How many times have you read an article about patient frustration over the fact that doctors won’t communicate with them by e-mail? Even though consumers can use e-mail to communicate with just about every other business organization these days, the practice of using e-mail to speed communications between healthcare providers and their patients remains stuck in first gear.
Of course, there are some very good reasons why doctors and hospitals aren’t wild about e-mail. Many doctors resist because they don’t get paid for exchanging e-mail with their patients. Doctors usually only get paid when a patient is physically “seen” in the exam room. However, for physicians who are employed by a hospital or clinic, or those working for health maintenance organizations, the payment issue isn’t the barrier that it used to be. Also, as health reform rolls out, healthcare providers will increasingly be paid for keeping people well and for the value of the care they provide instead of the volume. This means that tools that add greater efficiency to healthcare delivery, like e-mail, are likely to be embraced by doctors far more than is typical today. However, there is yet another very important reason why doctors won’t do e-mail, and it’s not about payment systems. It’s about the privacy and security of your health information.
Information about you and your health is protected by federal law (HIPAA). Health organizations that create and store your healthcare data, and any entity that does business with those organizations that involves transport, storage, or use of your health information, are subject to huge fines should that information get compromised. So imagine that you are a physician communicating with a patient using e-mail over the open Internet. What if that e-mail contains protected health data and it gets in the wrong hands? Under HIPAA, that could turn into a very expensive mistake. There are ways around this. Most often these days when electronic communication is done between doctors and their patients it involves what I like to call a “meet in the middle” portal solution. You are notified that a message from your doctor is available. You log on to a secure web site or portal and retrieve your message. It’s not the most elegant of solutions, but it does help protect the privacy and security of personal health information in the message from your doctor.
As software becomes a “service” and data storage moves to the cloud, there are now additional, very attractive options that are making such things as e-mail communication between doctors and patients far more feasible, less costly, and less complicated than before. One of those is a cloud-based solution called Microsoft Office 365. Not only does it meet the most stringent data handling and storage requirements mandated by HIPAA, it also now provides something known as Exchange Hosted Encryption. This makes it possible for doctors and health organizations to send encrypted messages to organizations and patients outside of their network. It doesn’t matter if the destination is Outlook.com, Yahoo, Gmail, Lotus Notes, Groupwise, Squirrel Mail or you name it—sensitive information can be sent with an additional level of protection against unauthorized access. With Office 365 Message Encryption, e-mail administrators can easily set up transport rules that match specified criteria. Once the admin sets up the rules, whenever anyone in the organization sends a message that matches the conditions, the outgoing message is encrypted before it is delivered to the outside mail server. This prevents any spoofing or misdirection of the message.
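The transport-rule mechanism described above, shown as an added example written for this page rather than code from the post or from Microsoft: two Exchange Online transport rules that apply Office 365 Message Encryption to outbound mail, one keyed on keywords and one on the built-in U.S. Social Security Number sensitive information type, followed by a check that lists the rules that encrypt. The rule names, keyword list and comments are illustrative assumptions; the cmdlets and parameters (`New-TransportRule`, `-SentToScope`, `-SubjectOrBodyContainsWords`, `-MessageContainsDataClassifications`, `-ApplyOME`) are the Exchange Online ones, and the session requires the ExchangeOnlineManagement module and an administrator account.

```powershell
# Added example (not from the post): create outbound transport rules that apply
# Office 365 Message Encryption (OME) to messages leaving the organization.
# Assumptions: ExchangeOnlineManagement module installed, admin credentials,
# and rule names / keywords chosen here for illustration only.

Connect-ExchangeOnline

# Rule 1: encrypt any message to an external recipient whose subject or body
# carries a keyword the organization uses to flag patient correspondence.
New-TransportRule -Name "Encrypt patient correspondence (external)" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "PHI","Patient Record","Lab Results" `
    -ApplyOME $true `
    -Comments "Added example: OME for keyword-flagged external mail"

# Rule 2: encrypt external messages in which the built-in sensitive information
# type detects at least one U.S. Social Security number, regardless of keywords.
New-TransportRule -Name "Encrypt external mail containing SSN" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="U.S. Social Security Number (SSN)"; MinCount=1} `
    -ApplyOME $true `
    -Comments "Added example: OME for SSN-bearing external mail"

# Check: list every rule that applies OME, confirming it is enabled and scoped
# to external recipients as intended.
Get-TransportRule |
    Where-Object { $_.ApplyOME -eq $true } |
    Format-Table Name, State, Priority, SentToScope -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Newer tenants express the same action as `-ApplyRightsProtectionTemplate "Encrypt"` instead of `-ApplyOME $true`; the conditions are unchanged. A rule of this kind protects the confidentiality of the message body and attachments once they leave the tenant; whether the outside recipient can trust who sent the message depends on separate outbound sender-authentication settings (SPF, DKIM, DMARC) that are not covered by the post.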
If you would like to learn more about Message Encryption in Office 365, please read this communication from the Office 365 Team. I think this is very good news for many health organizations and physicians who've been perplexed about e-mail communication with patients. I also think this will be great news for patients who increasingly expect to have e-mail communication with their healthcare providers.
UPDATE (2-19-14): I received news today that Office 365 Message Encryption has now been released for general availability. Additional information is available here.
Bill Crounse, MD Senior Director, Worldwide Health Microsoft
Great blog post Dr Crounse - and love the update!
I have studied this post...it is so interesting; please keep posting this type of blogging regarding Health.
Office 365 Message Encryption looks great, but seems to depend on Azure Active Directory + Azure Rights Management --- which so far don't seem to be covered under the BAA. And the Office 365 trust center doesn't list Office 365 Message Encryption as a covered technology for that BAA.
Can you see if there is going to be any action on getting Office 365 Message Encryption included in the BAA?
Azure Active Directory is now covered by the BAA; check out the Azure Trust Center: The following Azure features are covered by the current HIPAA BAA: Cloud Services (Web and Worker Roles), Virtual Machines (including with SQL Server), Storage (Blobs, Tables, Queues), Virtual Network, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Active Directory, and SQL Database.