NHIN Direct Project – National Health Network
The Nationwide Health Information Network (NHIN) Exchange offers real world value. In addition to the Kaiser Permanente and Veterans Administration networks, others are being built out today.
The Morris-Somerset IPA (MSIPA) is an Independent Physician Association made up of 590 Physicians. MSIPA recently signed a contract with eCast Corporation of Raleigh, NC and max.md of Fort Lee, NJ to provide a SaaS HIE which includes an operational NHIN solution. While eCast has offered EHR products for nearly 20 years, they looked to max.md to provide the NHIN Direct piece of the infrastructure.
max.md pioneered the development of this NHIN infrastructure four years ago. The push technology uses a segment of the internet, the .md top level domain, as a secure transport layer to link all of the constituencies. Physicians, patients, hospitals, and business associates can communicate in full uncompromised security.
The platform maintains ePHI integrity via several technologies. This approach is entirely consistent with the idea of organizing locally, and standardizing globally. max.md already has clients in 30 countries and within 22 healthcare business segments. The solution scales to meet any local, regional, or statewide effort, while providing a global health information network which satisfies HIPAA, HITECH, NHIN and FTC Privacy by Design standards and guidelines.
This proven and streamlined national health information network offers an operational solution to the 744,000 small, medium, and large businesses, which comprise the US healthcare market. Small healthcare groups can access the secure network with familiar communications programs already on their desktop. Larger organizations, such as the Orthopedic Institute of South Dakota, have tied into the platform with less than two hours of installation time.
Based on the SaaS model, the lease cost works out to pennies per user per day. A positive ROI is immediately achieved by moving towards a “fixed cost” electronic mail model which can also handle structured data, such as a CCR. Large enterprises with internal HIT infrastructure are given provision for maintaining admin controls. The transition is invisible to end users as the ramp up does not disrupt workflow.
The science project phase of NHIN Direct was five years ago – well before the Direct Project was conceived. A significant global healthcare constituency has already adopted the uncompromised security of the max.md technology portfolio.
Privacy vs. Identity Theft
Remember when identity theft brought thoughts of stolen credit card numbers? The range of online identity theft is now so overwhelming that the federal government is attacking it head on, as well as from two flanks. The latest Federal Trade Commission approach is meant to mirror the existing security measures developed by the European Union.
Four years ago – and well in advance of healthcare reform, the EU’s rules, or the FTC’s reaction, max.MD developed a system for uncompromised privacy. The engineers created the .md secure transport layer for the movement of protected health information. They also created an encrypted push technology, which simultaneously speeds the workflow of electronic communications. Because the clinical data does not reside at a web 1.0 physical address where hackers, scrapers, trackers, or sniffers can attack, the integrity of health identity is protected.
The federal department of Health and Human Services can levy penalties as large as $1.5 Million for breaches and infractions resulting in the loss of protected health information. The federal government is also working with the healthcare industry under the NHIN Direct banner to achieve enforceable standards for safeguarding patient information.
Most noteworthy is the new FTC Privacy by Design Initiative. It seeks a normative framework to improve consumer privacy. The desire is to produce parity with the EU’s standards.
Microsoft is upping the ante with the next Internet Explorer “Do Not Track” feature. Users will be able to subscribe to lists of offending web sites, known to gather personally identifiable data. The Tracking Protection Lists (TPL) can be updated and distributed in a manner similar to antivirus software definitions.
Online identity theft is now making front page news on a daily basis. While others are struggling to find a solution, the max.MD secure communications platform has already been established in 30 countries and 22 healthcare segments. Operational. Proven. Robust. No other group can claim this level of achievement.
Finding Efficiencies in the Healthcare Evolution
Everyone from broadcast news reporters to the next door neighbor complains about today’s health care. Name a topic. Waiting rooms. Cost of care. Trying to obtain follow up information.
Read the headlines. $2 Trillion for healthcare reform. What is the benefit? Who benefits? Will federal funding solve all of our problems?
It does not take too much effort to deduce that America’s chief healthcare problems are specific to service, communication, and data sharing. Walmart has capitalized on efficiencies and now offers 13 common medical services. Cost of the visit is advertised at $65. Their message is clear: a fast, easy, and less expensive alternative to traditional medicine. Speak with a trained healthcare pro when you want.
