system communication over public channels is encrypted. DOD's MiCARE system (http://bit.ly/dlz2iW) interfaces with both PHRs, providing relatively painless and secure sharing of health information between and among primary, secondary, and tertiary care providers, consulting clinicians, and non-clinical care providers. The only catch is that the patient must trust the MiCARE system to identify, authenticate and authorize external systems that need to read from or write to the PHR.
Whether Google Health and HealthVault are truly secure is an open question. I have found no explicit assertion from either that their back-end databases are encrypted, though both employ extensive physical and administrative controls at their data centers. Not providing any details of their technical controls (e.g. encryption of databases) is probably wise, since any information at all would be potentially useful to hackers. Still, an assertion that the back-end database are encrypted would be appreciated by patients and by liability-sensitive providers accessing their systems.
The Real Issue
All that said, the most substantive objections to the use of email in the minds of healthcare providers are probably social and psychological rather than legal or technical. Use of email may be perceived as a slippery slope to being lured or compelled into more extensive IT adoption. Primary care physicians in particular are late adopters of technology, and with the lack of emphasis on usability in many systems currently available, it is difficult to blame them for their reluctance in this regard.
I recently sat through a vituperative diatribe from a family physician whose employer adopted one of the major EMR provider's systems over a year ago, and she stated that the system actively interfered with her ability to provide care. Her objections were multiple, but most prominent were twofold.
First, the system demanded excessive navigation due to inflexible and poorly designed user experience design and information architecture, leading to severe reduction of direct contact with the patient and broken concentration. Second, the system overwhelmed her with prompts and reminders she had long since determined were irrelevant for a given patient. The system provided no way to suppress them, which she was told was due to liability issues.
Another physician I overheard in the YMCA locker room was lamenting the fact that computerization had led to a requirement that he spend more than half of what had previously been his lamentably small amount of free time on nights and weekends updating the EMR. This was in his view better than attempting to use the EMR system in situ.
I know there are many success stories in primary care EMR adoption. Dr. Rob is one of them, and I personally know of a number of others, including my own family physician. The Federal initiative to computerize primary care is laudable, even though the road ahead will be rocky for some time to come.
Hopefully the systems that end up dominating the primary care EMR marketplace will succeed based on usability, quality, and workflow flexibility rather than on company name. The enterprise-system vendor offerings in the primary care arena tend to be dumbed-down, check-the-box knockoffs whose designers seem oblivious to the unique and highly variable requirements of primary care clinics and practices. Which vendor(s) will succeed, and on what basis, and with what ultimate effect on the public health, only time will tell.
Comments