It's a frustration I'm sure everyone has experienced: you have a medical question. You want to follow the advice in those pharmaceutical commercials and "ask your doctor," but the next clinic appointment is three months away and it seems silly (and expensive) to schedule an appointment just to ask a simple questionShow full article

Hide full article

It's a frustration I'm sure everyone has experienced: you have a medical question. You want to follow the advice in those pharmaceutical commercials and "ask your doctor," but the next clinic appointment is three months away and it seems silly (and expensive) to schedule an appointment just to ask a simple question. You try calling, but you end up on hold, or talking to a receptionist, or maybe you even get your doctor's voice mail but you have trouble explaining the problem to a recording.

Wouldn't it be great if you could just email your physician? You could compose your thoughts carefully and at leisure, then send the correspondence immediately without listening to hold music or explaining personal problems to a secretary or a recording machine. Using email to communicate with our doctors mirrors the vision many of us have of using information technology to recapture some of the personal experience that mass-market commercialization has taken away.

The Doctors' Side -- Using email is a tempting proposition for the physician as well. Patients might be surprised at the conditions under which many doctors practice in our high-pressure, managed care world. For example, you might think your doctor has a plush office with a large desk, telephone, computer, and a clerical staff to handle filing, correspondence, and the like. Reality can be far different. My family practice clinic - at a prestigious university medical center - has a single large workroom (euphemistically called the "doctor's lounge") that serves as an office for nearly the entire practice. About forty doctors share three telephones and four small desks (no drawers, lockers, or other space for personal files or supplies). We have no clerical staff - I personally handle every phone call, letter, prescription refill, fax, or government form for my patients. There are a few Windows 95 computers in the lounge, but they are maintained by the university's Information Services Department and have a downtime approaching an astonishing 80 percent. Worse, all medical records are kept on paper in a central warehouse. Reviewing a record requires that you request that it be delivered to the clinic, where it often gets lost long before it finds you in the crowded workroom.

Time is another constraint. Our salaries are based on a forty hour workweek, but to meet minimum productivity requirements and other mandatory commitments while providing a decent level of patient care often requires over seventy hours per week. Our schedules have no time allotted for "non-reimbursed patient contact," which generally means answering telephone calls.

Physicians in the clinic use various strategies to cope with these primitive conditions. The most common is to limit patient contact to a scheduled office visit, when records are available and some time (often ten minutes or so) is specifically allocated for patient contact. This approach ensures some resources are available, but I feel as though it places a burden on patients, who cannot even ask "Should I take this daily medication in the morning or at night?" without scheduling a visit, waiting weeks their appointment, waiting hours in the germ-infested waiting room, and handling the costs of parking and a copayment.

Several of us have tried addressing these shortcomings with handheld computers. I was an early adopter of Newton technology, and migrated to Psion machines running the EPOC operating system when Apple killed the Newton.

<http://db.tidbits.com/article/04735>
<http://db.tidbits.com/article/04760>
<http://www.risley.net/comp.comm/newton/ dayinthelife.html>
<http://www.risley.net/psion/>

With a computer in my pocket, I could have some basic information about my patients with me at all times. I could log voice mail and calls so I have a record of what was said, and I could receive and send email practically anyplace using my Psion and GSM mobile phone (except, as luck would have it, from the family practice clinic, which has very poor GSM reception).

The Benefits of Email -- If all my patients would communicate by email, I could handle much of my patient correspondence from my home office. I could quickly triage messages and concentrate on the more urgent ones, as opposed to voice mail where I might waste an entire break listening to a few messages (more likely than not, long-winded administrative ones) without leaving time to return calls. I cannot return calls from home because it is generally late by the time I get there, and it is disruptive to my family for me to carry on medical and psychiatric conversations at home. Returning calls from work is difficult, as there is no place to sit and speak privately.

Even more important, email gives me a written record of exactly what a patient told me and what steps I took in reply. I can refer back to that at a later date if we're trying to figure out when a symptom first occurred and whether it's worsening or improving. The patient, too, benefits from written instructions that can be referred to, and has an open pipeline for clarification if my instructions aren't clear.

