Secure Patient-Provider Communication: Risks and Privacy Concerns

Secure, web-based patient–provider communication tools are dedicated systems designed to support patient–provider and provider–provider electronic communication. They require unique log-in procedures and user identifiers to secure the privacy of such communications, and are often augmented by additional features like appointment scheduling, medication refill processing, viewable diagnosis and medication lists, and a means by which patients can view lab data and other parts of their electronic health records (EHRs).

In an earlier post, we described the benefits of such systems for patients and providers. Now, we take a closer look at their downside potential and make some recommendations about how best to mitigate these risks.

Patient and Provider Concerns
Patients are inclined to like secure messaging tools because they have the potential to augment rushed, often unsatisfying face-to-face encounters with their doctors. When patients do raise concerns about such systems, the concerns usually result from a mismatch between patients' expectations and the service the tools actually provide.

For example, based on their experiences with email and other electronic transactions, many patients expect user interfaces to be quite intuitive and the responses from providers to be “same-day” or better. Others become frustrated with the need for separate log-ins and other measures designed to ensure their health information remains secure. This is especially true for patients who have used traditional email in the past to communicate with providers.

Still other patients will be disappointed if the tool does not include a particular feature, for example one that allows them to see their laboratory results, or if the system is plagued by downtime and poor customer support. And most patients are sure to complain if they perceive that physicians are using electronic communication in place of face time, or that people other than their provider have access to their missives.

For their part, providers worry the new medium will interrupt their workflow and open the floodgates to a barrage of new input from patients, especially when their time spent using secure communication tools is rarely reimbursed. They also worry that patients will use secure communication tools for emergencies or complicated problems that are better handled in the office. In addition, providers worry that patients who view their “raw” health data online will become unnecessarily worried and require lengthy explanations to quell their fears.

Privacy Concerns
While the above-mentioned concerns are real, protecting patient privacy is the top concern for the majority of patients and providers. In fact, EHR vendors and providers implementing these tools have a legal obligation to ensure their systems and organizational policies meet HIPAA requirements and any other relevant privacy laws.

The challenge is daunting for several reasons. For example, many patients receive care from providers affiliated with multiple organizations, yet patients may prefer to share only certain parts of their medical history with each one. In addition, providers may have several reasons other than direct patient care to access a patient's medical record, for example to carry out quality reviews or research. An additional complicating factor is that patients may prefer not to share their records with parents or guardians, a problem that crops up when teens discuss sexual activity with their providers, or when patients confide issues with substance abuse, infidelity or domestic abuse.

Here are some more privacy-related questions on the subject of secure, patient-provider communication tools that were raised in an excellent review of the subject by Douglas Wakefield and colleagues:

  • Will providers and patients be required to exclusively use the secure patient–provider communication tool, or will traditional email be allowed in some instances?
  • Will all clinically related secure message exchanges between patients and providers be retained, and if so for how long?
  • How will access be handled for adults either caring for or serving as legal guardians of their elderly parents? That is, how will permission for access to the same electronic health record be given to more than one authorized user?

Conclusions and Recommendations
Secure web-based patient-provider communication systems can improve health care outcomes and patient satisfaction with care. The risks associated with such systems can be managed, so long as EHR vendors develop them and providers implement them thoughtfully.

Implementation tips:

  • Track the volume and type of patient requests, and the timeliness of the response by providers.
  • Make someone accountable for ensuring providers respond to patient inquiries in a timely fashion.
  • Implement a policy regarding the use of traditional email (when, if ever, is it appropriate to use it?).
  • Consider alerting patients when new information is entered that they can access.
  • Consider adding features that identify urgent messages from patients.
  • Consider alerting patients when providers cannot respond (e.g. when they are on vacation).
  • Develop cross-coverage strategies for such occasions.
  • Track patient satisfaction with the secure communication tool. Improve the system as necessary.

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs
Practice Fusion EMR