Microsoft Unified Communications - Messaging in Healthcare Industry Whitepaper
Messaging is becoming more important in the healthcare industry for a variety of reasons. The ability to communicate via email with healthcare providers, payers and patients can dramatically improve the quality of healthcare, can lower healthcare costs by reducing administrative overhead and can improve the overall quality and accuracy of communications. Further, Osterman Research has found that the use of email can influence a significant percentage of patients to switch from one provider to another because of the convenience that this communication medium provides. This can result in a significant competitive advantage to providers that make better use of these technologies.

  • 1. To read more case studies on Microsoft Unified Communications Server click here:
    http://www.microsoft.com/everybodysbusiness/en/in/products/unified-communications.aspx

    2. To get more information on other products and services:
    http://www.microsoft.com/everybodysbusiness/en/in

    3. Contact us for any requirement or Feedback at msitpro@live.com

Microsoft Unified Communications - Messaging in Healthcare Industry Whitepaper Document Transcript

Messaging in the Healthcare Industry

Executive Summary

Messaging is becoming more important in the healthcare industry for a variety of reasons. The ability to communicate via email with healthcare providers, payers and patients can dramatically improve the quality of healthcare, can lower healthcare costs by reducing administrative overhead and can improve the overall quality and accuracy of communications. Further, Osterman Research has found that the use of email can influence a significant percentage of patients to switch from one provider to another because of the convenience that this communication medium provides. This can result in a significant competitive advantage to providers that make better use of these technologies.

That said, messaging for healthcare-related organizations imposes significant demands on users, their employers and the vendors that supply their infrastructure. Certain types of messages must be encrypted in order to satisfy both best practice and statutory obligations for data confidentiality and integrity. Further, it is a best practice for healthcare-related organizations to maintain an easily searchable archive of messages in order to satisfy the provisions of the Health Insurance Portability and Accountability Act (HIPAA) and other requirements, such as to conduct random searches or reviews of emails sent to patients and others. Failure to adequately protect confidential information can result in significant civil or criminal penalties, as well as a loss of reputation and other problems.

This white paper examines some of the key issues to consider when evaluating or planning an upgrade of messaging capabilities in a healthcare-related organization. It also discusses Microsoft/FrontBridge’s offerings that are focused on companies that manage healthcare-related information, including providers of medical services, payers, life sciences firms and others.

© 2006 Osterman Research, Inc.
Key Issues in the Healthcare Industry

The use of messaging by healthcare-related organizations can provide tremendous value to a variety of individuals and organizations, including hospital staff, physicians, nurses, payers, benefits administrators and patients. However, perhaps in no other industry is the need for robust and secure messaging more critical than in healthcare given the consequences of poorly executed messaging practices.

Healthcare Requirements for Messaging are Numerous

There are a wide variety of requirements for messaging in the healthcare industry that impact healthcare providers, employers, vendors of messaging solutions and others:

  • Regulatory requirements
    Key among these requirements is the fact that emails and instant messages must comply with a variety of regulatory provisions regarding both the security of transmission for emails, as well as the retention of records contained within these communications. HIPAA, discussed later in this paper, focuses on both the confidentiality and integrity of the transmission of electronically transmitted Protected Health Information (ePHI).

  • Legal considerations
    Perhaps more so than in any other industry, healthcare information is subject to a variety of legal considerations because of the enormous potential for misuse of this data and the damaging impact that it can have for patients and providers alike. As a result, messaging-related data must be protected from inappropriate use, requiring that adequate controls are placed on the delivery and retention of medical data sent through email systems.

  • Secure/encrypted communications
    Related to both the regulatory and legal aspects of managing email is the critical need to send and receive encrypted messages. For example, any email that contains both a personal identifier, such as a Social Security Number, and a description of a health condition must be encrypted so that a patient’s ePHI cannot be intercepted or altered by an unauthorized party.
  • Archiving requirements
    Archiving is an important requirement for email in the healthcare industry. For example, HIPAA requires that a variety of documents, including emails, be kept for six years. Medicare requires that medical records be retained for five years as they relate to radiological and nuclear medicine services, as well as inpatient and outpatient services, among others. The Medicare Conditions of Participation require hospitals to retain medical records for five years. Medicare and Medicaid reimbursement to rural health clinics requires that these clinics maintain medical records for six years, while psychiatric hospitals must retain a variety of medical records for five years.

    It is important to note that the majority of Covered Entities [1] do not store medical records, per se, in messaging systems. However, a significant and growing proportion of these organizations transmit and store ePHI in messaging systems and this data must be archived. For example, if ePHI is communicated via email, an archive and audit trail should be maintained in order to protect organizations from patients and others altering these records.

    [1] A ‘Covered Entity’ is any organization subject to HIPAA requirements.

  • Outbound content filtering
    A key requirement for any Covered Entity is the ability to manage the content of outbound emails. Because information like ePHI can be accidentally disclosed quite easily through email, it is important for organizations to either block or monitor emails that might violate HIPAA requirements if sent improperly. For example, a Covered Entity should have in place a system that can monitor the content of each outbound email in real time and, if these emails contain ePHI, automatically encrypt them, block them or copy them to a HIPAA Privacy/Security officer. Similar capabilities should be implemented for other organizations, such as life sciences firms, whose employees might accidentally or otherwise transmit intellectual property or other proprietary information through email.

  • Finely tunable spam filtering
    Providers, insurance carriers, benefits administrators and others in the healthcare industry send and receive email content that will trigger most spam filters and generate an unacceptable level of false positives. For example, it would not be uncommon for an email message sent from a physician to an insurance carrier to include the word ‘breast’, a word that would be far less commonly used in most other industries. Consequently, spam filtering systems used for healthcare providers must be finely tunable to allow certain words to pass through without generating false positives. Further, these filters must be tunable so that certain individuals or functions are allowed to send and receive content that contains these words, while other functions in healthcare organizations not related to patient care can have these words filtered out.