It sounds great, and it can work well, but there are some characteristics of email which might not be obvious to the average patient and which deserve some extra attention.

Privacy -- Medical records privacy is far, far more important than the average person realizes. It didn't take long after I started medical practice for me to become profoundly uncomfortable with the cavalier way both providers and patients treat private medical information. When most people are sick, they just want to get better. They aren't fully aware of how their treatment records might, on some future day, affect their ability to hold certain jobs, obtain insurance, get credit, or even drive a car.

As health care institutions slowly and reluctantly move away from 19th century style record keeping, privacy advocates have raised the banner of medical privacy to delay the implementation of physician support systems that could improve the quality of care. Never mind that no such hue and cry was heard when billing systems - with equally privileged medical information - were automated back in the last century. Now that technology is being proposed for the benefit of the patient instead of the billing office, extreme caution is being urged.

And it's about time. As frustrating as it is to have to tolerate a double standard - electronic record keeping systems are being held to much stricter controls than paper-based records ever have been - the recent attention to privacy is a good thing. Medical records have become largely the property of insurers, billers, and attorneys instead of a tool maintained by and for the patient to assist the doctor in rendering care. If we truly restore privacy to the records, they will necessarily revert to that latter, more important role.

So what constitutes a private record? Most people are comfortable with the privacy of a telephone call. That's pretty reasonable. Wiretaps exist, legal and otherwise, but phone calls - even digitally switched as they all are now - are ephemeral. Someone pretty much has to operate the tap in real time, and pretty much has to have a human being doing the listening (or reviewing the recording). We have a long tradition, in the United States at least, of not randomly monitoring telephone conversations on a large scale. Unless you're a terrorist, organized criminal, or large-scale street drug importer, chances are your telephone calls aren't monitored.

Next on the list is the fax. Medical records are routinely faxed around the country, from doctors' offices to insurers to government agencies to hospitals and back. The fax has become, far and away, the most common mode of transport for medical information. Though faxes are carried on standard telephone lines, they are less secure than phone conversations. First, it is relatively easy to monitor telephone lines for fax (and modem) signals and record the results. Also, if someone dials a single digit incorrectly, your fax could appear on any random fax machine in the country; this happens on my personal fax machine with amusing frequency. Most importantly, fax machines at the receiving end often dump your private records into a wire basket or onto the floor where they are picked up and (if we're lucky) filed by a clerk with virtually no incentive to keep the information private. Even the building maintenance crew has probably seen your faxed medical records at one time or another.

Opposing editorials in the Psychiatric News a few years back debated the question of email confidentiality (psychiatrists are notoriously picky about confidentiality, such that it is common practice to keep two sets of books: a simple record of visits and treatments for the bean counters and attorneys, and a set of private process notes detailing what patients actually say in therapy). One position was that email was as private as a telephone call. The other was that one might as well publish one's correspondence in the New York Times. As much as I wanted to believe the former position, my experience as a data security consultant forced me to embrace the latter reluctantly. Email is carried by organizations which lack the regulatory and historical incentives to ensure privacy. Email, because of its electronic nature, is very easy to monitor and can be recorded and preserved indefinitely at a very low cost. Unlike either telephone calls or faxes, email is recorded by your ISP (and possibly others) while in transit and awaiting retrieval. That recorded data often makes its way onto backup media where it might be indefinitely archived. In other words, even if no one has any interest in your records now, they could conceivably go digging through archive tapes from AOL or EarthLink ten years from now and find private information.

Another factor in email privacy is that using email seems to create an illusion of privacy. Studies have shown patients are much more willing to divulge information when corresponding by email than when writing a letter or leaving a telephone message. Under current guidelines, though, email correspondence with your physician may become a part of the medical record. Even if email were perfectly private, the result is still only as secure as current medical records. Not reassuring.

What's a Patient to Do? Caveats aside, the benefits of email for most patients will still outweigh the risks. If your doctor is willing to communicate by email, make sure you both have a basic understanding of the limits of confidentiality of email. Doctors who use email should have written policies available for patients to review.