Walgreens, Rite Aid, CVS, Duane Reade, and others are also now competing with traditional family physicians for a share of the clinical service market. Add MinuteClinic, Aurora Healthcare and other walk-in clinics to the mix. If this is where common emergency and wellness care is headed, what is the message to family physicians?
In the era of iPhones and Blackberries, why can’t physicians communicate securely and efficiently?
Patients want the same regard for their time which other service providers offer. The internet has created educated consumers. Individuals need to know the bottom line before making any decision. Communication is as important to medicine as it is to Wall Street.
With the .md platform of secure electronic communication, physicians and their staff members can now streamline their communication while reducing overhead expenses. Why wait for an overnight letter when you can receive the attachment via mdEmail now?
If quality of patient care is enhanced with proactive communication, medical staff should be building loyalty and patient satisfaction with improved electronic communication. Add the following to the list: scheduling, schedule reconfirmation, follow up care – including points of action and medications, inter-office consults, clinical data transfer, and patient record updates. Most important is compliance with both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). All of the above fall under the umbrella of MaxMD’s communications tools.
There is no need to wait for Electronic Medical Record implementation. The communications suite is available at a cost below that of one overnight letter per week. The investment covers a staff of six! Several EMR companies are integrating the mdEmail tools into their products so that staff can communicate with the same efficiencies common to every other industry.
These EMR companies recognize that the most protected way to transfer patient forms is not through web portals, but rather using the .md transport system. Firewall defenses become more robust as routine traffic is segregated outside of the perimeter. Recent news articles of “scraped” patient information, attacks on hospital databases, and errors in medical database administration, have all led to HITECH fines and penalties.
One of the primary vulnerabilities for protected health data is the exploitation of “patient portals”. These are web pages used both by patients and by medical staff for exchange of personal information, health recommendations, health records, and financial transactions.
Scraping is the assimilation of a broad description of an individual’s personal information gathered while crawling through improperly secured web sites. The combination of bits of data to create a larger picture of each person’s buying habits, health, family information and other demographic details is worth millions of dollars to corporations investing in research, development, marketing, and sales of products or services.
Other kinds of data gathering are more malicious. Identity theft with medical data leakage is a huge concern. That is why HIPAA / HITECH has the power to levy penalties reaching $1.5 Million for breaches and infractions in data handling.
Only MaxMD offers top level domain architecture containing a secure transport layer specifically designed for the healthcare profession. In simple terms, the solution is truly secure because it is not built on an old paradigm. Wired Magazine draws attention to this concept of repurposing the internet for data sharing, “one of the most important shifts in the digital world has been the move from the wide-open Web to semiclosed platforms that use the Internet for transport” 1
The innovative MaxMD product suite covers a complete range of needs. The tools are easy to use – and they stand up to the most rigorous scrutiny of Electronic Medical Record (EMR) solutions providers, healthcare enterprises, as well as individual physicians. With high user satisfaction in each of these areas, the HIPAA secure platform sets a new standard for electronic healthcare communications.
MaxMD’s desire to provide better healthcare solutions has already been proven. It efficiently helps patients, doctors, and staff while also improving quality of care. This is a significant advance over the web 1.0 patient portal scheme. Our platform is a modern bridge over which critical communication can travel.
1 “The Web Is Dead. Long Live the Internet”
By Chris Anderson and Michael Wolff, August 17, 2010
http://www.wired.com/magazine/2010/08/ff_webrip/
The AMA, Social Networking, and What You May Not Know
In a November 8 announcement, the American Medical Association suggested controls on social networking ( http://www.ama-assn.org/ama/pub/news/news/social-media-policy.shtml ). While the framework is critically needed, the statement is blatantly minimalistic. It does not provide the kind of detail which physicians need in order to abstract a benchmark.
I would like to assist by providing some of the critical information which should have been found in an appendix:
List of terms and corresponding definitions:
Dominant Social Networking Sites: Facebook, Twitter, LinkedIn, and Plaxo
Secondary Social Networking Sites: Blogs, Forums, and Special Interest Group Web Sites
Professional Networking: Business address and description. Answers the question, “How do clients find me?”
