To Bert again,
Pardon my mental lapse--I forgot that you likely wouldn't have too many mammo's in your practice. I had just mentally figured out whether to send a letter or email result to a patient just before reading this thread, earlier.
Question for other Updox users--anyone billing by way of email through Updox portals? jimmie
jimmie internal medicine gab.com/jimmievanagon
|
Tobin, You should be all set now. 
Bert Pediatrics Brewer, Maine
|
Tobin, I am new and debating using Updox. When I export a CCD or CCR to the Updox portal, does a patient get an automatic email notifying them that they have results in the portal and they have a password? Or does it go to their email? When you say that once the medical record is in the portal, I can then send it to another provider, do I designate an email (of that provider's practice) that it attaches to, and if so, is it secure (encrypted)? Are doctors sending this information to ERs? If so, are ERs getting it via emails?
Thanks,
Donald Phillips MD Cedar Hill, Tx
|
Hey Donald, I'll try to address all of your questions.
First of all, when you send anything to the portal, whether it's a text message, or a lab result, or a CCD/CCR, we never send any part of it over email. Emailing PHI (patient health information) over email is never HIPAA-compliant. If we have an email address for the patient, we will email the patient to tell them that they have a new item at the portal. If this was the very first item, we'll actually send them additional information instructing them how to log in. Once the patient logs in, they can download the actual XML file, or view a human-readable version. What they do with the XML file at that point is up to them.
If you are looking to transmit the CCR/CCD file to another provider instead of a patient, you could send it by secure message. In this case, the receiver would need to be an Updox user. We do have a free Updox plan which only includes secure messaging, so the receiver wouldn't have to be a paying Updox user. (We also support sending/receiving DIRECT messages (directproject.org), but no one's really using that yet.)
Again, if you choose to email it out of Updox, it is not encrypted and it is not secure.
As far as where our doctors are sending them, we do have several doctors who are sending a lot of CCR/CCD files to their patients, but I'm not aware of anyone sending them to other providers yet. I expect we'll see more of that in the months to come.
Does that help?
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
Tobin,
If the patient wants a direct email, can you send them a standardized email that they send back stating they know it is not secure or encrypted, but they are OK with that?
Bert Pediatrics Brewer, Maine
|
And, you have to explain the Avatar unless that is the person who devised Meaningless Use. 
Bert Pediatrics Brewer, Maine
|
Dear Tobin, Thank you for clarifying the secure messaging with Updox, but I want to make sure I understand you correctly. As long as my nurse or myself communicate with the patient via the secure portal through Updox we are HIPAA compliant. As I am not emailing or contacting patients electronically outside of Updox at this point. We have gotten several messages from patients through the portal. So would the best terminology to use with my patients be secure messaging through the portal rather than emailing in the portal--as email connotes non HIPAA compliance? thanks for your input--jimmie
jimmie internal medicine gab.com/jimmievanagon
|
Thanks Tobin, yes that does help clear up things. Since one of the meaningless use items was to successfully send records to another provider, which would generally mean a consultant, who probably does not have Updox, then I would still need to find or purchase an email service that provides for encryption. But for a one time attestation in Stage 1, I could just find an Updox user and satisfy the test.
Donald Phillips MD Cedar Hill, Tx
|
"So would the best terminology to use with my patients be secure messaging through the portal rather than emailing in the portal--as email connotes non HIPAA compliance?"
Yes, most patients probably don't realize that email isn't HIPAA compliant, but for those who do, they may freak out a little if you refer to email at all. I would definitely recommend referring to it as "secure messaging through the portal" or something like that.
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
"Since one of the meaningless use items was to successfully send records to another provider, which would generally mean a consultant, who probably does not have Updox, then I would still need to find or purchase an email service that provides for encryption. But for a one time attestation in Stage 1, I could just find an Updox user and satisfy the test. Donald Phillips MD Cedar Hill, Tx"
To use a secure email service, you would also need to get the consultant on the same service; you're not going to be able to use an encrypted email service and securely email something to a generic email address like Gmail/Hotmail/Yahoo/etc.
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
Tobin,
Now the next question --is faxing using a designated fax line out of Updox HIPAA compliant??? jimmie
jimmie internal medicine gab.com/jimmievanagon
|
"If the patient wants a direct email, can you send them a standardized email that they send back stating they know it is not secure or encrypted, but they are OK with that?"
