Posts Tagged ‘HIPAA’

Optometrists and Labs Need Encrypted E-mail

David Langford, O.D. on November 21st, 2009 under Optoblog •  2 Comments

E-mail is awesome because you can send notes, PDFs, and other files quickly and easily, except when you are a doctor. Since any script kiddie can sniff your e-mail, doctors can’t send e-mails of cornea topographies to labs, referrals to colleagues, or special testing results to patients, because that would be a breach of patient confidentiality and a violation of that one unnecessary, burdensome law.

I protect patients by encrypting my e-mail!

I’m sure George Q. Public doesn’t want his K-readings leaked to the press when he decides to run for President someday.

But seriously, sometimes birth dates and stuff are printed on the reports, so if doctors want to use this cool, new thing called “e-mail,” we’ve got to set up our e-mail to have the capability to send and receive encrypted messages and attachments. What does it look like?

So your e-mail inbox gets a message that looks like this. You have an e-mail client plugin that you have set up. You input your password, and the message magically translates to:

Dude, isn’t this so cool that not even the government can tell what I’m writing you? Unless…you forward this message to them unencrypted, but I trust you.
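As an added example (not code from the post), here is a small Python checker a practice could run over an inbound mail body to confirm that an “encrypted” message really is OpenPGP ciphertext: it parses the ASCII armor that GnuPG/Enigmail produce, verifies the CRC-24 on the “=” line, and reads the first packet tag. The armor layout and CRC-24 follow RFC 4880; the packet bytes in the sample are constructed dummies, not a real message.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
# OpenPGP packet tags (RFC 4880 section 4.3) that can open a message.
PACKET_TAGS = {1: "public-key encrypted session key", 3: "symmetric-key encrypted session key",
               8: "compressed data (not encrypted)", 11: "literal data (not encrypted)"}
# Constructed sample: an old-format PKESK header (0x84 = tag 1, 13-byte dummy body)
# followed by a new-format SEIPD header (0xD2 = tag 18, 4-byte dummy body).
SAMPLE_PACKETS = (bytes([0x84, 13, 3]) + b"\x5a" * 8 + b"\x01\x00\x08\x7f"
                  + bytes([0xD2, 4, 1, 0xDE, 0xAD, 0xBE]))

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the value carried on the armor's '=' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap raw OpenPGP packets in 'PGP MESSAGE' armor, as a mail client would send it."""
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP MESSAGE-----\nVersion: example\n\n{body}\n={check}\n-----END PGP MESSAGE-----\n"

def inspect_armor(mail_body: str) -> dict:
    """Find the first armored block in an e-mail body; report whether the CRC-24 holds and
    whether it opens with a session-key packet (real ciphertext) or a plaintext packet."""
    lines = mail_body.splitlines()
    try:
        start, end = lines.index("-----BEGIN PGP MESSAGE-----"), lines.index("-----END PGP MESSAGE-----")
    except ValueError:
        raise ValueError("no armored PGP MESSAGE block found") from None
    block = lines[start + 1:end]
    blank = block.index("")                     # armor headers end at the first blank line
    headers = dict(h.split(": ", 1) for h in block[:blank] if ": " in h)
    body = [l for l in block[blank + 1:] if not l.startswith("=")]
    check = [l for l in block[blank + 1:] if l.startswith("=")]
    packets = base64.b64decode("".join(body))
    crc_ok = bool(check) and base64.b64decode(check[-1][1:]) == crc24(packets).to_bytes(3, "big")
    if not packets[0] & 0x80:
        raise ValueError("data does not start with an OpenPGP packet header")
    tag = packets[0] & 0x3F if packets[0] & 0x40 else (packets[0] >> 2) & 0x0F  # new vs old format
    return {"headers": headers, "crc_ok": crc_ok, "tag": tag,
            "first_packet": PACKET_TAGS.get(tag, f"tag {tag}"), "encrypted": crc_ok and tag in (1, 3)}
```

A block whose first packet is literal or compressed data is a “PGP MESSAGE” in name only; the patient data inside it is not encrypted.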

You can see this in action on my practice website. To get started you need one of the following:

  • your practice’s domain name (usually your web host will offer e-mail storage), or
  • any e-mail address that you can access via the Thunderbird e-mail client (i.e. POP3 or Gmail).

Download the following:

  • GnuPG – the free, open source engine that runs encryption. The Windows version is found at gpg4win.org.
  • Thunderbird – a free, open source e-mail client.
  • Enigmail – a free plugin for Thunderbird that makes it easy to make your encryption keys, share your public key, store other people’s public keys, and encrypt/decrypt e-mails. You should read the install instructions for Enigmail.

Make sure when you generate your encryption key that its passphrase (the password that protects your private key) is extra long and random. You must assume that anyone could capture the key and try to brute-force it. If the passphrase is long and random, it would be nearly impossible to crack. I suggest keeping your random, long passphrase in a password wallet.

Why not do it?

Barriers to entry:

  • It doesn’t do any good for you to have e-mail encryption if the person to whom you want to e-mail the top-secret K-readings doesn’t have e-mail encryption set up. They must have a public key that they share.
  • I’ve just presented a free way (unless you have a paid practice URL/webhost) to do this, but it does require some tech savvy to download, install, and implement the tools. This way requires the Thunderbird e-mail client. If you use Outlook or something, there are paid solutions out there.

Why do it?

If every doctor would just get in gear with e-mail encryption keys, we could send patient referrals with high quality color photos and reports instead of low res, black and white faxes (usually with a few vertical black lines on the page). We could send the lab a topography. We could send a patient a report or copy of their Rx. We could talk about the stupid government and how we all secretly agree with Glenn Beck, Rush Limbaugh, and Ann Coulter.


E-mailing Your Doctor

David Langford, O.D. on November 6th, 2007 under Optoblog •  3 Comments

Kevin, M.D. brings up the point that most doctors don’t e-mail their patients because of privacy laws. Another doctor getting a lot of press for his new practice style, Jay Parkinson, flaunts that he can do whatever he wants since he doesn’t take insurance.

Wow, makes me want to not take any insurance; however, I DO think that we can e-mail our patients as long as HIPAA rules are maintained. It’s my understanding that as long as the data is encrypted, we can communicate confidential information with patients. On my practice website, patients can e-mail me using a form. This form can be optionally encrypted before sending if they have confidential information to share.

This is all done using my public key. Only my private key with its password can decrypt the message. I didn’t go to the HIPAA Security Company store and buy it. It’s totally free if you know how. While I believe this system complies with the intent of HIPAA regulations, I can’t e-mail back a patient if they haven’t made themselves a cryptographic key pair for e-mail. I’ll bet only a very small percentage of people in the world even have one, and I’ll bet the percentage of doctors that have encrypted e-mail is even less than the general population. But I did it. It’s do-able. Sure, I’m a computer geek, but I learned computers the same way I learned eye doctoring; study and practice.

But the obscurity/confusion of how to implement encrypted e-mail communications is not the real reason doctors don’t use it. I don’t get paid to sit around and e-mail patients. I get paid for examining patients at the office. On-line communication tools work well for Dr. Parkinson since that is his mode of practice. But my patients don’t pay me a subscription, so any e-mail that I have with them would most likely say something like, “I would recommend you come in for an appointment.”

By the way, I’ve had this encrypted form feature on my website for over 18 months, and no one has ever used it nor have they used my public key to send me an encrypted e-mail.