Personal Networking: Joins groups around common interests including: community, sports interest, recreational interest, arts, mentoring.
Screen Name: Substitute identity for the purpose of anonymity, e.g. “joeB”, “Larry6spd”
I would suggest that the separation of professional and personal networking structure should be far greater than the AMA outlined.
A professional presence has the primary purpose of marketing to a target client audience. A professional website which is branded to the physician’s practice is the best approach. A physician’s WebCard is a second approach which is equivalent to an online yellow page listing.
Physicians who actively follow an interest in golf, cars, art or other specialty groups might limit exposure by using a “screen name”. When obscured in this fashion, personal comments cannot be construed to be specific to a given physician or to a medical practice.
Bear in mind that all social networking sites are based on the business model of gathering personal information for resale or promoting advertising specific to the individual’s interests. That level of snooping is invasive, if enough personal information is made available.
An entire industry has evolved from correlating public records, personal information scraped from various blogs, forums and social sites, as well as information lifted from supposedly secure locations. The composite identity developed for each person can be damagingly accurate. The data has been used for developing marketing demographics as well as for malicious purposes, with current sales valued in the multimillion-dollar range.
The key element in the AMA guidelines is described, “Recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.”
Because Google and other search engines can locate almost any comment ever posted on a social networking site, there is no way to delete or destroy the record of that statement. Look at how many politicians have been called to task for teenage indiscretions. A haunting history is searchable, should it exist on the internet.
Therefore the gulf between social networking and professional medical practice needs to be regarded with the same integrity used by diplomats protecting their countries. Any weakness can become a potentially large lever in the future. Or as my dad used to say, “When in doubt, don’t!”
Tracking 2010 Privacy Failures
Based on this year’s reports*, 189 HIPAA / HITECH failures and penalties have been made public. These numbers do not reflect the unreported incidents, or those involving identity losses below a 500 person threshold.
Noteworthy are 15 Unauthorized Access/Disclosures Incidents, 11 Hacker Incidents, and 1 CD Theft. Factored over a nine month period, this number averages three failures per month.
Analysis indicates that the 26 cases related to hacker incidents and unauthorized access could largely have been prevented by closing patient portals.
Portal issues can be divided into two columns. 1) Faulty code which allows hackers an opportunity to explore weaknesses in security. 2) Failure to safeguard identities, including user names and passwords.
Why do individuals save protected health information to CDs? Electronic transmission is both expedient and more secure. On the back side, CD destruction is an additional waste of time and effort.
With penalties reaching as much as $1.5 million, the cost of exposure is huge. As many try to avoid the penalties and litigation costs, the numbers cited are only those who self-reported or were found out. No one knows the true magnitude of identity loss or the corresponding costs.
Can your data be compromised as well?
MaxMD has engineered a Web 2.0 solution, which offers military grade security critical to protecting health records. This technology has been adopted as a standard within three Electronic Health Record (EHR) / Electronic Medical Record (EMR) solutions and by thousands of individual users.
There have been no .md security breaches because every transaction takes place at the end-user’s inbox, not behind the group’s firewall!
Each practice using mdEmail saves significant postage costs. The printing, CD burning, packaging, and address label processing contribute to additional labor and overtime waste. What is your monthly postage expense?
The take-away is simple: For pennies a day, the group can buy ease-of-use, security, and productivity. The alternative costs are heavy with fines, increased office overhead expenses, and time loss.
The MaxMD platform of secure communications products is unique because it has gained strength from its top level domain vantage. As a capital efficient solution, it has revolutionized the communication of healthcare information across the web.
MaxMD has architected a fresh and complete solution within the .md domain. The mdEmail product range is HIPAA / HITECH compliant. The tools are easy to learn and user friendly. No patient Web 1.0 portal administration is required.
Outbound and inbound healthcare data are protected – from any source, to any destination. The product suite includes: group branding, secure web hosting, protected electronic communication, on-the-fly messaging, and medical record encryption / decryption. Cost savings are gained both by eliminating hard copy postage and reducing work load. The solution is scalable from the needs of single individuals to the demands of an enterprise healthcare provider.