Hey Bert, sorry, I missed this question earlier... This is totally up to the practice. We do have some customers who email patients just because that's what their patients want. Most of them either get the patient to sign a form in the office stating that they understand email is not secure, or they include a big warning in the signature of their emails. We've seen less and less of this though, and even our customers who have been doing this for years have recently been switching to the portal. As we expand portal functionality, the messaging option in the portal gets more interesting as you start to be able to do things like actually charge the patient a small fee for the conversation back and forth.
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
"Now the next question --is faxing using a designated fax line out of Updox HIPAA compliant??? jimmie"
Absolutely. Obviously, faxing has been deemed HIPAA compliant, so the actual fax transmission is ok. All the rest of the communication between you, Updox, and our fax machines is completely encrypted and secure. Explicitly sending PHI out by email is the only way to use Updox in a non HIPAA compliant manner.
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
Tobin,
What happens if my nurse or myself accidentally send Mr Jones' PHI across the portal to Mr Smith? Will Mr Smith be able to then open up the message and see Mr Jones' PHI?
Also just trying to understand why one modality is deemed HIPAA compliant and another not, such as faxing versus emailing. A breach of PHI seems just as easy by faxing to a wrong number as emailing to a wrong address. I've been faxing PHI for years, but never really thought about these issues much till starting AC/Updox recently and now being paperless has definitely opened up new areas of communicating but also new concerns. So bear with my simplistic understanding of this field.
I have also noticed a portal payment option. Could you expand on what this capability offers? Thanks for your time. jimmie
jimmie internal medicine gab.com/jimmievanagon
|
jimmie,
I just looked up so many sites on HIPAA and email, I decided not to list them. Remember, HIPAA doesn't always make specific recommendations as to protection of PHI. It mainly wants you to do everything possible to protect PHI and have policies to such.
HIPAA actually considers email safer as there are more ways to secure it via encryption. On the other hand, when I used Certified Mail, which was simple and cost-efficient, I couldn't get doctors to figure it out, when all they had to do was receive an email which already had their email address in the username field and they had to add a password (not even a difficult one). Over 60% of them were scared to death of it.
HIPAA also states that since you can talk over an unsecure line, then you can fax over one. Using precautions such as a cover page is all they want. I think it is much easier to email the wrong place than it is to email the wrong place. HIPAA states that with any new fax number, you should verify it first, then put it in the address book.
I kind of laugh at all these emails with the disclaimer at the bottom as if they mean anything. As if emailing it back and then "deleting" the email will make a difference.
Certainly, a portal makes a huge difference when the data resides on the portal's server and never leaves it. You could have a form that allows people to opt out of using the portal but letting them know that this will delay their results and further access significantly. I think using the email they receive to access the data on the portal and finding it the wrong patient is more likely to end up with that patient not reading it and replying back to you.
Your nurse sending Jones to Smith is an error. It is simply going to happen. Mistakes will happen. You can try to come up with double checks as the hospitals do with chemo. We always have one other staff member check a lab req and label to see they are on the correct person. Not sure how easy that would be with this.
I try to keep all my information secure on my server and network. But, again, there is only so much I can do. I can't set up Department of Defense techniques with everything, although I can use DBAN to clean hard drives.
Bert Pediatrics Brewer, Maine
|
Tobin,
Maybe it would make sense to start a new thread on the portal portion and PHI. Also, are there benefits to using the portal only as opposed to the entire product? I suspect there are many users on here, such as myself, that have methods so ingrained as to how they process their faxes, that even if using the portal seems helpful, it is hard to get past the thought of the waste of not using all of the program.
Bert Pediatrics Brewer, Maine
|
Bert,
Thank you for clarifying this issue--I realize when I describe these as new ways to communicate--lots of folks have been doing this for years. What I find fascinating are the "new ways to communicate/practice" that if incorporated appropriately is about the only way we may "get a raise" by becoming more efficient. I just got an iPod touch, bought a 10 dollar iTunes card and my wife downloaded an "album"--so that shows you my level of technological savviness. However the patient portal that Updox offers is an extremely intriguing tool at my disposal that I never dreamed of doing 3 months ago. However I am educating my patients on the ground rules early on and anticipate the portal function to be equivalent to voice mail messaging (the messages copied and pasted to the permanent record sent to me by my nurse, and also patient education and results being sent to patient via the portal). The portal gives you a buffer and you can set the ground rules and the expanse of communication you desire with the patient. I've told my nurse anything received over 4 lines deserves an appointment. Still early on in the process but will keep you updated. jimmie
jimmie internal medicine gab.com/jimmievanagon
|
Every patient that I have seen in the last 6 mos and has provided me with an email has been linked to our portal. It has been an invaluable communication tool. It has reduced phone calls and faxes. I agree it is treated similar to voice mail. Patients do not have an expectation of treatment on-line any more than they did by phone. Reducing phone calls for refills/results/simple questions has freed up the lines for patients to get through more quickly. PATIENTS LOVE IT!!!!!!
