MedMid Conference Call January 24, 2004
Barry Ribbeck, UT-HSCH
Keith Hazelton, U. Wisconsin - Madison
Morgan Passiment, AAMC
Renee Frost, Internet2
Jeanette Fielden, Internet2
Steve Olshansky, Internet2
Theresa "Terrie" Clark, Internet2
Steve Olshansky introduced an additional scenario where an academic medical center offers an optional service to provide accounts to patients for secure communication with health care providers.
Barry Ribbeck gave an overview of MD Anderson Cancer Center's program, which offers e-mail accounts and wireless access in facility buildings to patients and guests to access services. This program has been active for over a year. The system administration for the program segregates these users from the private network. No certificates are issued. Each research institution in Texas operates independently, which makes the use of a single certificate at multiple research universities problematic. MD Anderson is pursuing other methods of secure data transmission over SSL, especially webmail. Due to geographic proximity and staff overlaps with UT-HSCH, MD Anderson may closely evaluate PKI. Other hospitals may be implementing this type of service. This can be accomplished by a secure e-mail or Web-based solution with SSL authentication between the patient and the physician to comply with HIPAA standards.
Morgan Passiment is aware of institutions' interest in patient e-mail programs. MD Anderson's interest in this type of program may stem from the fact that they, as a cancer treatment center, have long-term relationships with their patients. The hospital's goal is to maintain the long-term relationship with patients.
Jeanette Fielden noted that systems like these do exist commercially, such as at Kaiser Permanente, where a patient can fill prescriptions, schedule appointments, send e-mail, etc., using a secure web site.
What are the issues around this scenario? Are any MedMid participants active with this scenario? The scenario is not practical if it requires the PKI enabling of technically unsophisticated clients. An application that is SSL enabled, accessible from any web browser, and provides the user with login credentials is a practical solution. However, this does not address what a patient may choose to do with their password. Nor does it address who at the institution has access to the login/passwords. Policies protecting the patient's privacy will be required.
How does this scenario expand into outside consultations? Physicians should be aware, through their HIPAA compliance training, of how to make information sent over the Internet anonymous. Depending on where the consult occurs, logistical security issues should be addressed. For example, a physician in the U.S. seeking a consultation from a physician outside the U.S. is a different scenario than a physician seeking a consultation from a physician across the hall or elsewhere in the U.S. Additionally, the consulting physician must be certified in the state from which the consult request comes. Finally, insurance considerations exist.
Further investigation of this new scenario is warranted, and intersects with a current topic of interest to the VidMid-VC working group - enabling secure authenticated videoconferencing in an academic medical environment.
The MedMid call will now occur every 4 weeks until further notice. Next call will be 2 PM EST Thursday 19-Feb.