*http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Comments on Physician Inertia re: Email
Last week an article published by the KevinMD.com blog, http://www.kevinmd.com/blog/2010/10/physician-email-implementation-inertia.html#comments , received several responses. I would like to address both the questions posed by the responses as well as to ask a few questions myself.
The context of the article explained that while physicians are slow to adopt email technologies, the office staff is in critical need of both better communication tools and HIPAA compliant security. The piece states that while about 30% of any medical practice’s communication with a patient is from a physician, the needs of the 70% staff volume are not properly being addressed.
Examples of improved health status due to better communication, reduction in overhead costs, and responding with immediacy through secure email, all point to advantages gained using today’s technologies. Somehow many of those responding to the blog either missed the content of the article or wanted to draw attention to personal experiences which were tangent to the message.
Observation 1: Compensation
The concept of eVisits or eConsults is gaining ground with many insurance companies. They are willing to fund time spent in providing better patient care. From their perspective, wellness care is less expensive than the costs of episodic major health intervention.
A couple of those responding were not familiar with this paradigm shift. It may be that it has not reached the regions where their practices are based. Thomas Miller added this information, “20 states have addressed this concern with legislation. (http://www.transformed.com/e-Visits/e-Visits_There_Yet.cfm)”
We would like to hear from you in learning more detail of your geographical vantage. Have any of you contacted each of the insurance companies you work with to learn if they are funding eVisits?
Observation 2: Reduced Overhead Expenses with EMR / EHR adoption
While there are plenty of articles published indicating that the first year of electronic record implementation can be full of twists and trials, those are by and large straightened out within 12 months. The return on investment typically occurs over that first year with an improved bottom line during year 2 and moving forwards.
Rather than depending solely on these published articles, we would like to hear from you. We are not looking for second hand information. Please limit all comments to personal experience with an installation beyond the 12 month threshold.
It would be interesting to obtain comparison data of 2, 3, 4, and 5 year implementation maturity. Your willingness to provide insights will potentially aid the community in achieving actionable information.
In summary, this forum is meant to foster both group interaction as well as providing value to the community. Your participation will progress the common good. If you are using mdEmail in your practice, please let us know how it has addressed the following list of topics:
- Time Management
- Overhead Costs
- Patient Loyalty / Retention
- Staff Morale / Job Satisfaction
- Wellness Improvements / Patient Health Trends
- Peace of Mind and Legal Issues: HIPAA / HITECH
- Ease of Use / Learning Curve
- Migration toward Reduced Paperwork
What is Data Scraping?
Data Scraping technology allows companies to hunt down demographic and personal data found anywhere on the web, including social networking sites, forums, blogs, resume/employment sites, or marketing sites owned by other entities. The search technology puts every bit of improperly secured data at risk of being misused by both the search company as well as the end users who purchase this information.
The practice of selling this found data is expected to rise from the 2009 figure of $410 Million to a 2012 estimate of $840 Million, according to Winterberry Group LLC. If performed on a large scale, obscure user identities can be cross referenced to other posts found elsewhere. This allows the perpetrator to piece together a range of personal identity information.
The Wall Street Journal on October 12, 2010 released an article entitled, ‘Scrapers’ Dig Deep for Data on Web.
http://online.wsj.com/article/SB10001424052748703358504575544381288117888.html
The writers found that the Nielsen Company media research firm had penetrated a forum called PatientsLikeMe.com.
One 33 year old contributor to the forum wrote under a pseudonym. His identity was compromised when a blog at a separate location was tied to PatientsLikeMe.com. Contributors were notified of the breach and given opportunity to remove personal data.
The Wall Street Journal writers uncovered additional information in Nielsen’s history. “In 2001, the venture-capital arm of the Central Intelligence Agency, In-Q-Tel Inc., was among a group of investors that put $8 million into the business” which later evolved into NM Incite under a Nielsen / McKinsey and Co. joint ownership venture.