First, don't send your doctor an email message saying "I have crushing chest, arm, and jaw pain and I'm short of breath; I've taken six nitroglycerine pills and it hasn't gone away, it feels just like my last heart attack; should I call 9-1-1?" Make sure you understand how long it might be before you get a response. If it's important enough that you're worried about response time, consider a more immediate mode of communication. Remember, too, that email can get lost or routed incorrectly in both directions.

Second, put some care into composing your message. As we all know, too often email is overly brief, confusing, or missing relevant details. Don't assume that your doctor will automatically know what you're talking about just because you've been dealing with the pain or illness for a few days. Clarity of communication is paramount if your doctor is to provide a useful response.

Third, the $26 your insurance company paid for your office visit two years ago does not entitle you to a lifetime of free Internet medical advice. Simple questions with uncomplicated consequences are okay, but don't expect your doctor to retrieve your records, call the Center for Disease Control and your insurance company, and read half a dozen journal articles just to assuage you and your friends' medical curiosity. If you ask a question and your doctor tells you to come in rather than answering in depth, consider that it might just be a way of making sure that you get appropriate attention paid to your problem.

In the next installment, we will explore policy and regulations affecting use of doctor-patient email, and discuss some practical strategies doctors and patients can use for improving the privacy of electronic correspondence.

[Ron Risley is a family doctor, psychiatrist, former communications engineer, and inveterate hacker plying his trades in Sacramento, California.]

Hide full article

Pear Note 2: More complete, understandable notes on your Mac.
Typed notes are blended with recorded audio, video, and slides
to create notes that make more sense when you need them most.
Learn more at <http://www.usefulfruit.com/tb>!

In a previous article, I presented some of the reasons why doctors and patients would both benefit from more widespread use of email, along with some of the problems inherent in doing soShow full article

Hide full article

In a previous article, I presented some of the reasons why doctors and patients would both benefit from more widespread use of email, along with some of the problems inherent in doing so. This week I will cover some steps that doctors and patients can take to ensure safety and minimize the risk of miscommunication when corresponding via email.

<http://db.tidbits.com/article/06392>

What's Being Done? Some brief guidelines from the American Medical Association and a more detailed analysis by the Massachusetts Health Data Consortium have begun to address some of the issues inherent in doctor-patient email communication. By understanding and following these guidelines, physicians and patients can use email effectively while appreciating some of its limitations.

<http://www.ama-assn.org/ama/pub/category/ 2386.html>
<http://www.mahealthdata.org/mhdc/mhdc2.nsf/ e214ac63ff65c87e852564580073a9fd/ 4a7c6d398962159785256759006a1113? OpenDocument>

In addition, Federal regulations known as HIPAA (the Health Information Portability and Accessibility Act) will likely put significant constraints on medical use of email in the near future. HIPAA will probably require patients to sign a written agreement to waive confidentiality before a physician can communicate any part of a patient's record by electronic means without using strong encryption. Although the new attention to privacy is welcome, the regulations could also become a barrier to using email to improve patient-doctor and doctor-doctor communications, while making it far easier for institutions like insurers, government agencies, and employers to access and share the same data.

<http://aspe.os.dhhs.gov/admnsimp/>

Personal Encryption -- One solution to email privacy issues is personal encryption. PGP (Pretty Good Privacy) is a venerable suite of public-key programs which can secure email communications channels. It is available free of charge for personal use on Mac OS 8 and 9, various flavors of Windows, and Unix/Linux platforms; commercial versions are offered by Network Associates. Freeware open-source versions are also available. PGP distributions are limited to the United States and Canada because of restrictions on the export of strong cryptography. There is an international version, PGPi, distributed outside the U.S., as well as a fully compatible Gnu public licensed counterpart, Gnu Privacy Guard (GPG or GnuPG) that has been ported to Mac OS X.

<http://www.pgp.com/>
<http://web.mit.edu/network/pgp.html>
<http://www.pgpi.org/>
<http://www.gnupg.org/>

The problem with PGP is that it requires both the sender and recipient to install and comprehend PGP or compatible software, generate keys, and reliably distribute their public keys. Key management and distribution can be a pain. Though recent versions of PGP have come a long way in improving their usability (and are well integrated with a number of modern email clients), PGP is still a long way from being user friendly. Two of my patients have actually gone to the trouble to install it and use it, but they are a distinct minority.

