Messaging in the Healthcare Industry
Executive Summary
Messaging is becoming more important in the healthcare
industry for a variety of reasons. The ability to communicate
via email with healthcare providers, payers and patients can
dramatically improve the quality of healthcare, can lower
healthcare costs by reducing administrative overhead and
can improve the overall quality and accuracy of
communications. Further, Osterman Research has found
that the use of email can influence a significant percentage
of patients to switch from one provider to another because
of the convenience that this communication medium
provides. This can result in a significant competitive
advantage to providers that make better use of these
technologies.
That said, messaging for healthcare-related organizations
imposes significant demands on users, their employers and
the vendors that supply their infrastructure. Certain types of
messages must be encrypted in order to satisfy both best
practice and statutory obligations for data confidentiality
and integrity. Further, it is a best practice for healthcare-
related organizations to maintain an easily searchable
archive of messages in order to satisfy the provisions of the
Health Insurance Portability and Accountability Act (HIPAA)
and other requirements, such as to conduct random
searches or reviews of emails sent to patients and others.
Failure to adequately protect confidential information can
result in significant civil or criminal penalties, as well as a loss
of reputation and other problems.
This white paper examines some of the key issues to consider
when evaluating or planning an upgrade of messaging
capabilities in a healthcare-related organization. It also
discusses Microsoft/FrontBridge’s offerings that are focused
on companies that manage healthcare-related information,
including providers of medical services, payers, life sciences
firms and others.
© 2006 Osterman Research, Inc. Page 1
Key Issues in the Healthcare Industry
The use of messaging by healthcare-related organizations
can provide tremendous value to a variety of individuals
and organizations, including hospital staff, physicians, nurses,
payers, benefits administrators and patients. However,
perhaps in no other industry is the need for robust and
secure messaging more critical than in healthcare given the
consequences of poorly executed messaging practices.
Healthcare Requirements for Messaging are Numerous
There are a wide variety of requirements for messaging in
the healthcare industry that impact healthcare providers,
employers, vendors of messaging solutions and others:
• Regulatory requirements
Key among these requirements is the fact that emails
and instant messages must comply with a variety of
regulatory provisions regarding both the security of
transmission for emails, as well as the retention of records
contained within these communications. HIPAA,
discussed later in this paper, focuses on both the
confidentiality and integrity of electronically
transmitted Protected Health Information (ePHI).
• Legal considerations
Perhaps more so than in any other industry, healthcare
information is subject to a variety of legal considerations
because of the enormous potential for misuse of this
data and the damaging impact that it can have for
patients and providers alike. As a result, messaging-
related data must be protected from inappropriate use,
requiring that adequate controls are placed on the
delivery and retention of medical data sent through
email systems.
• Secure/encrypted communications
Related to both the regulatory and legal aspects of
managing email is the critical need to send and receive
encrypted messages. For example, any email that
contains both a personal identifier, such as a Social
Security Number, and a description of a health condition
must be encrypted so that a patient’s ePHI cannot be
intercepted or altered by an unauthorized party.
• Archiving requirements
Archiving is an important requirement for email in the
healthcare industry. For example, HIPAA requires that a
variety of documents, including emails, be kept for six
years. Medicare requires that medical records be
retained for five years as they relate to radiological and
nuclear medicine services, as well as inpatient and
outpatient services, among others. The Medicare
Conditions of Participation requires hospitals to retain
medical records for five years. Medicare and Medicaid
reimbursement to rural health clinics requires that these
clinics maintain medical records for six years, while
psychiatric hospitals must retain a variety of medical
records for five years.
It is important to note that the majority of Covered
Entities1 do not store medical records, per se, in
messaging systems. However, a significant and growing
proportion of these organizations transmit and store ePHI
in messaging systems and this data must be archived.
For example, if ePHI is communicated via email, an
archive and audit trail should be maintained in order to
protect organizations from patients and others altering
these records.
• Outbound content filtering
A key requirement for any Covered Entity is the ability to
manage the content of outbound emails. Because
information like ePHI can be accidentally disclosed quite
easily through email, it is important for organizations to
either block or monitor emails that might violate HIPAA
requirements if sent improperly. For example, a Covered
Entity should have in place a system that can monitor the
content of each outbound email in real time and, if
these emails contain ePHI, automatically encrypt them,
block them or copy them to a HIPAA Privacy/Security
officer. Similar capabilities should be implemented for
other organizations, such as life sciences firms, whose
employees might accidentally or otherwise transmit
intellectual property or other proprietary information
through email.
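The outbound content-filtering policy described above (monitor each outbound message, and if it carries ePHI encrypt it, block it, or copy it to the HIPAA Privacy/Security officer), worked through as an added example. This is not code from the Osterman Research paper or from any Microsoft/FrontBridge product. It assumes a constructed internal domain (example-hospital.test), uses the paper's own trigger from the encryption bullet (a Social Security Number together with a health-condition term, here a small constructed term list), and applies an assumed policy that body-level encryption such as S/MIME leaves the Subject header in the clear, so an identifier in the subject is blocked rather than encrypted. The sample messages are constructed.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Constructed for this example: the organization's own mail domain.
INTERNAL_DOMAIN = "example-hospital.test"

# Personal identifier: a US Social Security Number in 3-2-4 form, skipping
# area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed list of health-condition terms. A production filter would load a
# maintained clinical vocabulary rather than a hard-coded tuple.
CONDITION_TERMS = ("diagnosis", "diabetes", "hypertension", "chemotherapy",
                   "biopsy", "psychiatric")


@dataclass(frozen=True)
class Decision:
    action: str     # ALLOW, ENCRYPT, COPY_TO_OFFICER or BLOCK
    reasons: tuple  # recorded with the message for the audit trail


def find_ephi(text: str) -> dict:
    """Identifier and condition hits found in one piece of text."""
    lower = text.lower()
    return {
        "identifiers": SSN_RE.findall(text),
        "conditions": tuple(t for t in CONDITION_TERMS if t in lower),
    }


def _plain_text(msg) -> str:
    """Concatenate every text/plain part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _external_recipients(msg) -> list:
    """Recipients (To/Cc/Bcc) whose mailbox is outside the organization."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr.lower() for _, addr in getaddresses(raw) if addr]
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]


def evaluate_outbound(raw_message: str) -> Decision:
    """Apply the outbound policy to one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    hits = find_ephi(subject + "\n" + _plain_text(msg))
    # The paper's trigger: a personal identifier together with a health condition.
    if not (hits["identifiers"] and hits["conditions"]):
        return Decision("ALLOW", ("no ePHI pattern found",))
    external = _external_recipients(msg)
    if not external:
        return Decision("COPY_TO_OFFICER",
                        ("ePHI stays inside the organization; audit copy to privacy officer",))
    if SSN_RE.search(subject):
        # Assumed policy: body encryption (S/MIME, OpenPGP) leaves the Subject
        # header in the clear, so an identifier there cannot be fixed by encrypting.
        return Decision("BLOCK", ("identifier in Subject header",
                                  "external recipients: " + ", ".join(external)))
    return Decision("ENCRYPT", ("ePHI in body",
                                "external recipients: " + ", ".join(external)))


# Constructed sample messages for a stand-alone run.
SAMPLE_EXTERNAL = """From: dr.lee@example-hospital.test
To: claims@example-payer.test
Subject: Claim follow-up
Content-Type: text/plain; charset=utf-8

Patient SSN 123-45-6789, diagnosis: hypertension. Please process the claim.
"""
SAMPLE_INTERNAL = """From: dr.lee@example-hospital.test
To: records@example-hospital.test
Cc: Billing Desk <billing@example-hospital.test>
Subject: Chart update
Content-Type: text/plain; charset=utf-8

SSN 123-45-6789, chemotherapy cycle 3 completed.
"""
SAMPLE_SUBJECT = """From: nurse.kim@example-hospital.test
To: referrals@example-specialist.test
Subject: 123-45-6789 diabetes referral
Content-Type: text/plain; charset=utf-8

Please see the attached notes.
"""
SAMPLE_BENIGN = """From: dr.lee@example-hospital.test
To: friend@example-mail.test
Subject: Friday
Content-Type: text/plain; charset=utf-8

Are we still on for the staff lunch on Friday?
"""

if __name__ == "__main__":
    for name, sample in [("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL),
                         ("subject", SAMPLE_SUBJECT), ("benign", SAMPLE_BENIGN)]:
        print(name, evaluate_outbound(sample))
```

The `reasons` tuple is what should land in the archive and audit trail next to the message, since a reviewer later needs to see why a given message was encrypted or held, not only that it was.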
• Finely tunable spam filtering
Providers, insurance carriers, benefits administrators and
others in the healthcare industry send and receive email
content that will trigger most spam filters and generate
an unacceptable level of false positives. For example, it
would not be uncommon for an email message sent
from a physician to an insurance carrier to include the
word ‘breast’, a word that would be far less commonly
used in most other industries. Consequently, spam
filtering systems used for healthcare providers must be
finely tunable to allow certain words to pass through
without generating false positives. Further, these filters
must be tunable so that certain individuals or functions
are allowed to send and receive content that contains
these words, while other functions in healthcare
organizations not related to patient care can have these
words filtered out.
1 A ‘Covered Entity’ is any organization subject to HIPAA requirements.
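The per-function tuning this bullet calls for, as an added example that is not from the paper or from any filtering product: a naive weighted-term score (constructed weights and threshold) with an exemption set per organizational function, so the same clinical note is delivered to an oncology mailbox but still scored for a payroll mailbox, while an actual unsolicited message is caught even where one of its terms is exempt for the recipient. The mailbox-to-function mapping and the sample texts are constructed.

```python
from dataclasses import dataclass

# Constructed term weights and threshold for a naive scoring filter. Real
# filters combine many more signals; only the tuning mechanism matters here.
SPAM_TERM_WEIGHTS = {
    "breast": 2.0,
    "enlargement": 2.5,
    "prescription": 1.5,
    "free": 1.0,
    "click here": 2.0,
}
SPAM_THRESHOLD = 3.0

# Terms each organizational function may legitimately exchange. Functions not
# listed here (administration, payroll, ...) get no exemptions.
FUNCTION_EXEMPTIONS = {
    "oncology": {"breast", "prescription"},
    "radiology": {"breast"},
}

# Constructed mapping from mailbox to function (stands in for a directory lookup).
MAILBOX_FUNCTION = {
    "oncology-clinic@example-hospital.test": "oncology",
    "payroll@example-hospital.test": "payroll",
}


@dataclass(frozen=True)
class Verdict:
    deliver: bool
    score: float
    scored_terms: tuple    # terms that counted toward the score
    exempted_terms: tuple  # terms present but waived for this function


def score_message(text: str, function: str) -> Verdict:
    """Score one message body against the term weights, applying only the
    exemptions that belong to the recipient's function."""
    lower = text.lower()
    exempt = FUNCTION_EXEMPTIONS.get(function, set())
    score, scored, exempted = 0.0, [], []
    for term, weight in SPAM_TERM_WEIGHTS.items():
        if term not in lower:
            continue
        if term in exempt:
            exempted.append(term)
        else:
            score += weight
            scored.append(term)
    return Verdict(score < SPAM_THRESHOLD, score, tuple(scored), tuple(exempted))


def classify_for_mailbox(recipient: str, text: str) -> Verdict:
    """Look up the recipient's function and score the message for it."""
    function = MAILBOX_FUNCTION.get(recipient.lower(), "unassigned")
    return score_message(text, function)


# Constructed sample texts for a stand-alone run.
CLINICAL_NOTE = "Mammogram result: breast imaging normal. Prescription renewed for 90 days."
UNSOLICITED = "FREE breast enlargement pills - click here today!"

if __name__ == "__main__":
    for mailbox in MAILBOX_FUNCTION:
        for text in (CLINICAL_NOTE, UNSOLICITED):
            print(mailbox, classify_for_mailbox(mailbox, text))
```

Keeping the exemptions per function rather than per term keeps the filter's global rules intact: waiving ‘breast’ for oncology does not waive it for payroll, and the other terms in an unsolicited message still push it over the threshold for every mailbox.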
A Variety of Industries are Impacted
The ‘healthcare industry’, at least in the context of
messaging issues, includes a large number of organizations
and a variety of industries. For example, messaging issues in
the context of healthcare focus not only on medical care
providers like hospitals, clinics and physicians’ offices, but
also on insurance companies, benefits administrators,
government agencies, universities and employers of all
types. As a result, virtually all entities should consider the
healthcare-related regulatory and legal issues
associated with messaging, since most
organizations will at one time or another send or receive
medical information that may be covered by a statute like
HIPAA or that may otherwise need to be encrypted,
archived or managed according to a legal requirement or
best practice.
Key Considerations When Using Messaging
HIPAA
One of the most important and far-reaching US federal
government requirements focused on healthcare is HIPAA.
This requirement addresses a number of different areas and
one of its primary goals is to reduce the administrative costs
and other burdens in the healthcare industry, as well as the
costs of programs like Medicare. However, the result for
many organizations has actually been an increase in the
regulatory burden and bureaucracy associated with
providing and managing healthcare.
The US Congress included provisions in HIPAA that specify
the use of standard electronic formats for the transmission,
processing and exchange of administrative and financial
data regarding healthcare transactions. Further, HIPAA
established standard electronic data interchange formats
for transactions and records like health plan premium
payments, benefit enrollment forms, medical claims and
medical reimbursements. HIPAA also establishes standard
code sets for medical diagnoses and procedures as they
are coded for claims and billing.
HIPAA also created requirements around the privacy and
security of PHI. The HIPAA Privacy Rule focuses on
maintaining the confidentiality of PHI, among other
provisions. The HIPAA Security Rule is designed, among other
things, to ensure that Covered Entities take measures to
ensure the confidentiality, integrity and availability of ePHI
during transmission and storage.
The Impact of HIPAA on Messaging
HIPAA has two important implications for messaging. First,
messages that contain PHI must be encrypted so that the
confidentiality, integrity and availability of ePHI are
maintained. As mentioned earlier, this means, for example,
that an email that contains PHI, in order to be compliant
with the requirements of HIPAA, must be encrypted if it is to
be sent outside an organization. Second, it is an important
best practice for Covered Entities to retain emails in a readily
accessible archive if they contain PHI or other records.
Every Covered Entity must ask itself two key questions
regarding the use of email sent outside of its network:
1. Is it acceptable to send a particular email that contains
PHI according to HIPAA Privacy regulations?
2. If the answer to the above question is ‘Yes’, did we take
the steps necessary to ensure the confidentiality, integrity
and availability of this data during transit, such as
encrypting the information?
Requirements for the Use of Messaging in Healthcare
There are a variety of requirements for the use of messaging
in healthcare-related organizations and in those
organizations that deal with healthcare-related information:
• Encryption
PHI is among the most sensitive types of data that can be
sent through email or instant messages. As a result, best
practice, as well as statutory requirements like HIPAA,
require that certain types of information be encrypted in
order to protect the confidentiality of this data. It is also
important as a best practice that archived data be
protected from tampering or violation of confidentiality.
• Disaster recovery
Organizations that maintain ePHI must implement a
disaster recovery plan to protect this data and should
include as a key component of this plan the protection
of email systems and their associated message stores.
• Solutions must be easy to use
One of the fundamental requirements for the use of any
messaging system in the context of healthcare is that it
must be easy to use. The tunability of spam filters, the
encryption and decryption of messages, and other
capabilities must be easy to set up and maintain given
that messaging infrastructures will often be managed by
small organizations without dedicated IT staff, such as
physicians’ offices or small businesses.
• Messaging must be reliable
Messaging capabilities used in the healthcare field must
be reliable given the time sensitivity of much of the
communications in this field and the inability to tolerate
delayed message delivery times, an unacceptable level
of false positives, and so forth.
• Flexible deployment capabilities
The healthcare field includes a wide variety of
organizations, from large hospitals and insurance
companies with large IT staffs that can easily manage
internal messaging systems, down to individual
physicians’ offices with a staff of only a few people and
no dedicated IT resources. As a result, these
organizations need flexible deployment options,
including the ability to use software-based messaging
systems, appliances and managed service offerings,
often within the same organization.
• Long-term archiving
Archiving is a critical requirement for a significant
proportion of the data sent and received by
organizations even peripherally related to healthcare.
For example, healthcare providers, such as hospitals,
must retain medical records under various laws and
regulations – for five years in some cases, for six years in
others, for two years after a patient’s death, for the life of
the patient, etc. Some of these records are subject to
HIPAA privacy rules and so archives that contain PHI
must be maintained in such a way that the integrity of
the data is preserved.
About Microsoft Exchange Hosted Services
Microsoft Exchange Hosted Services offer a cost-effective
way for enterprises to actively ensure the security and
availability of their messaging environment, while instilling
confidence that their messaging processes satisfy internal
policy and regulatory compliance requirements. A seamless
extension of Microsoft Exchange that operates over the
Internet as a service, the complete set of services includes
hosted filtering for spam and virus protection; hosted
archiving to satisfy compliance requirements and internal
policies; hosted encryption to preserve e-mail confidentiality;
and hosted continuity for ongoing access to messaging
systems during and after disasters. Microsoft Exchange
Hosted Services provide value to corporate customers by
eliminating upfront capital investment, freeing up IT
resources, and removing incoming e-mail threats before
they reach the corporate firewall. For more information, visit
http://www.microsoft.com/exchange/services
© 2006 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form
by any means, nor may it be distributed without the
permission of Osterman Research, Inc., nor may it be resold
by any entity other than Osterman Research, Inc., without
prior written authorization of Osterman Research, Inc.
THIS DOCUMENT IS PROVIDED “AS IS”. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.