Emailing MDs for orders

Nurses HIPAA

Published

  • Specializes in Quality, Cardiac Stepdown, MICU.

We have a system where we can "airmail" the nocturnist when we have a question, and it's basically an email to their phone that appears like a text message. I am told this is a secure messaging system, and I use an address book feature so the correct number is always entered; no chance of sending it to the wrong place.

We will use this to say, "A435 requests a sleeping pill please," or "BP improved for B375, now 110/70." We have electronic order entry, so if it's a simple request the MD will often just input the order, for the sleeping pill or whatever, and not need to call me.

Sometimes I will be more specific, esp if it's a new admit. "C548, Allen, J., new admit for CP, requests something for anxiety. Not currently on his med rec but he says he's taken 0.25 xanax in the past. VSS, oriented, no pain now. Thanks, NurseDelphine, ext 12345." I've been told by some nurses that I absolutely can't use the pt's name in the page, but that's how the MD's look them up (not by room number) and it's secure messaging. The hospital does NOT have a written policy on how this system should be used. I'm trying to save certain docs time; some I know will always call me to look up info over the phone with me, while others want to address my request and go on to the next thing.

Thoughts?

toomuchbaloney

12,662 Posts

Specializes in NICU, PICU, Transport, L&D, Hospice.

In my experience text messages are not secure enough to include any protected information unless they have an additional layer of encryption added to protect the content.

Esme12, ASN, BSN, RN

1 Article; 20,908 Posts

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

I found this....

Unfortunately, traditional SMS messaging is inherently nonsecure and noncompliant with safety and privacy regulations under the Health Information Portability and Accountability Act (HIPAA). Messages containing electronic protected health information (ePHI) can be read by anyone, forwarded to anyone, remain unencrypted on telecommunication providers’ servers, and stay forever on sender’s and receiver’s phones.

In addition, senders cannot authenticate the recipient of SMS messages (ie, senders cannot be certain that the message has been sent to and opened by the right person). Studies’ have shown that 38 percent of people who text—including me—have sent a text message to the wrong person.

As a result, The Joint Commission has effectively banned physicians from using traditional SMS for any communication that contains ePHI data or includes an order for a patient to a hospital or other healthcare setting. A single violation for an unsecured communication can result in a fine of $50,000; repeated violations can lead to $1.5 million in fines in a single year, not to mention the reputational damage done to an organization and its ability to attract patients.

A recent case, for example, resulted in a $50,000 fine to the provider. In addition, the provider was required to “implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”

HIPAA‐compliant texting

The Joint Commission did not ban all text messaging solutions, however. Instead, it established Administrative Simplification Provisions (AS) that serve as guidelines for developing secure communication systems. Under the AS guidelines, the following four major areas are critical to compliance:

  • Secure data centers—Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessment on an ongoing basis.
  • Encryption—AS stipulates that ePHI must be encrypted both in transit and at rest.
  • Recipient authentication—Any communication containing ePHI must also be delivered only to its intended recipient. A texting solution should allow the sender to know if, when, and to whom a message has been delivered.
  • Audit controls—Any compliant messaging system must also have the ability to create and record an audit trail of all activity that contains ePHI. For a text messaging system, this includes the ability to archive messages and information about them, to retrieve that information quickly, and to monitor the system.

Standard consumer-based messaging systems fail most of these requirements. The data centers are often not designed with the highest levels of physical and data security. Messages can be intercepted and are not encrypted. Recipient authentication is not available and, although messages and delivery details may be stored indefinitely, they are not designed to provide a fully functional audit trail.

Secure text messaging solutions

By using a private, secure texting network, doctors, nurses, and staff can not only send and receive patient information, but also potentially achieve the following goals:

  • Shorten response times
  • Improve the accuracy of decision making by having better information
  • Allow multiple parties involved with clinical decision making to be looped in on the same message
  • Allow for quicker interventions and improve patient outcome
  • Securely communicate lab results, imaging results, patient procedures, and medical histories, allowing the physician to have more information readily available.
  • Speed up on-call notifications
  • Eliminate the hassle of callbacks
  • Integrate with scheduling systems to create automatic notifications of pending events

In today’s increasingly mobile world, technology will undoubtedly continue to be a massive driver of greater efficiency. Physicians are typically eager to embrace and adapt new technologies. Used properly, texting technology has the potential to revolutionize the quality of how health care is delivered to patients.

Standards FAQ Details | Joint Commission

On Friday, the Joint Commission issued a statement saying that physicians and other health care professionals should not use text messages as a way to share patient health information.

The statement said, "It is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other health care setting," adding, "This method provides no ability to verify the identity of the person sending the text, and there is no way to keep the original message as validation of what is entered into the medical record."

http://www.medscape.com/viewarticle/781061_2

nurseprnRN, BSN, RN

1 Article; 5,114 Posts

Potential problem c bed number only-- when people are moved around. Nocturnist might prescribe for 304A not recognizing that this is not really the patient he saw in 304A this morning, and you might not know it either if you came on at 7pm after a few days off.

At last use initials. "JS, pt of Dr AB, 3rd floor South."

(All assuming your system is HIPAA-compliant and secure)

MunoRN, RN

8,058 Posts

Specializes in Critical Care.

I assume you're using some sort of internal messaging system, and not your personal phone. We've always used full patient names in these messages at everywhere that I've worked, which is fine as long as it's a secure system. This is actually far more secure than communicating by phone involving non-secure systems (such as calling a Doc at home on their home phone).

I don't think it's safe to use the patient's room number although that should get caught in the conversation that actually creates the order, it's an unnecessary step to confuse the conversation.

delphine22

306 Posts

Specializes in Quality, Cardiac Stepdown, MICU.

Maybe I need to do more research into the system. It's called My American Messaging and it's a service we subscribe to, it's web based. Looking at their site and the part that I use, it turns out to be a secure, encrypted form of messaging. I've seen doctors receive these messages and while it comes to their personal phone, not a proprietary device, the web site indicates it's probably through a mobile app (not regular SMS).

If all that is true, and it's secure messaging, then the use of PHI should be OK right? I'm emailing our P&P person now to see if they are working on a policy (and if not, they should be).

dudette10, MSN, RN

3,530 Posts

Specializes in Med/Surg, Academics.

I'm not going to comment on the security of the system, but like others, I'm concerned that some believe it is better to use only room number to avoid a HIPAA violation, rather than using the name for pt safety reasons.

We use a secure text paging system on the intranet to hospital-issued pagers. Thank goodness I always use first initial and last name for my text pages because just the other day a resident called me back and said, "You paged me about John Smith in 1302, right? You put the room number as 1502." I float, it was early morning, and the day before, I had been working the 15th floor.

Lesson: If you continue to use this system, please use a patient identifier other than room number!

MunoRN, RN

8,058 Posts

Specializes in Critical Care.
Maybe I need to do more research into the system. It's called My American Messaging and it's a service we subscribe to, it's web based. Looking at their site and the part that I use, it turns out to be a secure, encrypted form of messaging. I've seen doctors receive these messages and while it comes to their personal phone, not a proprietary device, the web site indicates it's probably through a mobile app (not regular SMS).

If all that is true, and it's secure messaging, then the use of PHI should be OK right? I'm emailing our P&P person now to see if they are working on a policy (and if not, they should be).

American Messaging's system, called "Intellimessage" is a secure HIPAA compliant system where PHI can be communicated, that's actually it's whole purpose. When Physicians receive these messages on their personal phone they aren't actually receiving these messages through their service providers system, it comes through an Intellimessage app they load onto their phone which then applies the same security measures as if the message came to a 'in-system' device.

+ Add a Comment