A Variety of Industries are Impacted

The ‘healthcare industry’, at least in the context of messaging issues, includes a large number of organizations and a variety of industries. For example, messaging issues in the context of healthcare focus not only on medical care providers like hospitals, clinics and physicians’ offices, but also on insurance companies, benefits administrators, government agencies, universities and employers of all types.

As a result, there should be consideration of the healthcare-related regulatory and legal considerations associated with messaging for virtually all entities, since most organizations will at one time or another send or receive medical information that may be covered by a statute like HIPAA or that may otherwise need to be encrypted, archived or managed according to a legal requirement or best practice.

Key Considerations When Using Messaging

HIPAA

One of the most important and far-reaching US federal government requirements focused on healthcare is HIPAA. This requirement addresses a number of different areas and one of its primary goals is to reduce the administrative costs and other burdens in the healthcare industry, as well as the costs of programs like Medicare. However, the result for many organizations has actually been an increase in the regulatory burden and bureaucracy associated with providing and managing healthcare.

The US Congress included provisions in HIPAA that specify the use of standard electronic formats for the transmission, processing and exchange of administrative and financial data regarding healthcare transactions. Further, HIPAA established standard electronic data interchange formats for transactions and records like health plan premium payments, benefit enrollment forms, medical claims and medical reimbursements. HIPAA also establishes standard code sets for medical diagnoses and procedures as they are coded for claims and billing.

HIPAA also created requirements around the privacy and security of PHI. The HIPAA Privacy Rule focuses on maintaining the confidentiality of PHI, among other provisions. The HIPAA Security Rule is designed, among other things, to ensure that Covered Entities take measures to ensure the confidentiality, integrity and availability of ePHI during transmission and storage.

The Impact of HIPAA on Messaging

HIPAA has two important implications for messaging. First, messages that contain PHI must be encrypted so that the confidentiality, integrity and availability of ePHI are maintained. As mentioned earlier, this means, for example, that an email that contains PHI, in order to be compliant with the requirements of HIPAA, must be encrypted if it is to be sent outside an organization. Second, it is an important best practice for Covered Entities to retain emails in a readily accessible archive if they contain PHI or other records.

Every Covered Entity must ask itself two key questions regarding the use of email sent outside of its network:

    1. Is it acceptable to send a particular email that contains PHI according to HIPAA Privacy regulations?

    2. If the answer to the above question is ‘Yes’, did we take the steps necessary to ensure the confidentiality, integrity and availability of this data during transit, such as encrypting the information?

Requirements for the Use of Messaging in Healthcare

There are a variety of requirements for the use of messaging in healthcare-related organizations and in those organizations that deal with healthcare-related information:

  • Encryption
    PHI is among the most sensitive types of data that can be sent through email or instant messages. As a result, best practice, as well as statutory requirements like HIPAA, require that certain types of information be encrypted in order to protect the confidentiality of this data. It is also important as a best practice that archived data be protected from tampering or violation of confidentiality.

  • Disaster recovery
    Organizations that maintain ePHI must implement a disaster recovery plan to protect this data and should include as a key component of this plan the protection of email systems and their associated message stores.

  • Solutions must be easy to use
    One of the fundamental requirements for the use of any messaging system in the context of healthcare is that it must be easy to use. The tunability of spam filters, the encryption and decryption of messages, and other capabilities must be easy to set up and maintain given that messaging infrastructures will often be managed by small organizations without dedicated IT staff, such as physicians’ offices or small businesses.

  • Messaging must be reliable
    Messaging capabilities used in the healthcare field must be reliable given the time sensitivity of much of the communications in this field and the inability to tolerate delayed message delivery times, an unacceptable level of false positives, and so forth.

  • Flexible deployment capabilities
    The healthcare field includes a wide variety of organizations, from large hospitals and insurance companies with large IT staffs that can easily manage internal messaging systems, down to individual physicians’ offices with a staff of only a few people and no dedicated IT resources. As a result, these organizations need flexible deployment options, including the ability to use software-based messaging systems, appliances and managed service offerings, often within the same organization.

  • Long-term archiving
    Archiving is a critical requirement for a significant proportion of the data sent and received by organizations even peripherally related to healthcare. For example, healthcare providers, such as hospitals, must retain medical records under various laws and regulations – for five years in some cases, for six years in others, for two years after a patient’s death, for the life of the patient, etc. Some of these records are subject to HIPAA privacy rules and so archives that contain PHI must be maintained in such a way that the integrity of the data is preserved.

About Microsoft Exchange Hosted Services

Microsoft Exchange Hosted Services offer a cost-effective way for enterprises to actively ensure the security and availability of their messaging environment, while instilling confidence that their messaging processes satisfy internal policy and regulatory compliance requirements. A seamless extension of Microsoft Exchange that operates over the Internet as a service, the complete set of services includes hosted filtering for spam and virus protection; hosted archiving to satisfy compliance requirements and internal policies; hosted encryption to preserve e-mail confidentiality; and hosted continuity for ongoing access to messaging systems during and after disasters.

Microsoft Exchange Hosted Services provide value to corporate customers by eliminating upfront capital investment, freeing up IT resources, and removing incoming e-mail threats before they reach the corporate firewall. For more information, visit http://www.microsoft.com/exchange/services
© 2006 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

THIS DOCUMENT IS PROVIDED “AS IS”. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.