While the technology was high tech, it can now be found in no cost software from a Utah based company. Scrapers are operating in a gray area not specifically covered by the law. The lesson learned is simple: any information entered into a web form is at risk.
.md Secure Transport Layer
MaxMD has engineered a system for electronic communication of Protected Health Information and Continuity of Care data via their secure transport layer. This is the first massively protected system which offers real time communication and data sharing specific to HIPAA and HITECH standards.
Collaboration between individual physicians, medical practice locations, clinical data repositories, patients, referrals, and business associates is guarded by MaxMD’s military grade product suite. Other solutions are advertised as being HIPAA / HITECH compliant, while hackers have broken into them. The significance of our impenetrable security cannot be overstated.
It sounds complicated, however the user experience is friendly – WITH ALMOST NO LEARNING CURVE. The technologies can be set up in a matter of minutes.
Every spoke on the communications hub has been addressed. Outbound, inbound and internal messaging each require specific security considerations. MaxMD has a solution for every need – with none of the risks associated with portal type solutions.
mdEmail offers peer to peer secure messaging with the ease of use expected in traditional email. All users are under a common protected environment. The workflow maintains an uncluttered and friendly approach, free of third party portals and redirected correspondence. This most powerful of firewalls sets the market standard for security and intuitive workflow.
SendAnywhere allows a user inside of the protected environment to maintain security over messages and documents sent outside of the domain. The on-the-fly encryption puts a padlock around the message and attached data. This is transparent to the sending user with no extra effort required. The receiving party may be a peer, a patient, or a business associate. That person simply unlocks the information with a unique user name and password. The recipient is notified via Email or Smartphone.
mdSecureSend can be provided to medical patients, business associates and others who do not have accounts within the secure domain. It provides an elegant approach to sending private information without the encumbrance of a web portal administration plus corresponding learning curve.
SecureInternetMessenger operates on any Windows platform computer for intra-office patient status updates. Those who are familiar with IM, Facebook messaging or iChat will find this tool to be a huge time saver. Time otherwise spent with phone calls and emails can be reduced with this productivity solution.
Manufacturers of EMR / EHR, PACS, or Practice Management software will find that the MaxMD offering addresses both communications and support responsibilities for many kinds of connectivity between healthcare nodes.
Healthcare providers may take advantage of these tools immediately, in advance of any future movement towards a paperless office. The cost of installation for a six person office is less than the cost of one overnight letter per week. Furthermore the productivity improvements reduce the cost of labor and overtime expenses by several thousand dollars per year. The solutions meet all HIPAA / HITECH criteria.
Response to HSC Data on Low Physician eMail Implementation
Looking at the industry response to the recent study released by the Center for Studying Health System Change, Physicians Slow to E-mail Routinely with Patients – Issue Brief No. 134 ( http://www.hschange.com/CONTENT/1156/ ) it appears that a piece of the puzzle is missing. Both the study, and the analysis, put the physician at the center of the email debate. In reality, about 30% of a medical practice’s communication is from the doctor.
The comment that, “only 6.7 percent of office-based physicians routinely emailed patients in 2008” should not become the headline, or even the summary.
The key statement should read, “HIPAA compliant secure email statistically improves healthcare, saves overhead expenses due to efficiencies, and responds to the requirements of legislated healthcare reform.”
It may be that the physician is responding to a survey question that is not properly structured. The analysis postulates that physicians assumed each is individually communicating with patients, peers, and business associates.
When examining a practice’s existing workflow, analysis indicates that it is the staff who will best benefit from secure electronic mail. A physician’s role is not to take time for routine communications, but rather to oversee the quality of patient health.
Rather than simply looking at email for personal use, the physician might better view encrypted email as a tool that can improve care, save labor costs, and improve job satisfaction by allowing the staff to communicate asynchronously.
Think about the last time you visited a doctor’s office. The staff were each on the phone, writing notes, filing information, or responding to patient questions. MaxMD’s survey of their encrypted email users indicates that some 70 percent of secure electronic communications are initiated by office staff, not by the physicians themselves.
