For Idaho Clinic, Secure Messaging Means HIPAA Compliance and Better Patient Care

“With secure messaging, when the nurse or provider sends out a message, the patient gets it.”

– John Cotten, IT Director,
Family Medicine Residency of Idaho



HIPAA Mandates Secure Electronic Communication

“Starting in February of this year, the next revision of HIPAA came out – the high-tech policy that required any kind of unsecure electronic communication to be encrypted and secure. In other words, you can’t e-mail your patients,” said John Cotten, IT Director at Family Medicine Residency of Idaho (FMRI). In response to this new federal HIPAA requirement, the clinic decided to adopt secure messaging. This technology would enable health care providers and nurses to send medical information like lab results to patients securely by e-mail.

Family Medicine Residency of Idaho, based in Boise, trains medical school graduates to become family physicians. The clinic associated with FMRI is called the Family Medicine Health Center. It provides a range of health services with an emphasis on affordable care for underserved groups.

Another benefit of secure messaging is streamlined patient communication. “Traditionally in a doctor’s office, when lab results come in for a patient, the nurse will try to call up a patient and let them know what the doctor said. And a lot of times they are playing phone tag. With secure messaging, when the nurse or provider sends out a message, the patient gets it. There is no phone tag and no interpretation of what the provider may have said. It’s pretty black and white – here are your results and here is what we recommend,” said Cotten.

GE Centricity Secure Messaging and Patient Portal

Cotten attended a user conference where he previewed the GE Centricity Secure Messaging and Patient Portal solutions. FMRI already used GE Centricity Electronic Medical Record (EMR) in its clinic. The Secure Messaging and Patient Portal solutions, originally developed and sourced from the vendor Kryptiq, were integrated with Centricity EMR and resold under the GE brand. Therefore it would be easy to drop them into the clinic’s existing IT infrastructure.

Cotten presented this solution to the staff. Dr. Justin Glass, one of the doctors at the clinic, happened to be looking at a grant that would cover an IT healthcare solution like this, so they included it in the application. The grant was approved and they went ahead with the deployment. It was a fairly easy sell to management because of the new HIPAA mandate for secure electronic communication.

The clinic configured the system for robust security to ensure the privacy of a patient’s medical record. When a new patient visits, he or she receives a one-time PIN for the portal. The patient goes online and registers, providing some key information to verify their identity. At this point the patient is set up for secure messaging. When a provider wants to send the patient information, such as the results of a cholesterol screen, the patient will receive an e-mail with a link to the portal. The patient clicks on the link, logs in and views the results and recommendations. If a patient does not log in and view the information within a certain number of days, the system alerts the nurse or provider so they can follow up by other means.

“Of course, with any technology, you can do a lot of things with it. What really drives a technology is the policies and procedures that you put in place at your practice,” said Cotten. Providers can control whether and how information is presented through secure messaging. They might allow a patient to see a full test result or choose just to say, “Everything is normal. Check back in six months.” Presenting too much complex information that is subject to interpretation can sometimes be confusing. And for sensitive information, they might forgo e-mail altogether and contact the patient in person.

Providers also have the option to allow the patients to respond by e-mail, and some at the clinic take advantage of this feature for back-and-forth communication. It facilitates more responsive patient care. “One of our providers is a huge proponent of the system, and he decided to allow some of the patients to respond to him. In one case, a patient responded to an e-mail and said, ‘I’m having pain in my leg…’ The nurse was able to see that information, track down the provider and see if they had taken care of it. If not, find another provider to take a look at it. So from a patient standpoint, it was great patient care,” he said.

Another benefit is that messages become part of a patient’s electronic medical record. The next provider that works with a patient can see the record and know exactly what was communicated. This provides more detail than summary notes.

Managing Change

As with any new healthcare technology, it is challenging to train and encourage people to use it. “A lot of technologies aren’t going to make their jobs easier right off the bat. At first it seems like one more thing to do,” he said. But in the end secure messaging reduces the amount of time spent on unanswered patient calls and phone tag. The clinic’s approach is to educate staff about the benefits and the ultimate goal of the technology. For instance, Cotten sent a message to the staff about how secure messaging will help nurses and providers focus on the patient that is here and in front of them while still getting the message to the patient that they have already seen. In other words, a tool for efficiency and better patient care.

The patients themselves were leery at first about giving their e-mail addresses to the clinic because they did not want to be spammed. Once they realized it was so their provider could communicate with them, they became more enthusiastic. Many people prefer to communicate by e-mail today.

