
April 2011

Help Available For Small Physician Practices to Overcome Technology Challenges

American Medical Association (AMA) President Cecil B. Wilson, M.D., said in an AMA Commentary this week, "Physicians should take the time to explore their practice needs, assess their practice's readiness to adopt health IT and select the right system for the practice -- and its patients." This is wise advice that I wholeheartedly agree with.

I also agree that the successful adoption and meaningful use of electronic health records (EHRs) impose many new challenges on physician practices, and that overcoming these barriers is especially difficult for physicians in small or solo practices that are constrained by limited resources. My only disappointment with Dr. Wilson's message to physicians is that it failed to highlight how Regional Extension Centers (RECs) can be leveraged by physicians to address these issues with EHR adoption and use.

The HITECH portion of the 2009 Reinvestment Act (ARRA) included over $677 million in grant funds to establish RECs across the nation to cover every geographic region.   The purpose of each REC is to provide consulting services to physicians that help them overcome many of the described barriers to the adoption and use of EHRs.   It is important for physicians to know that the RECs receive federal subsidies specifically based on and proportionate to the number of primary care physicians in solo or small group practices (<10 physicians) that they successfully help adopt, implement and meaningfully use an EHR.  In other words, RECs are financially dependent on providing effective health IT consulting services to a segment of physicians who have the greatest need for such services.

In Texas there are four RECs, including the North Texas REC (NTREC), for which I volunteer time as Board Chairman. Other Texas physicians volunteer their time to comprise 50% of the governing boards for each of the four RECs. Our goal is to ensure that our RECs are physician-friendly and remain focused on providing high quality services that meet the technology needs of small physician practices in each region. Texas RECs collaborated with each other to create a common business plan that leverages the federal subsidies to charge Texas physicians a token fee of $300 for IT consulting services worth over $5,000.

NTREC will receive 100% of its allotted subsidies if we successfully help 1,500 physicians adopt EHRs and achieve meaningful use. Since last October more than 500 North Texas physicians have enrolled for NTREC services; over half of them have already successfully implemented an EHR and are now working on achieving meaningful use of their investment.

My hope is that physicians in other states will emulate our efforts by actively engaging in the governance of their region's RECs to ensure that they are physician-centric and remain focused on addressing the unmet needs of the small physician practices.

 


Private E-mail Communications Between Physicians and Patients—Identity proofing, Authentication and Encryption

Case study:   A plaintiff claims that his physician sent him an e-mail with poor medical advice that led to an adverse medical event.  The defendant physician agrees that the e-mail in question provides grossly negligent advice, but claims that she never sent such an e-mail.   Unfortunately, the physician had been using her own, personal home e-mail program to communicate with patients without using encryption or authentication software.  A costly investigation eventually proved that the e-mail had originated from an unknown third-party spammer who used a technique called “spoofing” to insert the physician’s e-mail address into the "From" field in the e-mail that was sent to the patient.

Although this physician avoided a malpractice suit, she bore the financial burden of a technical investigation to prove the e-mail was not from her. This is only one example of a number of privacy and security issues with physician-patient e-mail. But these problems are avoidable and e-mail can be safely used if the physician can be sure of four things:

  1. They are using the authentic e-mail address of the patient
  2. A message received from the patient has actually been sent from their authentic e-mail address
  3. Each message (sent or received) has not been changed while traversing across the Internet
  4. Only the physician and the patient are able to read each other’s e-mail messages

E-mail encryption programs and secure messaging programs both provide safeguards that ensure the level of privacy and security needed for physician-patient e-mail. From a legal perspective, these technologies, when combined with appropriate procedures of use, make it very difficult for someone to successfully repudiate (deny sending or receiving) an e-mail in a legal situation. As noted in this case, regular home and business e-mail programs do not typically include such safeguards.

The Texas Medical Board (TMB) specifically requires physicians to “authenticate” patients prior to initiating e-communications, and to only use e-communications with established patients. Although the TMB does not specify how this is to be accomplished, the procedure typically involves “identity proofing” patients during an office visit. Patients physically present themselves to an office staff member who is authorized to register new “users” into the physician’s secure e-mail system. After being registered in the system, the patients will receive the “credentials” that allow them to receive and send messages through that system. The type of e-mail system used by the physician determines the type of “credentials” the office will provide. The credentials may be a password, a biometric feature (e.g., a fingerprint), or a physical device such as a CD, smart card, or thumb drive that contains a password “key”.

After the patient is identity proofed, secure e-mail systems are able to use built-in “authentication” technologies to ensure:

  • a message received has actually been sent from the credentialed patient’s mailbox
  • a message sent or received has not been changed while it traveled over the Internet
  • a message sent can only be received and decoded by the credentialed patient.
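
As an added illustration (not from the original post or any particular secure e-mail product), the Python sketch below shows the first two guarantees in action: a message carrying only a forged "From" address is rejected, and so is a message altered in transit. It uses an HMAC keyed with a secret issued at identity proofing as a stand-in for the S/MIME or OpenPGP signatures real systems use; the addresses, the `X-Example-Auth-Tag` header and the function names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage

# Constructed registry: mailbox -> secret handed over at in-office identity proofing.
CREDENTIALS = {
    "patient@example.com": secrets.token_bytes(32),
    "dr.smith@clinic.example": secrets.token_bytes(32),
}
TAG_HEADER = "X-Example-Auth-Tag"  # hypothetical header name, not a standard


def _tag(key, msg):
    """HMAC-SHA256 over the fields a forger or tamperer would need to change."""
    fields = [str(msg.get(h, "")) for h in ("From", "To", "Subject")]
    fields.append(msg.get_content())
    return hmac.new(key, "\n".join(fields).encode("utf-8"), hashlib.sha256).hexdigest()


def build_message(key, sender, recipient, subject, body):
    """Compose a message and attach the sender's authentication tag."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg[TAG_HEADER] = _tag(key, msg)
    return msg


def verify_message(msg):
    """True only if the tag was made with the credential of the claimed sender."""
    key = CREDENTIALS.get(str(msg.get("From", "")))
    tag = msg.get(TAG_HEADER)
    if key is None or tag is None:
        return False  # unknown mailbox, or a bare "From" with no proof behind it
    expected = _tag(key, msg).encode("ascii")
    return hmac.compare_digest(str(tag).encode("utf-8", "replace"), expected)


if __name__ == "__main__":
    genuine = build_message(CREDENTIALS["patient@example.com"], "patient@example.com",
                            "dr.smith@clinic.example", "Refill", "Please renew my prescription.")
    print("genuine:", verify_message(genuine))

    spoofed = EmailMessage()  # anyone can type any address into "From"
    spoofed["From"], spoofed["To"] = "dr.smith@clinic.example", "patient@example.com"
    spoofed["Subject"] = "Advice"
    spoofed.set_content("Stop taking your medication.")
    print("spoofed:", verify_message(spoofed))
```

A shared-secret tag proves origin only to the two parties holding the key, so the non-repudiation discussed above requires public-key signatures, and the third guarantee requires encryption; this sketch covers neither.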

Taking care to set up authentic e-mail accounts with identified patients and using an e-mail program (encrypted e-mail or secure messaging) that includes "authentication" technologies are necessary to establish the trust needed when engaging in private medical conversations.   In addition, these work flow procedures and technologies will help the physician stay within HIPAA regulations that require encryption when PHI is sent over the Internet.