Patients might be given an office identity email address (e.g. dr_who@drwho.md), which internally is recognized as a general office account. The physician’s personal address should be restricted and may take the form of “awho@drwho.md”. This is similar to other industries. The individual will not need to answer a flood of messages arriving on the Blackberry or other smartphone.
Developing efficiencies is simply a matter of applying some of the standard operating procedures employed by today’s business leaders. Selective use of email accounts facilitates good communication while reducing disruption.
Outside of the healthcare profession, every other industry has found major improvements with electronic communication. Current reports indicate that the US Postal Service expects a $6 Billion operating loss this year. The chief competitor is email.
Each person involved with the coordination and administration of medical care should be sensitive to patient needs and reaction time. Secure email for healthcare professionals is a higher priority need for office staff than it is for individual physicians.
When you consider that some 85% of healthcare practices have flat to declining revenue over the past three years (the physician foundation study) it only makes sense to look at encrypted email as other industries have. Email is ubiquitous because it is a valuable business tool.
Electronic communication is not simply a cost savings measure. It is truly a better tool for building patient ownership in medical care participation.
In a Kaiser study of 35,423 people with diabetes, hypertension, or both, the use of secure e-mail over the course of a two-month period was associated with a statistically significant improvement in effectiveness of care. Researchers found a 2.0–6.5 percentage point performance improvement, based on Healthcare Effectiveness Data and Information Set (HEDIS) measures such as glycemic (HbA1c), cholesterol, and blood pressure screening.
Compound this data with other recent findings printed in, “The Annals of Family Medicine” which estimated, “health care costs would likely decrease by 5.6%, resulting in national savings of 67 billion dollars per year”, based on simply communicating patient health information between professionals on an improved basis.
Rather than discussing the inertia of physician-adopted email, we should be looking at supporting every other piece of the communications puzzle including EMR / EHR document, Continuity of Care Data, Health Information Exchanges, Clinical Data Repositories and Patient Response. mdEmail is a portable solution which is ready to be inserted into other software products. Several manufacturers have already standardized on the .md secure transport system.
HIPAA compliant secure email statistically improves healthcare, saves overhead expenses due to efficiencies, and responds to the requirements of legislated healthcare reform.
Email usage by doctors in 2010
In a report released October 2010 by the Center for Health System Change, the observers commented that, “only 6.7 percent of office-based physicians routinely e-mailed patients”. This stands in stark contrast to all other forms of business where close to 100 percent of all individuals maintain at least one email account. One report indicates that most accounts average 110 messages per day.
CNN Tech reports, “In 2009, worldwide e-mail traffic amounted to 247 billion messages per day”. If the rest of the world is centered on email communication, why are doctors lagging so far behind? The HSC report points out that among other reasons, the two most notable issues relate to HIPAA compliance and compensation.
The federal government mandates secure measures for communicating clinical information to a patient or to other health professionals. The study notes that physicians either do not have secure communication methods or are not comfortable with the electronic communications tools available to them. It seems that few locations have invested in automated encryption of email.
If communication concerns can be addressed by integrating a scalable, nondisruptive MaxMD solution which offers a shallow learning curve, then medical practices should be able to increase efficiency and improve bottom line profits.
Following the financial picture, compensation opportunities are evolving. The HSC report notes the following three trends.
- Aetna and CIGNA are reimbursing providers nationwide for virtual visits, or “eVisits,” including the use of secure messaging on a per-visit basis.
- Another option is to reimburse providers on a set fee per patient basis for engaging in a broader set of care coordination activities described as a Patient Centered Medical Home.
- Another approach is to charge patients annual fees for access to eVisits. Patients might be willing to underwrite the additional cost in return for time and travel savings and increased convenience.
The report summary encourages health practices to seek secure email options. The MaxMD suite of tools best fits that recommendation. The suite offers HIPAA / HITECH conforming solutions including:
- mdEmail – peer to peer secure communication
- SendAnywhere – mdEmail to any email client encrypted messaging
- mdSecureSend – patient or third party secure transmission of messages and attachments to mdEmail users
Each email tool provides a very easy nondisruptive solution for the flow of health communications. In every business time is money. Today’s technology demands better time accountability. Will your group tap into the potential revenues derived from eVisits?