Building on the Patient Portal

The clinic uses Centricity Patient Portal only for secure messaging at this time, though it has the potential to do much more. The software can show a patient’s full medical record, including historical details. So FMRI is currently studying how it might build upon this solution in the future. According to Cotten, while the technical aspects are straightforward, the real work is in understanding the impact on providers, nurses and patients and developing appropriate policies and procedures around the technology. It always comes down to the human impact.


 Copyright © 2010 Apropos LLC. All rights reserved.

Chugach Electric Gets Control of Spreadsheets for SOX Compliance with Brainloop Secure Dataroom

“Most organizations don’t have any of those standard controls in place around spreadsheets, and Chugach was no different.”
– Cheryl Klein, Founder and Principal Consultant, GRC Consulting Services

Spreadsheets out of Control

Chugach Electric Association needed to get its Excel spreadsheets under control for compliance with Sarbanes-Oxley (SOX) regulations. “A lot of organizations have issues with Excel spreadsheets,” said Cheryl Klein, founder and principal consultant of GRC Consulting Services. “The most often-used financial application for tracking, accounting and reporting is Excel. Unfortunately there are very few controls around anything within Excel to ensure that the information is valid, that it is correct, that it reports correctly, that someone hasn’t made a change inadvertently… Generally speaking most organizations don’t have any of those standard controls in place around spreadsheets, and Chugach was no different.”

Chugach Electric, headquartered in Anchorage, Alaska, is the largest producer and distributor of electricity in the state. It is a member-owned cooperative and therefore a private organization, though it had taken on a public debt which required it to comply with federal financial regulations, including SOX.

To bring the organization into compliance, Chugach Electric enlisted an outside consultancy, Certified Security Solutions. Cheryl Klein was the lead consultant for this project. She assembled a team of IT and financial professionals to implement the proper controls and processes for SOX compliance, test them for effectiveness and interface with their external auditor KPMG. (Klein has since started her own company, GRC Consulting Services, which specializes in governance, risk and compliance initiatives.)

The proliferation of spreadsheets for financial reporting was a major issue. By scanning the file server for last-modified dates at the end of the quarter, they were able to determine which spreadsheets were used in financial reporting. “We tested and validated the functionality of each one of those spreadsheets to ensure that all the formulas were being called correctly, the summations used the right ranges… So we knew that those were the key spreadsheets, tested and signed off,” said Klein.

From that point, they looked for a way to secure the spreadsheets by limiting access only to authorized individuals and creating an audit trail around journal entries and approvals. As a midsized organization, Chugach Electric did not have the time or resources to deploy a comprehensive enterprise resource planning (ERP) system such as SAP or Oracle. Instead they wanted a cost-effective, targeted solution that would enable them to achieve and maintain SOX compliance.

Brainloop Secure Dataroom for SOX Controls

Chugach Electric adopted Brainloop Secure Dataroom, a hosted service for managing and sharing confidential documents. It provides a secure, Web-based document repository with user authentication and access rights, a tamper-proof audit trail and collaboration tools. Chugach Electric used the Brainloop platform to establish controls around their financial spreadsheets.

“Now they actually have a more streamlined workflow process that is better controlled than they did when just emailing spreadsheets back and forth.”
– Cheryl Klein, GRC Consulting Services

Klein continued, “The goal was to create efficient, repeatable processes for compliance. Because compliance with SOX is not a one-time thing – it’s every year you have to go through this. So the goal was to bring them to the point of initial compliance, and then a cost-effective, repeatable compliance process going forward. The use of Brainloop Secure Dataroom does both of those. We got them into compliance initially. And now they actually have a more streamlined workflow process that is better controlled than they did when just emailing spreadsheets back and forth.”

Time and Money Saved – Every Year

Reining in Excel spreadsheets closed a major gap for SOX compliance. The Brainloop platform allowed Chugach Electric to achieve SOX compliance initially, as mandated by law, as well as to save time and money maintaining compliance going forward. SOX requires organizations to perform testing internally, in addition to the testing done by an external auditor. By establishing secure controls and processes around their financial spreadsheets, Chugach Electric and its auditor KPMG only have to confirm that the controls are in place and working instead of manually re-testing and re-validating the spreadsheets each quarter. This saves a tremendous amount of time and money in labor and consulting fees every year.

