AHIMA 2008 Summer Presentation eMail Kohn



  1. 2. MANAGING eMAIL FOR THE LEGAL EHR <ul><li>CONCURRENT SESSION </li></ul><ul><li>Monday, August 18, 2008 </li></ul><ul><li>1:15 pm –2:15 pm </li></ul>
  2. 3. Faculty <ul><li>Deborah Kohn, MPH, RHIA, FACHE, CPHIMS </li></ul><ul><li>Principal </li></ul><ul><li>Dak Systems Consulting </li></ul><ul><li>San Mateo CA </li></ul><ul><li>650.345.9900 </li></ul><ul><li>[email_address] </li></ul><ul><li>www.daksystemsconsulting.com </li></ul>
  3. 4. Faculty Disclosure <ul><li>All faculty participating in Continuing Education programs provided by AHIMA are expected to disclose to the audience any real or apparent commercial financial affiliations or other conflicts of interest related to their presentations and materials. </li></ul><ul><li>Deborah Kohn has no real or apparent commercial financial affiliations or other conflicts of interest related to this presentation and materials. </li></ul>
  4. 5. Learning Objectives <ul><li>Differentiate between legal, “business record” eMail messages and other types of eMail messages </li></ul><ul><li>Manage Protected Health Information (PHI) contained in eMail messages </li></ul><ul><li>Develop a strategy for legal EHR eMail message management that best suits the organization </li></ul><ul><li>Understand why eMail messages must be managed in the development of the Electronic Health Record (EHR) </li></ul>
  5. 6. Discussion Items <ul><li>Brief History of eMail </li></ul><ul><li>eMail = a Business Record </li></ul><ul><li>eMail = a Patient Record </li></ul><ul><li>eMail Strategy </li></ul><ul><li>eMail Management </li></ul><ul><li>eMail and the Legal EHR </li></ul><ul><li>Audience Questions </li></ul>
  6. 7. Brief History of eMail <ul><li>Simple Mail Transfer Protocol (SMTP), more commonly known as “eMail”, is one of the Internet’s four high-level protocols </li></ul><ul><ul><li>internationally agreed-upon formats or standards for transmitting data over the Internet. </li></ul></ul><ul><ul><li>File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Hyper Text Transfer Protocol (HTTP), more commonly known as the “(World Wide) Web”, are the other three protocols. </li></ul></ul>
  7. 8. Brief History of eMail <ul><li>The SMTP or eMail protocol was the Internet’s first high-level protocol. </li></ul><ul><li>From SMTP, “discussions” were carried on in group settings using text-based eMail. As such, listservs, mail groups, and mail lists were developed. </li></ul><ul><li>To read eMail messages, an organization or individual must acquire an electronic mail program, such as Microsoft’s Outlook. </li></ul>
  8. 9. Brief History of eMail <ul><li>Today, when one goes onto the Internet to </li></ul><ul><ul><li>access the Web, sometimes one must still type in HTTP or www ( http://www ) on the toolbar. </li></ul></ul><ul><ul><li>send eMail, no longer must one type in SMTP. </li></ul></ul><ul><ul><ul><li>However, SMTP is embedded in all eMail messages and can be seen in eMail message headers. </li></ul></ul></ul>
  9. 10. Brief History of eMail <ul><li>Around the mid 1980s </li></ul><ul><ul><li>Large companies began to install eMail on their private networks. </li></ul></ul><ul><ul><li>The Electronic Communications Privacy Act (1986) allowed employers to monitor messages on their company networks. </li></ul></ul>
  10. 11. Brief History of eMail <ul><li>By the early 1990s, Internet-based eMail was used </li></ul><ul><ul><li>in healthcare provider organizations – primarily large, university and community-based hospitals. </li></ul></ul><ul><ul><li>by thousands of individuals who had accounts with commercial services, such as CompuServe and America Online. </li></ul></ul>
  11. 12. Brief History of eMail <ul><li>eMail was considered a “messaging system” or the electronic equivalent of the Post-it note. </li></ul><ul><li>eMail replaced paper office memos, postal mail, and telephone messages. </li></ul><ul><li>eMail was an inexpensive and easy way to help people get over their fears of technology. </li></ul><ul><li>eMail messages were short and crisp because people had to type the messages themselves. </li></ul>
  12. 13. Brief History of eMail <ul><li>Today, eMail has replaced many organizational analog business processes. </li></ul><ul><li>Today, eMail is used for a number of non-traditional eMail activities: </li></ul><ul><ul><li>Sending secured, digital reference lab results to the unit </li></ul></ul><ul><ul><li>Attaching secured, digital discharge summaries to the physician’s office </li></ul></ul>
  13. 14. Brief History of eMail <ul><li>Today, eMail has become </li></ul><ul><ul><li>a “communication system” </li></ul></ul><ul><ul><li>and </li></ul></ul><ul><ul><li>a “record-generating system” </li></ul></ul><ul><ul><li>essential for an organization’s business processes. </li></ul></ul>
  14. 15. Consideration Points <ul><li>For which of the following purposes does your organization use eMail? </li></ul><ul><ul><li>Negotiating contracts and agreements </li></ul></ul><ul><ul><li>Discussing Protected Health Information (PHI) </li></ul></ul><ul><ul><li>Discussing Human Resources issues, such as evaluations and performance </li></ul></ul><ul><ul><li>Discussing operational or product strategies </li></ul></ul><ul><ul><li>Responding to regulators </li></ul></ul><ul><ul><li>Answering inquiries from customers </li></ul></ul><ul><ul><li>Exchanging invoices, statements, and payment information </li></ul></ul><ul><ul><li>Responding to litigation </li></ul></ul><ul><ul><li>Other </li></ul></ul>
  15. 16. eMail = a Business Record <ul><li>Today, eMail is one more “official”, organizational, business record. </li></ul><ul><ul><li>What is an “official” business record? </li></ul></ul>
  16. 17. eMail = a Business Record <ul><li>A record that is electronically and / or manually created and retained </li></ul><ul><ul><li>for: </li></ul></ul><ul><ul><ul><li>Legal purposes, reflecting the business objectives of the organization </li></ul></ul></ul><ul><ul><li>such as: </li></ul></ul><ul><ul><ul><li>Patient medical, administrative, and / or financial records </li></ul></ul></ul><ul><ul><ul><li>Employee medical, administrative, and / or financial records </li></ul></ul></ul><ul><ul><ul><li>Departmental administrative records </li></ul></ul></ul>
  17. 18. eMail = a Business Record <ul><li>Therefore, organizations must: </li></ul><ul><ul><li>establish record creation, retention, destruction (i.e., records management) policies and procedures </li></ul></ul><ul><ul><li>assure the record’s completeness </li></ul></ul><ul><ul><li>assure the accuracy of the data within the record </li></ul></ul>
  18. 19. eMail = a Business Record <ul><li>Example records management policies: </li></ul><ul><ul><li>Create and maintain record retention and disposition schedules based on administrative, legal, fiscal, and historical requirements </li></ul></ul><ul><ul><li>Establish documented procedures for the scheduled destruction of obsolete records and retain proof of such destruction </li></ul></ul><ul><ul><li>Develop and implement efficient filing systems </li></ul></ul><ul><ul><li>Locate and organize the records </li></ul></ul>
  19. 20. eMail = a Business Record <ul><li>Example records management policies: </li></ul><ul><ul><li>Train office personnel in the use and function of established records management procedures </li></ul></ul><ul><ul><li>Maintain the confidentiality, security and integrity of the records </li></ul></ul><ul><ul><li>Monitor the completeness of the records </li></ul></ul><ul><ul><li>Monitor the accuracy of the record content </li></ul></ul>
  20. 21. eMail = a Business Record <ul><li>ARE YOU DOING THIS FOR eMAIL?? </li></ul>
  21. 22. eMail = a Business Record <ul><li>Like all business records, eMail is subject to the same course of evidentiary discovery. </li></ul><ul><li>The “e” in eMail = EVIDENCE! </li></ul>
  22. 23. Question <ul><li>My organization had to find and provide an eMail record as documentation in a patient record-based lawsuit, investigation, or audit. </li></ul><ul><li>Yes </li></ul><ul><li>No </li></ul><ul><li>Don’t know </li></ul><ul><li>Not applicable </li></ul>
  23. 24. eMail = a Business Record <ul><li>Like all business records, eMail has a life cycle. </li></ul><ul><ul><li>eMail is: </li></ul></ul><ul><ul><ul><li>created </li></ul></ul></ul><ul><ul><ul><li>indexed </li></ul></ul></ul><ul><ul><ul><li>searched </li></ul></ul></ul><ul><ul><ul><li>retrieved </li></ul></ul></ul><ul><ul><ul><li>routed </li></ul></ul></ul><ul><ul><ul><li>stored / archived </li></ul></ul></ul><ul><ul><ul><li>secured </li></ul></ul></ul><ul><ul><ul><li>purged / destroyed </li></ul></ul></ul>
  24. 25. eMail = a Business Record <ul><li>Today, eMail is one of an organization’s largest and most vital information assets! </li></ul>
  25. 26. eMail = a Business Record <ul><li>Therefore, eMail messages and the information or data contained within, must be managed with the same thought and attention that have gone to managing: </li></ul><ul><ul><li>other byproducts of other communications systems </li></ul></ul><ul><ul><li>other record-generating functions </li></ul></ul><ul><ul><li>other business processes (analog or digital) </li></ul></ul><ul><ul><li>other legal EHR documents. </li></ul></ul>
  26. 27. eMail = a Patient Record <ul><li>Does the eMail record contain PHI or other individually identifiable health information? </li></ul><ul><ul><li>Health information is subject to special legal protection to the extent that it can be traced to an individual patient. </li></ul></ul>
  27. 28. eMail = a Patient Record <ul><li>What does Patient Record eMail with PHI look like? </li></ul><ul><ul><li>Care providers communicating with each other </li></ul></ul><ul><ul><ul><li>About a referral </li></ul></ul></ul><ul><ul><ul><li>Regarding a diagnosis </li></ul></ul></ul><ul><ul><ul><li>About a shared patient </li></ul></ul></ul>
  28. 29. eMail = a Patient Record <ul><li>What does Patient Record eMail with PHI look like? </li></ul><ul><ul><li>Patients communicating with their care providers (and vice versa) </li></ul></ul><ul><ul><ul><li>Asking questions </li></ul></ul></ul><ul><ul><ul><li>Clarifying medications </li></ul></ul></ul><ul><ul><ul><li>Scheduling appointments </li></ul></ul></ul>
  29. 30. eMail = a Patient Record <ul><li>Sample eMail Message </li></ul><ul><ul><li>Subject: Shared patient </li></ul></ul><ul><ul><li>Here’s the info you requested on patient Jane Doe, MR# 12345678 </li></ul></ul><ul><ul><li>She began tamoxifen approximately 05/15/08. </li></ul></ul>
  30. 31. eMail = a Patient Record <ul><li>If the eMail record contains PHI or individually identifiable health information, is this information protected? </li></ul>
  31. 32. eMail = a Patient Record <ul><li>HIPAA does not DIRECTLY address eMail in any of its standards. </li></ul><ul><li>However, because eMail can contain PHI in electronic form, both the privacy and security standards apply! </li></ul>
  32. 33. eMail Strategy <ul><li>Things to do, questions to ask </li></ul>
  33. 34. eMail Strategy <ul><li>Is my organization able to archive eMail messages / records and attachments containing PHI – and associated address and routing information – in original electronic form? </li></ul>
  34. 35. eMail Strategy <ul><li>Does my organization print eMails containing PHI to paper with requests to file them in the paper record?????? </li></ul>
  35. 36. eMail Strategy <ul><li>Has my organization decided how long it must keep eMail messages containing PHI? </li></ul><ul><ul><li>If paper records and EHRs are kept for 7 years, 21 years, etc., then do the same with eMail records containing PHI. </li></ul></ul>
  36. 37. eMail Strategy <ul><li>Purging / destroying eMail messages containing PHI </li></ul><ul><ul><li>Erase the eMails from magnetic storage (not just deleting their directory listings) </li></ul></ul><ul><ul><li>Remove the record from all eMail archive backups made since the eMail was sent or destroy all backup copies made of the archive. </li></ul></ul><ul><ul><li>If your organization backs up to nonvolatile media, such as CD-R or WORM, destroy the media. </li></ul></ul>
  37. 38. eMail Strategy <ul><li>Purging / destroying eMail messages containing PHI </li></ul><ul><ul><li>Note: Every time a healthcare organization sends an eMail containing PHI without the appropriate safeguards to another party, a record of the event might remain indefinitely on the recipient’s eMail server or in its archives! </li></ul></ul>
  38. 39. eMail Strategy <ul><li>Does my organization create and execute disposition instructions for each folder of eMail messages? </li></ul><ul><li>Does my organization enforce its policies? </li></ul>
  39. 40. eMail Strategy <ul><li>How does my organization protect the eMail archives against unauthorized access? </li></ul><ul><ul><li>Organizational roles-based access guidelines, such as those created for HIPAA, apply to eMail. </li></ul></ul>
  40. 41. eMail Strategy <ul><li>Is my organization able to provide auditing of access to archived eMails so that administrators cannot tamper with audit records? </li></ul>
  41. 42. eMail Strategy <ul><li>Has my organization made business continuity / disaster recovery plans for its eMail with replication and automated recovery? </li></ul><ul><li>Can my organization back up and recover its eMail server while it is online, so that system downtime is minimized? </li></ul>
  42. 43. eMail Management <ul><li>eMail management is an enormous and complex problem. </li></ul><ul><li>The problem is expected to get worse as the number and type of senders and receivers increase exponentially. </li></ul>
  43. 44. eMail Management <ul><li>Step #1 </li></ul><ul><ul><li>Manage eMail messages / records containing PHI within an organizational, electronic content management strategy. </li></ul></ul>
  44. 45. eMail Management <ul><li>For example, most often, the PHI contained in eMail messages / records is interconnected (e.g., regarding Joe Smith’s diagnosis). </li></ul>
  45. 46. eMail Management <ul><li>Therefore, one must ensure that: </li></ul><ul><ul><li>all the eMail messages / records relating to Joe Smith can be located. </li></ul></ul><ul><ul><li>the organization’s eMail strategy includes identifying all existing, enterprise-wide repositories that securely store eMail records and attachments which merit evidentiary handling. </li></ul></ul>
  46. 47. eMail Management <ul><li>Step #2 </li></ul><ul><ul><li>Work with your organization to develop or acquire an eMail Management System to help realize the strategy. </li></ul></ul>
  47. 48. eMail and the Legal EHR <ul><li>Is a vital Legal EHR issue! </li></ul><ul><li>Requires guidelines and standards for incorporation into the EHR functional outline </li></ul><ul><li>Presents huge opportunities to reduce the EHR’s risks of legal costs in evidentiary proceedings </li></ul>
  48. 49. eMail and the Legal EHR <ul><li>Presents formidable EHR challenges with respect to eMail’s anticipated, continuous, and explosive growth </li></ul><ul><li>Requires new or additional EHR-related business processes, such as informed consent for eMail records containing PHI </li></ul>
  49. 50. eMail and the Legal EHR <ul><li>Allows health information management professionals to oversee and focus on the many, EHR-based repositories, both digital and analog, inside and outside their existing domains </li></ul>
  50. 51. eMail and the Legal EHR <ul><li>Requires that eMail repositories are interfaced with all the other repositories, databases, and systems feeding electronic information into the EHR </li></ul>
  51. 52. Before Audience Questions
  52. 53. eMail Management Systems <ul><li>Sample Functional Requirements </li></ul><ul><ul><li>A centralized, server-based archive </li></ul></ul><ul><ul><li>A classification tool </li></ul></ul><ul><ul><ul><li>with intuitive methods for identifying eMail classifications, such as patients or the Privacy Official’s meeting minutes </li></ul></ul></ul>
  53. 54. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>A rules-generator </li></ul></ul><ul><ul><ul><li>with intuitive methods for identifying retention schedules or encryption parameters by classifications and sub-classifications </li></ul></ul></ul><ul><ul><ul><li>triggered automatically by actions, such as deleting or encrypting the “patient” class or sub-class of eMail after x number of days / months / years so it cannot be accessed </li></ul></ul></ul>
  54. 55. eMail Management Systems <ul><li>For example: </li></ul><ul><ul><li>When an individual closes an eMail and is ready to discard or save it, a prompt should appear with a YES or NO choice, asking if the user would like to make this eMail a part of any of the health care organization’s “official” business records, such as a patient medical record. </li></ul></ul>
  55. 56. eMail Management Systems <ul><li>Note: </li></ul><ul><ul><li>The previous function can be managed in the background using web technology so that, for example, each new patient added to the MPI triggers a domain name with all inbound and outbound mail captured for patientname.com . </li></ul></ul>
  56. 57. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>Tried and true search capabilities </li></ul></ul><ul><ul><li>Full text indexing and cataloging capabilities </li></ul></ul><ul><ul><li>Ability to work with existing eMail programs, such as Microsoft’s Outlook </li></ul></ul>
  57. 58. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>Ability to enforce user-defined eMail archiving policies </li></ul></ul><ul><ul><ul><li>issuing eMail notifications to all authorized users when eMail records #1 – 100 for patientname.com are approaching the seven year retention mark </li></ul></ul></ul><ul><ul><ul><li>issuing eMail notifications when user mailboxes contain more than, for example, 100MB of messages </li></ul></ul></ul>
  58. 59. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>Ability to search the content of incoming eMail records containing PHI and automatically route the messages based on subject matter or other, user-defined criteria </li></ul></ul>
  59. 60. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>Ability to scan the text of each eMail prior to sending it to detect key words and phrases indicative of sensitive subject matter, such as “abortion”, “HIV”, “depression”. </li></ul></ul><ul><ul><li>Ability to automatically display a reminder that such eMail is not appropriate for certain exchanges. </li></ul></ul>
  60. 61. eMail Management Systems <ul><li>Functional Requirements (continued) </li></ul><ul><ul><li>Ability to enforce security policies </li></ul></ul><ul><ul><ul><li>with network administration capabilities, such as managing large files, file types, and attachments, for defending against viruses, spam, and malicious code </li></ul></ul></ul><ul><ul><ul><li>with process management capabilities, such as encrypting eMail messages containing PHI </li></ul></ul></ul>
  61. 62. eMail Management Systems <ul><li>Note: </li></ul><ul><ul><li>Never archive encrypted eMail records containing PHI! </li></ul></ul><ul><ul><li>You might lose the algorithms or keys! </li></ul></ul>
  62. 63. eMail Management Systems <ul><li>Sample Technical Requirements </li></ul><ul><ul><li>eMail server management with support for low-cost storage </li></ul></ul><ul><ul><li>Quick and efficient recovery capabilities </li></ul></ul><ul><ul><li>Tamper-proof system capabilities </li></ul></ul>
  63. 64. eMail Management Systems <ul><li>Technical Requirements (continued) </li></ul><ul><ul><li>Ability to easily clean up a message archive and prevent the loss of information following a virus attack </li></ul></ul><ul><ul><li>Maintaining historical records of backups if there is an external request for information as a result of legal issues </li></ul></ul>
  64. 65. Sample Vendor Reference List – eMail Management Systems <ul><li>Autonomy (autonomy.com/zantaz) </li></ul><ul><li>EMC Software (software.emc.com) </li></ul><ul><li>FileTek, Inc. (filetek.com) </li></ul><ul><li>Mimosa Systems (mimosasystems.com) </li></ul><ul><li>OPENTEXT Corp. (opentext.com/ixos) </li></ul><ul><li>Sigaba Corp. (sigaba.com) </li></ul><ul><li>Tumbleweed Communications (tumbleweed.com) </li></ul><ul><li>Xythos Software, Inc. (xythos.com) </li></ul><ul><li>Zix Corporation (zixcorp.com) </li></ul><ul><li>ZL Technologies, Inc. (zlti.com) </li></ul>Vendor Reference List is NOT endorsed by AHIMA or Dak Systems Consulting
  65. 66. Audience Questions
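
The pre-send scan described on slide 60, applied to the sample message from slide 30, as an added example that is not part of the original presentation. The key words are the slide's own; the `MR#` pattern, the addresses and the function names are assumptions made for illustration, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy

# Key words from slide 60. The MR# pattern is an assumption modelled on the
# deck's sample message ("MR# 12345678"); real MRN formats vary by site.
SENSITIVE_TERMS = ("abortion", "HIV", "depression")
TERM_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SENSITIVE_TERMS)) + r")\b", re.IGNORECASE
)
MRN_RE = re.compile(r"\bMR#\s*(\d{6,10})\b")

# Constructed sample messages (not real mail).
SAMPLE_PHI = (
    "From: dr.a@clinic.example\nTo: dr.b@clinic.example\n"
    "Subject: Shared patient\n\n"
    "Here's the info you requested on patient Jane Doe, MR# 12345678\n"
    "She began tamoxifen approximately 05/15/08.\n"
)
SAMPLE_BENIGN = (
    "Subject: Archive migration\n\n"
    "The mail archive moves to new storage on Friday.\n"
)
SAMPLE_TERM = "Subject: Follow-up\n\nPatient reports depression; HIV test pending.\n"


def text_of(msg):
    """Subject plus every text/plain body part (attachments are not inspected)."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def naive_scan(raw):
    """Substring matching: flags 'archive' because it contains 'hiv'."""
    return [t for t in SENSITIVE_TERMS if t.lower() in raw.lower()]


def scan_outbound(raw):
    """Whole-word key word scan plus MRN detection on an outbound message."""
    msg = message_from_string(raw, policy=policy.default)
    text = text_of(msg)
    terms = sorted({m.group(1).lower() for m in TERM_RE.finditer(text)})
    mrns = sorted(set(MRN_RE.findall(text)))
    return {
        "terms": terms,
        "mrns": mrns,
        # An MRN ties the message to a patient, so it lands in the "patient" class.
        "classification": "patient" if mrns else "unclassified",
        "remind": bool(terms or mrns),  # show the reminder before sending
    }
```

Whole-word matching matters here: a plain substring search raises the reminder on every message that mentions the mail "archive".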