<http://db.tidbits.com/getbits.acgi?tlkthrd=1044>

The Guerilla Factor -- While institutions drag their administrative feet getting patient care systems running, and government agencies struggle to create byzantine regulations, the Internet, as usual, surges ahead. Instead of fostering instant communication of private personal information between insurers and institutions, the Internet just might make it possible for patients and their physicians to take back ownership of their personal information.

Regular TidBITS readers might recall I was bitten by the server bug a couple of years ago, and set up my own corner of the Internet using a broken PowerBook 5300cs. One of the advantages I saw at the time was that, by hosting my own server, I could at least ensure that email sent to me by patients didn't sit on a commercial server until I picked it up.

<http://db.tidbits.com/article/05995>

I have since recycled a number of old Macs, and my junkyard server farm has grown to six machines. Although most run the Mac OS, I decided that security and privacy issues with medical communication could only effectively be handled using Secure Sockets Layer (SSL), the technology behind secure Web commerce sites. I am on an impossibly tight budget, and there are no free or low-cost SSL servers for the Mac OS (although that is changing with the release of Mac OS X, it requires an expensive machine). So I loaded LinuxPPC on an old Power Mac 7200 and installed Apache-SSL (a process that, despite my experience as a Unix system administrator in the 1980s, revived my respect for the ease-of-use of the Mac OS). I had to fork over $125 to Thawte for a secure server certificate (more than the cost of a complete 7200 from TidBITS sponsor Small Dog Electronics!), but the Guerilla Physician Project now has a secure server.

<http://home.netscape.com/security/techbriefs/ ssl.html?cp=sciln>
<http://www.linuxppc.org/>
<http://www.apache-ssl.org/>
<http://www.thawte.com/>
<http://www.smalldog.com/>
<http://www.guerillaphysician.com/>

What is the Guerilla Physician Project doing? Confidentiality is extremely important in the treatment of Huntington's Disease, an inherited genetic disorder, as it is possible to test as genetically positive yet have no symptoms. Someone who might not develop any problems for decades will nonetheless find themselves unemployable and uninsurable, yet testing can be valuable both in helping patients plan their futures and in preparing for early intervention when problems develop. I have set up an electronic communications network for the Huntington's Disease treatment team here. Since the team is a multidisciplinary group involving state and county agencies as well as the university, it would have taken years to get all their IS people together to design and approve a system for secure communication.

Instead, I was able to bring the system online in a few weeks using the Guerilla Physician server, along with open source bulletin board and chat software, and a lot of sweat equity - but with no budget requirements whatsoever. Users of the system need nothing more than an SSL-equipped Web browser, which means they don't have to load any special software onto machines whose program suites are often tightly controlled. Unlike commercial or corporate systems, the data is never in the hands of anyone who is not a licensed health care provider on the treatment team.

<http://www.hdteam.org/>

The Guerilla Physician is expanding, with new projects to help integrate mental health care in the diverse reaches of rural California. I am also coding a Web-based email system that will enable patients and physicians to communicate using PGP encryption without going through the difficult and sometimes tricky process of installing and using PGP on their own computers. Once this is in place, the potential for a truly private and secure distributed electronic medical record - shared only between patients and their physicians, will be a step closer to reality.

<http://www.risley.net/comp.comm/emr/>

The Future -- The recent release of Mac OS X and the proliferation of broadband Net access might well lower the threshold enough that more doctors will be able to host services like the Guerilla Physician. Medicine is an odd pursuit, in that it can combine the most intimate of personal interactions with some of the world's largest and most impersonal institutions. My hope is that the distributed power of the Internet will be used to restore privacy instead of compromising it.

[Ron Risley is a family doctor, psychiatrist, former communications engineer, and inveterate hacker plying his trades in Sacramento, California.]

Hide full article

READERS LIKE YOU! Support TidBITS with a contribution today!
<http://www.tidbits.com/about/support/contributors.html>
Special thanks this week to John & Nichola Collins, Chris Williams,
John K. Lilley, and Honeymoons By Sunset for their generous support!