Now if we could have on-line scheduling with Updox that connected to AC!!! The more this gets centralized, the better. Updox provides us a website, portal, secure messaging, and faxes. We even have our forms on the Updox website so new patients can have everything filled out and sent in before they ever get here! It makes sense to add scheduling to this platform.
Can you tell WE LOVE UPDOX!
Catherine FP NJ
|
Alright, seems like my vaccine entry workflow is close to being sorted (huge props to Bert for his help). Now on to Updox. I read thru all the posts about color tags and so forth. Here is my dilemma: it appears to me that the doctor needs to be the person triaging the faxes in Updox- coz that is the only place where I can put signature, comments, date stamp etc. Once it is imported into AC, it can't be marked up....am I correct?
The dilemma is that I don't really want to wade thru' hundreds of faxed pages daily-- some of which may be for billing or even a fax offering a vacation in Jamaica. I want my MA to be able to go thru' the faxes, assign them to the relevant patient and THEN send them to me to sign/markup.
Thoughts?
=A.J.
a.j. godbole pediatrics
|
The staff imports patient-related faxes into AC which then goes into their charts. I review my inbox and send orders to the staff. These comments are attached to the import. You could also have the staff import letters into AC, your personal faxes to your email, and testing can be left in Updox for you to review/respond and send to patient through the portal and import it into their charts at the same time.
There are many variations. I have tried a few different combos. When I am not in the office but still want to keep up with my mail, I do have them leave it in Updox because it is quicker for me, rather than going into AC through my VPN.
Catherine FP NJ
|
Dr. AJ, I am moving this to another thread to make it easier in the future to find answers to Updox questions. The thread about Updox, signing off and marking up is found here.
Jon GI Baltimore
Reduce needless clicks!
|
"What happens if my nurse or myself accidentally send Mr Jones' PHI across the portal to Mr Smith? Will Mr Smith be able to then open up the message and see Mr Jones' PHI?"
Yes, Mr. Jones could see Mr. Smith's stuff; there's unfortunately nothing we can do to stop this, we're just doing what you told us to. It's the same thing as if you emailed it to the wrong address, or mailed a letter out with the wrong address. However, you can delete items from the portal, though, so if you realize it soon enough, you can remove it before the patient has a chance to see it.
"Also just trying to understand why one modality is deemed HIPAA compliant and another not, such as faxing versus emailing. A breach of PHI seems just as easy by faxing to a wrong number as emailing to a wrong address. I've been faxing PHI for years, but never really thought about these issues much till starting AC/Updox recently and now being paperless has definitely opened up new areas of communicating but also new concerns. So bear with my simplistic understanding of this field."
Bert answered this pretty well, just wanted to add in a couple of thoughts. It's not about how easy it is to send something to the wrong location, it's about how easy it is to read in transit. To "read" a fax that you are sending out, a person would have to essentially tap the phone line; this is not trivial. "Reading" email as it is transferred, unencrypted, over the Internet is much simpler; it's available for many companies to read as it passes through their servers. And if you (or more likely your patients) happen to be checking their email at a coffee shop or library or anywhere else there are other people around, it would be fairly easy for anyone there to read their email as well. Not trying to scare you here, just trying to explain how exactly email can be so insecure.
"I have also noticed a portal payment option. Could you expand on what this capability offers?"
Sure, I won't go too much into the nitty-gritty of getting the initial setup up and running (I'm happy to discuss offline or on another thread). Once you are set up, this allows you to accept credit card payments through the patient portal. Patients can pay you a one-time payment, set up a payment plan (pay $40 a month for 5 months), or even pay for products/services you configured. Our charge is just 20 cents per payment, there's no percentage cut. Payments is one of the areas we're excited about; over time, we'll be adding many more features around this, for example, charging your patients a small fee before they can send you a message or submit a certain form. If you have more questions about this, let's start another thread so it's easily searchable if someone has the same questions in the future.
Tobin (at Updox) Please use the official Updox Support email support@updox.com for time-sensitive/important bugs or issues, I do not check these forums every day.
|
For example, logging into this site isn't very secure. Logging in over HTTP instead of HTTPS means a third party can come along and steal your login info. Even I can do this.
|
How do you delete something from a patient portal? Do you have to log into their portal? What if they change their password?
David Lee, MD IM Dallas, TX