
Thread: Drug Prices

  1. #46
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,463
    Quote Originally Posted by Steve Demuth View Post
    HIPAA does not prohibit use of email for medical information. It requires some controls on emails that doctors (or other covered entities) send via email, and many medical institutions look at those controls and decide it's easier to tell everyone email isn't a permitted channel for medication communication, rather than actually doing the work of setting things up right. But even then, nothing in HIPAA prevents a patient from using email to send their information to a provider.
    For providers using Mychart (Pretty much everyone local uses it.) it is normal to send an email stating there is a message in your Mychart instead of sending the actual information via email.

  2. #47
    Join Date
    Mar 2014
    Location
    Iowa USA
    Posts
    4,485
    I used the Medicare site and switched from Cigna to MedicareBlue Rx Select PDP from 2023 price $52 at Cigna to $17.50 per month.
    Retired Guy- Central Iowa.HVAC/R , Cloudray Galvo Fiber , -Windows 10

  3. #48
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,246
    Yes. Epic (the company that built the medical records system for which MyChart is the patient portal) chose to do it that way, because it's the lowest common denominator for how to meet the requirements for use of email for communication from doctors and laboratories to patients. By sending such an email, they provide a reasonably convenient way for people to get communications, without running very far afoul of HIPAA. To someone who wanted to make trouble, those emails could in many cases be HIPAA violations. For example, if XYZ Cancer Center, identifiable by their email address, sends a notification that my new test results are ready to my email through unencrypted SMTP, that message conveys the fact that I am a patient at XYZ to every mail forwarder between their email server and my inbox - often including, e.g., my ISP. The fact that I am a patient at a particular specialty center is protected health information under HIPAA, and the message contains a HIPAA identifier (my email address), so voila ... HIPAA violation.

    I'm reasonably certain, however, that nobody wants to make MyChart even less user friendly than it already is, by eliminating these notifications.

    Every health care institution I know tells people not to put sensitive health details in emails to doctors or nurses, often intimating that this is because of HIPAA. This is nonsense. Communications from the patient to the doctor are not HIPAA violations - you can stand in the town square and shout your symptoms to your doctor across the street if you want. HIPAA doesn't care. But institutions don't want information to come via email, because 1) it is rarely the most convenient way for a doctor to get information (things you put in MyChart get a defined place in physicians' workflow; email probably not so much), and 2) if the doctor replies via email, and the email channel carrying the reply doesn't meet all the requirements for HIPAA-allowed email, then the doctor's institution has committed a HIPAA violation.

  4. #49
    Join Date
    Jun 2012
    Location
    New Westminster BC
    Posts
    3,019
    Quote Originally Posted by Steve Demuth View Post
    Yes. Epic (the company that built the medical records system for which MyChart is the patient portal) chose to do it that way, because it's the lowest common denominator for how to meet the requirements for use of email for communication from doctors and laboratories to patients. By sending such an email, they provide a reasonably convenient way for people to get communications, without running very far afoul of HIPAA. To someone who wanted to make trouble, those emails could in many cases be HIPAA violations. For example, if XYZ Cancer Center, identifiable by their email address, sends a notification that my new test results are ready to my email through unencrypted SMTP, that message conveys the fact that I am a patient at XYZ to every mail forwarder between their email server and my inbox - often including, e.g., my ISP. The fact that I am a patient at a particular specialty center is protected health information under HIPAA, and the message contains a HIPAA identifier (my email address), so voila ... HIPAA violation.

    I'm reasonably certain, however, that nobody wants to make MyChart even less user friendly than it already is, by eliminating these notifications.

    Every health care institution I know tells people not to put sensitive health details in emails to doctors or nurses, often intimating that this is because of HIPAA. This is nonsense. Communications from the patient to the doctor are not HIPAA violations - you can stand in the town square and shout your symptoms to your doctor across the street if you want. HIPAA doesn't care. But institutions don't want information to come via email, because 1) it is rarely the most convenient way for a doctor to get information (things you put in MyChart get a defined place in physicians' workflow; email probably not so much), and 2) if the doctor replies via email, and the email channel carrying the reply doesn't meet all the requirements for HIPAA-allowed email, then the doctor's institution has committed a HIPAA violation.
    Seems to me all you would need to do is give the clinic an email address that your ISP or anyone else doesn't have like patient123@gmail.com. Any reason that wouldn't work?

  5. #50
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,246
    Quote Originally Posted by Doug Garson View Post
    Seems to me all you would need to do is give the clinic an email address that your ISP or anyone else doesn't have like patient123@gmail.com. Any reason that wouldn't work?
    The contents of an email are readable by any organization handling the mail from the application that sends the mail (say Epic, running on a clinic's servers) up to and including the mail server that services your email, unless both the sending and receiving ends are properly configured to encrypt the transmission. So, for example, if my wife's doctor at Mayo Clinic were to send her an email with protected information to her email account on gmail.com, there are (when I last checked) 13 routers belonging to 5 different corporate entities that handle the mail. Under HIPAA rules, those corporations are considered to have received the content of the email, since they can read it. Configuring mail servers to use encrypted transmission is a pairwise problem - you can't just set a switch that says encrypt outgoing mail; you have to have an encryption agreement between your server and any you want to send the encrypted email to. That would obviously be extremely onerous for most clinics, so it is only done for certain circumstances.

    But even if you do that, the receiving mail domain can read the mail (Google, or gmail, in my example). So they are a recipient of the protected information and you've still got a HIPAA violation. You have to encrypt the contents of the email with encryption agreed between the actual recipient (not their mail host) and the sender. Almost no one does this.

    This is all because the mail protocol on the internet was never intended to protect information - its inventors trusted the ISPs, network providers and hosting organizations to respect the privacy of email, and didn't try to build a secure or private model. And, to be fair, with mail hosting services like ISPs and Google as the actual destination for messages, with the intended recipient only viewing them using services provided and managed by the hosts, it's not an easy problem to solve. The tech exists today to do it, but it would require significant changes in the way email works.
    Last edited by Steve Demuth; 10-18-2022 at 8:07 PM.

  6. #51
    Join Date
    Jun 2012
    Location
    New Westminster BC
    Posts
    3,019
    Steve, what if all the email says is "you have a message, sign in to your secure account to read it"? No links, no confidential information. Since your email address is basically anonymous anyone reading the email would only know someone has a message from the clinic but not who or what the message says.

  7. #52
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,246
    Quote Originally Posted by Doug Garson View Post
    Steve, what if all the email says is "you have a message, sign in to your secure account to read it"? No links, no confidential information. Since your email address is basically anonymous anyone reading the email would only know someone has a message from the clinic but not who or what the message says.
    It's an interesting question. I think the health care business, both providers and tech companies, with no objection from HHS OCR (the Federal organization that enforces the HIPAA privacy rule) has collectively decided that what you describe is acceptable, whatever the regulations may actually say. What you describe is essentially what Epic MyChart sends by default (the links don't make a difference one way or the other, since every email identifies its sender and recipient, and those are the things that make it identifiable - whether or not you imagine your email to be inscrutable, it is one of the named identifiers in the HIPAA rule, and so legally identifies you). I could make a case that such an email is in fact Protected Health Information, but the public would scream loudly if someone were to actually prohibit such notifications, and the fact that nobody has been busted pretty much means it's ok. HHS OCR is not reticent about busting orgs that violate HIPAA, and letting the world know.

  8. #53
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,576
    Quote Originally Posted by Steve Demuth View Post
    ..................................
    This is all because the mail protocol on the internet was never intended to protect information - its inventors trusted the ISPs, network providers and hosting organizations to respect the privacy of email, and didn't try to build a secure or private model. And, to be fair, with mail hosting services like ISPs and Google as the actual destination for messages, with the intended recipient only viewing them using services provided and managed by the hosts, it's not an easy problem to solve. The tech exists today to do it, but it would require significant changes in the way email works.
    Recent versions of Thunderbird make it pretty easy to set up PGP encryption. The problem of course is that every email provider, including web mail providers, would have to provide easy-to-setup PGP (Pretty Good Privacy) or something like it that the entire industry agrees on. I think there's a demand for encrypted email just as there is/was a demand for secure internet connections. I imagine getting every email provider to agree on its implementation would make herding cats seem trivial.
    Last edited by Curt Harms; 10-19-2022 at 10:17 AM.

  9. #54
    They could send out the information using Whatsapp. Whatsapp encrypts end-to-end. Of course, both the sender and receiver have to use Whatsapp.

    In encryption, the problem is usually getting the encryption key from the sender to the receiver. There are ways to do that, for example https negotiates a key between the sender and receiver, so it would be possible to do end-to-end secure mail on a web browser using https.

    Mike

    [And thanks to Steve Demuth for the very interesting discussion of the problems of communications in HIPAA.]
    Last edited by Mike Henderson; 10-19-2022 at 2:33 PM.
    Go into the world and do well. But more importantly, go into the world and do good.

  10. #55
    Join Date
    Sep 2016
    Location
    Modesto, CA, USA
    Posts
    10,011
    I wonder how the lawyers get around HIPAA for insurance fraud from whiplash and doctors who treat the phony injuries?

  11. #56
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,246
    Quote Originally Posted by Mike Henderson View Post
    In encryption, the problem is usually getting the encryption key from the sender to the receiver. There are ways to do that, for example https negotiates a key between the sender and receiver, so it would be possible to do end-to-end secure mail on a web browser using https.
    It's actually rather challenging, although clearly not impossible. The challenge comes from the fact that because email delivery is a send-store-retrieve, rather than a simple send-receive, the mail host (gmail.com, e.g.) is always a "man in the middle" between the sender and the intended recipient. You can easily enough set up encryption between the sending server and the mail host server, but the email only goes as far as the mail host server, where it lands and is stored. So the mail host ends up with an unencrypted copy of the message. You can't do end-to-end (sender to recipient) key exchange, because the recipient is generally not reachable when the mail is sent, so they can't negotiate the key pair. Most email recipients don't even have a publicly accessible IP address, as they are behind NAT, so you can't even try to reach them.
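    The store-and-forward problem described in posts #50, #53 and #56, as an added Python illustration that is not code from this thread or from any of its participants. It walks a constructed notification through a constructed relay chain and records which hops end up holding readable plaintext, first with nothing beyond hop-by-hop transport protection and then with the body encrypted to a key the recipient published in advance (the PGP-style answer to "the recipient isn't reachable when the mail is sent"). The Diffie-Hellman group, the HMAC keystream, the hostnames, the addresses and the message body are all toy stand-ins chosen so it runs with the standard library only; none of it is secure cryptography and none of it is anything the thread names.

```python
"""Toy store-and-forward mail path: who can read the message at each hop.

Added illustration, not code from the thread. Hostnames, headers and the
message body are constructed. The public-key part is a deliberately small
Diffie-Hellman group with an HMAC keystream, which is NOT a secure cipher;
it only stands in for PGP/X25519-style hybrid encryption so the example runs
with the standard library.
"""
import hashlib
import hmac
import secrets

# Toy DH parameters: the Mersenne prime 2**127 - 1 and a fixed base. Real systems
# use X25519 or RFC 3526 groups; this size only keeps the arithmetic instant.
P = (1 << 127) - 1
G = 5

# Constructed relay chain standing in for the "13 routers, 5 entities" remark.
PATH = ["clinic-mta.example", "isp-relay.example", "mailhost.example"]


def make_keypair():
    """Recipient generates a long-term keypair once and publishes the public half
    (the PGP key-server idea). That published key is what lets a sender encrypt
    while the recipient is offline or behind NAT: no live key negotiation needed."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _derive_key(shared):
    # shared < P < 2**128, so it always fits in 16 bytes
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, n):
    """Toy keystream: HMAC-SHA256 in counter mode. A real design uses an AEAD."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_for(recipient_pub, body):
    """Sender side: ephemeral DH against the published key, then encrypt-and-MAC."""
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    key = _derive_key(pow(recipient_pub, eph_priv, P))
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def decrypt(recipient_priv, env):
    """Recipient side, any time later: recompute the shared secret, check the tag first."""
    key = _derive_key(pow(env["eph_pub"], recipient_priv, P))
    expected = hmac.new(key, env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("MAC mismatch: message altered or wrong key")
    return bytes(a ^ b for a, b in zip(env["ct"], _keystream(key, len(env["ct"]))))


def deliver(headers, body, path, recipient_pub=None):
    """Walk the message hop by hop and record what each hop stores.

    Hop-by-hop TLS (the pairwise server agreements discussed in the thread) only
    protects the wire between two servers; each server still stores the message,
    so without end-to-end encryption every hop, including the final mail host,
    holds readable plaintext. With end-to-end encryption the body is opaque to
    all of them, but sender and recipient addresses stay visible regardless.
    """
    env = encrypt_for(recipient_pub, body) if recipient_pub is not None else None
    stored_body = env["ct"] if env else body
    views = []
    for hop in path:
        views.append({
            "hop": hop,
            "sees_addresses": (headers["From"], headers["To"]),  # always readable
            "body_readable": stored_body == body,
        })
    return views, env


def demo():
    """Run the constructed notification through the path both ways."""
    headers = {"From": "notify@xyz-cancer-center.example",
               "To": "patient123@mailhost.example"}
    body = b"Your new test results are ready."
    plain_views, _ = deliver(headers, body, PATH)
    priv, pub = make_keypair()                     # done once by the recipient
    e2e_views, env = deliver(headers, body, PATH, recipient_pub=pub)
    return plain_views, e2e_views, decrypt(priv, env) == body


if __name__ == "__main__":
    plain, e2e, ok = demo()
    for a, b in zip(plain, e2e):
        print(f"{a['hop']:<20} plaintext readable: {a['body_readable']!s:<5} "
              f"e2e readable: {b['body_readable']!s:<5} addresses visible: {b['sees_addresses']}")
    print("recipient decrypted correctly:", ok)
```

    Running it prints one line per hop: without end-to-end encryption every hop reports the body as readable; with it, none do, yet every hop still sees the From and To addresses, which is exactly the identifier point made in post #53. The MAC check in decrypt is what a relay-side modification would trip, so a tampered ciphertext is rejected rather than decrypted to garbage.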

  12. #57
    Quote Originally Posted by Steve Demuth View Post
    It's actually rather challenging, although clearly not impossible. The challenge comes from the fact that because email delivery is a send-store-retrieve, rather than a simple send-receive, the mail host (gmail.com, e.g.) is always a "man in the middle" between the sender and the intended recipient. You can easily enough set up encryption between the sending server and the mail host server, but the email only goes as far as the mail host server, where it lands and is stored. So the mail host ends up with an unencrypted copy of the message. You can't do end-to-end (sender to recipient) key exchange, because the recipient is generally not reachable when the mail is sent, so they can't negotiate the key pair. Most email recipients don't even have a publicly accessible IP address, as they are behind NAT, so you can't even try to reach them.
    You're right. I just didn't think it through far enough.

    Mike
    Go into the world and do well. But more importantly, go into the world and do good.

  13. #58
    Join Date
    Mar 2014
    Location
    Iowa USA
    Posts
    4,485
    Drug prices, this discussion saved me money today!

    How many folks realize there is more than one drug price? Insurance or Medicare Plan D, Cash and GoodRX (R) price.

    What happened today brought that out in a big way. Went to refill one prescription and the cost told to me by the cashier in training was $60.28 and I said that is way too high! I said what is the cash price? The cashier in training and the other gal agreed it was $80! Of course I took the Plan price.

    FYI the pharmacy is forbidden by Medicare to tell you a lower price.... Unless you ASK the cash price.

    When I got to my next stop I pulled out my iPhone and used GoodRX to research prices in town, and the prices they give you are coupon prices that show on the phone and you show the pharmacy that coupon. The price ranged from less than $10 to $32 for the exact same drug!

    Well my pharmacy does not take GoodRX coupons, BUT it turns out the cash price was not $80 as I was told by the cashier in training but $35, wow. Needless to say I have a refund coming.

    Lesson, ask the Cash price after getting your Plan D or Ins cost. Use GoodRX to do the research first.

    If you're on Medicare D, DO NOT sign up for the GoodRX plan, just use the coupons as above. You cannot have two Plan D programs.


    PS Use the Medicare website to compare prices for your drug list.... Cigna raised my Plan price from $32 to $53, I found MedicareBlue RX Select PDP at $17.50 per month.
    Retired Guy- Central Iowa.HVAC/R , Cloudray Galvo Fiber , -Windows 10

  14. #59
    Join Date
    Apr 2013
    Location
    Kansas City
    Posts
    2,671
    I thought that the coupons were the GoodRX plan.

    I was HIPAA trained and certified for a while. It only applies to care providers and associated admin staff. If you share your info with your lawyer she can tell anyone she wants.
    < insert spurious quote here >

  15. #60
    Join Date
    May 2007
    Location
    Fort Smith, Arkansas
    Posts
    1,992
    Today’s supplemental Medicare plan mail. Can’t wait for tomorrow /s.
    My three favorite things are the Oxford comma, irony and missed opportunities

    The problem with humanity is: we have paleolithic emotions; medieval institutions; and God-like technology. Edward O. Wilson
