ahima2008 summer presentatione mail kohn

Upload: deborah-kohn

Post on 13-May-2015

TRANSCRIPT

Page 1: Ahima2008 Summer Presentatione Mail Kohn

© 2007

MANAGING eMAIL FOR THE LEGAL EHR

CONCURRENT SESSION

Monday, August 18, 2008

1:15 pm –2:15 pm

Faculty

Deborah Kohn, MPH, RHIA, FACHE, CPHIMS

Principal

Dak Systems Consulting

San Mateo [email protected]

Faculty Disclosure

All faculty participating in Continuing Education programs provided by AHIMA are expected to disclose to the audience any real or apparent commercial financial affiliations or other conflicts of interest related to their presentations and materials.

Deborah Kohn has no real or apparent commercial financial affiliations or other conflicts of interest related to this presentation and materials.

Learning Objectives

• Differentiate between legal, “business record” eMail messages and other types of eMail messages

• Manage Protected Health Information (PHI) contained in eMail messages

• Develop a strategy for legal EHR eMail message management that best suits the organization

• Understand why eMail messages must be managed in the development of the Electronic Health Record (EHR)

Discussion Items

• Brief History of eMail

• eMail = a Business Record

• eMail = a Patient Record

• eMail Strategy

• eMail Management

• eMail and the Legal EHR

• Audience Questions

Brief History of eMail

• Simple Mail Transfer Protocol (SMTP), more commonly known as “eMail”, is one of the Internet’s four, high level protocols

– internationally agreed-upon formats or standards for transmitting data over the Internet.

– File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Hyper Text Transfer Protocol (HTTP), more commonly known as the “(World Wide) Web”, are the other three protocols.

Brief History of eMail

• The SMTP or eMail protocol was the Internet’s first high-level protocol.

• From SMTP, “discussions” were carried on in group settings using text-based eMail. As such, listservs, mail groups, and mail lists were developed.

• To read eMail messages, an organization or individual must acquire an electronic mail program, such as Microsoft’s Outlook.

Brief History of eMail

• Today, when one goes onto the Internet to

– access the Web, sometimes one must still type in HTTP or www (http://www) on the toolbar.

– send eMail, no longer must one type in SMTP.

• However, SMTP is embedded in all eMail messages and can be seen in eMail message headers.

Brief History of eMail

• Around the mid 1980s

– Large companies began to install eMail on their private networks.

– The Electronic Communications Privacy Act (1986) allowed employers to monitor messages on their company networks.

Brief History of eMail

• By the early 1990s, Internet-based eMail was used

– in healthcare provider organizations – primarily large, university and community-based hospitals.

– by thousands of individuals who had accounts with commercial services, such as CompuServe and America Online.

Brief History of eMail

• eMail was considered a “messaging system” or the electronic equivalent of the Post-it note.

• eMail replaced paper office memos, postal mail, and telephone messages.

• eMail was an inexpensive and easy way to help people get over their fears of technology.

• eMail messages were short and crisp because people had to type the messages themselves.

Brief History of eMail

• Today, eMail has replaced many organizational analog business processes.

• Today, eMail is used for a number of non-traditional eMail activities:

– Sending secured, digital reference lab results to the unit

– Attaching secured, digital discharge summaries to the physician’s office

Brief History of eMail

• Today, eMail has become

– a “communication system”

and

– a “record-generating system”

essential for an organization’s business processes.

Consideration Points

• For which of the following purposes does your organization use eMail?

– Negotiating contracts and agreements

– Discussing Protected Health Information (PHI)

– Discussing Human Resources issues, such as evaluations and performance

– Discussing operational or product strategies

– Responding to regulators

– Answering inquiries from customers

– Exchanging invoices, statements, and payment information

– Responding to litigation

– Other

eMail = a Business Record

• Today, eMail is one more “official”, organizational, business record.

– What is an “official” business record?

eMail = a Business Record

• A record that is electronically and / or manually created and retained

– for:

• Legal purposes, reflecting the business objectives of the organization

– such as:

• Patient medical, administrative, and / or financial records

• Employee medical, administrative, and / or financial records

• Departmental administrative records

eMail = a Business Record

• Therefore, organizations must:

– establish record creation, retention, destruction (i.e., records management) policies and procedures

– assure the record’s completeness

– assure the accuracy of the data within the record

eMail = a Business Record

• Example records management policies:

– Create and maintain record retention and disposition schedules based on administrative, legal, fiscal, and historical requirements

– Establish documented procedures for the scheduled destruction of obsolete records and retain proof of such destruction

– Develop and implement efficient filing systems

– Locate and organize the records

eMail = a Business Record

• Example records management policies:

– Train office personnel in the use and function of established records management procedures

– Maintain the confidentiality, security and integrity of the records

– Monitor the completeness of the records

– Monitor the accuracy of the record content

eMail = a Business Record

ARE YOU DOING THIS FOR eMAIL??

eMail = a Business Record

• Like all business records, eMail is subject to the same course of evidentiary discovery.

• The “e” in eMail = EVIDENCE!

Question

My organization had to find and provide an eMail record as documentation in a patient record-based lawsuit, investigation, or audit.

1. Yes

2. No

3. Don’t know

4. Not applicable

eMail = a Business Record

• Like all business records, eMail has a life cycle.

– eMail is:

• created

• indexed

• searched

• retrieved

• routed

• stored / archived

• secured

• purged / destroyed

eMail = a Business Record

• Today, eMail is one of an organization’s largest and most vital information assets!

eMail = a Business Record

• Therefore, eMail messages and the information or data contained within, must be managed with the same thought and attention that have gone to managing:

– other byproducts of other communications systems

– other record-generating functions

– other business processes (analog or digital)

– other legal EHR documents.

eMail = a Patient Record

• Does the eMail record contain PHI or other individually identifiable health information?

– Health information is subject to special legal protection to the extent that it can be traced to an individual patient.

eMail = a Patient Record

• What does Patient Record eMail with PHI look like?

– Care providers communicating with each other

• About a referral

• Regarding a diagnosis

• About a shared patient

eMail = a Patient Record

• What does Patient Record eMail with PHI look like?

– Patients communicating with their care providers (and vice versa)

• Asking questions

• Clarifying medications

• Scheduling appointments

eMail = a Patient Record

• Sample eMail Message

Subject: Shared patient

Here’s the info you requested on patient Jane Doe, MR# 12345678

She began tamoxifen approximately 05/15/08.

eMail = a Patient Record

• If the eMail record contains PHI or individually identifiable health information, is this information protected?

eMail = a Patient Record

• HIPAA does not DIRECTLY address eMail in any of its standards.

• However, because eMail can contain PHI in electronic form, both the privacy and security standards apply!

eMail Strategy

Things to do, questions to ask

eMail Strategy

• Is my organization able to archive eMail messages / records and attachments containing PHI – and associated address and routing information – in original electronic form?

eMail Strategy

• Does my organization print eMails containing PHI to paper with requests to file them in the paper record??????

eMail Strategy

• Has my organization decided how long it must keep eMail messages containing PHI?

– If paper records and EHRs are kept for 7 years, 21 years, etc., then do the same with eMail records containing PHI.

eMail Strategy

• Purging / destroying eMail messages containing PHI

– Erase the eMails from magnetic storage (not just deleting their directory listings)

– Remove the record from all eMail archive backups made since the eMail was sent or destroy all backup copies made of the archive.

– If your organization backs up to nonvolatile media, such as CD-R or WORM, destroy the media.

eMail Strategy

• Purging / destroying eMail messages containing PHI

– Note: Every time a healthcare organization sends an eMail containing PHI without the appropriate safeguards to another party, a record of the event might remain indefinitely on the recipient’s eMail server or in its archives!

eMail Strategy

• Does my organization create and execute disposition instructions for each folder of eMail messages?

• Does my organization enforce its policies?

eMail Strategy

• How does my organization protect the eMail archives against unauthorized access?

– Organizational roles-based access guidelines, such as those created for HIPAA, apply to eMail.

eMail Strategy

• Is my organization able to provide auditing of access to archived eMails so that administrators cannot tamper with audit records?
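
One way to make access records tamper-evident, shown as an added example that is not from the presentation: each audit entry carries an HMAC chained to the entry before it, so an edited, removed or cut-off entry fails verification. It assumes the MAC key is held by someone other than the mail administrators; the field names and sample events are constructed.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous" value used for the first entry


def _mac(key: bytes, prev: str, record: dict) -> str:
    """HMAC over the previous entry's MAC plus this record, so entries form a chain."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, who: str, action: str,
                 message_id: str, when: str) -> str:
    """Append one access event and return the new chain head."""
    record = {"who": who, "action": action, "message_id": message_id, "when": when}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "prev": prev, "mac": _mac(key, prev, record)})
    return log[-1]["mac"]


def verify_log(log: list, key: bytes, expected_head: str = None):
    """Return (ok, index of first bad entry). expected_head is the last MAC as
    recorded outside the log; comparing against it exposes a truncated tail."""
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], good):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def demo() -> dict:
    """Constructed events: build a three-entry log, then tamper with copies of it."""
    key = b"constructed-demo-key"  # assumption: the real key sits outside IT administration
    log, head = [], None
    for who, msg in [("rn.lee", "<m1@hospital.example>"),
                     ("admin7", "<m2@hospital.example>"),
                     ("dr.a", "<m3@hospital.example>")]:
        head = append_entry(log, key, who, "view", msg, "2008-08-18T13:15:00Z")
    edited = copy.deepcopy(log)
    edited[1]["record"]["who"] = "rn.lee"   # rewrite who opened the message
    removed = log[:1] + log[2:]              # drop the entry altogether
    truncated = log[:2]                      # cut off the most recent entry
    return {"intact": verify_log(log, key, head),
            "edited": verify_log(edited, key, head),
            "removed": verify_log(removed, key, head),
            "truncated": verify_log(truncated, key, head)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```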

eMail Strategy

• Has my organization made business continuity / disaster recovery plans for its eMail with replication and automated recovery?

• Can my organization back up and recover its eMail server while it is online, so that system downtime is minimized?

eMail Management

• eMail management is an enormous and complex problem.

• The problem is expected to get worse as the number and type of senders and receivers increase exponentially.

eMail Management

• Step #1

– Manage eMail messages / records containing PHI within an organizational, electronic content management strategy.

eMail Management

• For example, most often, the PHI contained in eMail messages / records is interconnected (e.g., regarding Joe Smith’s diagnosis).

eMail Management

• Therefore, one must ensure that:

– all the eMail messages / records relating to Joe Smith can be located.

– the organization’s eMail strategy includes identifying all existing, enterprise-wide repositories that securely store eMail records and attachments which merit evidentiary handling.

eMail Management

• Step #2

– Work with your organization to develop or acquire an eMail Management System to help realize the strategy.

eMail and the Legal EHR

• Is a vital Legal EHR issue!

• Requires guidelines and standards for incorporation into the EHR functional outline

• Presents huge opportunities to reduce the EHR’s risks of legal costs in evidentiary proceedings

eMail and the Legal EHR

• Presents formidable EHR challenges with respect to eMail’s anticipated, continuous, and explosive growth

• Requires new or additional EHR-related business processes, such as informed consent for eMail records containing PHI

eMail and the Legal EHR

• Allows health information management professionals to oversee and focus on the many, EHR-based repositories, both digital and analog, inside and outside their existing domains

eMail and the Legal EHR

• Requires that eMail repositories are interfaced with all the other repositories, databases, and systems feeding electronic information into the EHR

Before Audience Questions

eMail Management Systems

• Sample Functional Requirements

– A centralized, server-based archive

– A classification tool

• with intuitive methods for identifying eMail classifications, such as patients or the Privacy Official’s meeting minutes

eMail Management Systems

• Functional Requirements (continued)

– A rules-generator

• with intuitive methods for identifying retention schedules or encryption parameters by classifications and sub-classifications

• triggered automatically by actions, such as deleting or encrypting the “patient” class or sub-class of eMail after x number of days / months / years so it cannot be accessed

eMail Management Systems

• For example:

– When an individual closes an eMail and is ready to discard or save it, a prompt should appear with a YES or NO choice, asking if the user would like to make this eMail a part of any of the health care organization’s “official” business records, such as a patient medical record.

eMail Management Systems

• Note:

– The previous function can be managed in the background using web technology so that, for example, each new patient added to the MPI triggers a domain name with all inbound and outbound mail captured for patientname.com.

eMail Management Systems

• Functional Requirements (continued)

– Tried and true search capabilities

– Full text indexing and cataloging capabilities

– Ability to work with existing eMail programs, such as Microsoft’s Outlook

eMail Management Systems

• Functional Requirements (continued)

– Ability to enforce user-defined eMail archiving policies

• issuing eMail notifications to all authorized users when eMail records #1 – 100 for patientname.com are approaching the seven year retention mark

• issuing eMail notifications when user mailboxes contain more than, for example, 100MB of messages
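
The rules-generator and the archiving-policy notifications described in these functional requirements, as an added example that is not from the presentation or from any vendor product: a rule table keyed by classification drives delete, encrypt and notify decisions over an archive index. The rule values other than the "patient" class, the seven-year mark and the 100MB threshold are constructed, as are the record fields and sample data.

```python
from datetime import date

# Assumption: hypothetical rule table. The slides name a "patient" class and a
# seven-year retention mark; the remaining values are constructed.
RULES = {
    "patient": {"retain_years": 7, "on_expiry": "delete", "notify_days": 90},
    "privacy-minutes": {"retain_years": 3, "on_expiry": "encrypt", "notify_days": 30},
}
MAILBOX_LIMIT = 100 * 1024 * 1024  # the slides' example threshold of 100MB


def retention_mark(sent: date, years: int) -> date:
    """Date on which the retention period ends, tolerating 29 February."""
    try:
        return sent.replace(year=sent.year + years)
    except ValueError:  # 29 Feb has no counterpart in a non-leap year
        return date(sent.year + years, 3, 1)


def disposition(record: dict, today: date) -> str:
    """Action for one archived message on a given day."""
    rule = RULES.get(record["class"])
    if rule is None:
        return "classify"  # unclassified mail is never disposed of automatically
    mark = retention_mark(record["sent"], rule["retain_years"])
    if today >= mark:
        return rule["on_expiry"]
    if (mark - today).days <= rule["notify_days"]:
        return "notify"    # approaching the retention mark
    return "retain"


def plan(archive: list, mailboxes: dict, today: date) -> dict:
    """Group record ids by action and list mailboxes over the size limit."""
    actions = {}
    for rec in archive:
        actions.setdefault(disposition(rec, today), []).append(rec["id"])
    oversize = sorted(user for user, size in mailboxes.items() if size > MAILBOX_LIMIT)
    return {"actions": actions, "oversize_mailboxes": oversize}


# Constructed sample archive index and mailbox sizes.
ARCHIVE = [
    {"id": 1, "class": "patient", "sent": date(2008, 2, 29)},
    {"id": 2, "class": "patient", "sent": date(2008, 5, 15)},
    {"id": 3, "class": "privacy-minutes", "sent": date(2012, 1, 10)},
    {"id": 4, "class": "newsletter", "sent": date(2014, 6, 1)},
]
MAILBOXES = {"jdoe": 150 * 1024 * 1024, "asmith": 20 * 1024 * 1024}

if __name__ == "__main__":
    print(plan(ARCHIVE, MAILBOXES, date(2015, 3, 1)))
```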

eMail Management Systems

• Functional Requirements (continued)

– Ability to search the content of incoming eMail records containing PHI and automatically route the messages based on subject matter or other, user-defined criteria

eMail Management Systems

• Functional Requirements (continued)

– Ability to scan the text of each eMail prior to sending it to detect key words and phrases indicative of sensitive subject matter, such as “abortion”, “HIV”, “depression”.

– Ability to automatically display a reminder that such eMail is not appropriate for certain exchanges.
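
The pre-send check described above, as an added example that is not part of the original presentation: it parses an outgoing message, looks for the slide's key words and for record numbers written like the deck's sample message, and returns a decision. The internal domain, the MR# pattern, the three action names and the sample messages are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Key words quoted on the slide; an organization would maintain its own list.
SENSITIVE_TERMS = ("abortion", "HIV", "depression")
# Assumption: record numbers are written like the deck's sample ("MR# 12345678").
MRN_PATTERN = re.compile(r"\bMR\s*#\s*\d{6,10}\b", re.IGNORECASE)
# Assumption: hypothetical set of mail domains treated as internal.
INTERNAL_DOMAINS = {"hospital.example"}


def scan_outbound(raw_message: str) -> dict:
    """Decide what to do with an outgoing message; record numbers are counted, not copied."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"

    terms = [t for t in SENSITIVE_TERMS
             if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE)]
    mrn_count = len(MRN_PATTERN.findall(text))

    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    external = sorted(addr for _, addr in getaddresses(headers)
                      if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS)

    if not terms and mrn_count == 0:
        action = "send"
    elif external:
        action = "hold_for_encryption"  # assumed policy for PHI leaving the organization
    else:
        action = "remind"               # the reminder the slide describes
    return {"action": action, "terms": terms, "mrn_count": mrn_count,
            "external_recipients": external}


# Constructed samples; the first reuses the deck's "Shared patient" message text.
SAMPLE_EXTERNAL = (
    "From: dr.a@hospital.example\nTo: dr.b@clinic.example\n"
    "Subject: Shared patient\n\n"
    "Here's the info you requested on patient Jane Doe, MR# 12345678\n"
    "She began tamoxifen approximately 05/15/08.\n"
)
SAMPLE_INTERNAL = (
    "From: dr.a@hospital.example\nTo: nurse@hospital.example\n"
    "Subject: Follow-up\n\nPatient asked about HIV test scheduling.\n"
)
SAMPLE_CLEAN = (
    "From: dr.a@hospital.example\nTo: vendor@supplier.example\n"
    "Subject: Cafeteria hours\n\nThe cafeteria closes at 7 pm this week.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL, SAMPLE_CLEAN):
        print(scan_outbound(sample))
```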

eMail Management Systems

• Functional Requirements (continued)

– Ability to enforce security policies

• with network administration capabilities, such as managing large files, file types, and attachments, for defending against viruses, spam, and malicious code

• with process management capabilities, such as encrypting eMail messages containing PHI

eMail Management Systems

• Note:

– Never archive encrypted eMail records containing PHI!

– You might lose the algorithms or keys!

eMail Management Systems

• Sample Technical Requirements

– eMail server management with support for low-cost storage

– Quick and efficient recovery capabilities

– Tamper-proof system capabilities

eMail Management Systems

• Technical Requirements (continued)

– Ability to easily clean up a message archive and prevent the loss of information following a virus attack

– Maintaining historical records of backups if there is an external request for information as a result of legal issues

Sample Vendor Reference List – eMail Management Systems

• Autonomy (autonomy.com/zantaz)

• EMC Software (software.emc.com)

• FileTek, Inc. (filetek.com)

• Mimosa Systems (mimosasystems.com)

• OPENTEXT Corp. (opentext.com/ixos)

• Sigaba Corp. (sigaba.com)

• Tumbleweed Communications (tumbleweed.com)

• Xythos Software, Inc. (xythos.com)

• Zix Corporation (zixcorp.com)

• ZL Technologies, Inc. (zlti.com)

Vendor Reference List is NOT endorsed by AHIMA or Dak Systems Consulting

Audience Questions