[AI] {Barry} will provide MD Anderson contact information to Steve.
[AI] {Morgan} will query AAMC internally regarding current policies on academic med centers providing accounts to patients/family members.

MedMid Conference Call January 24, 2004

*Attendees*
Barry Ribbeck, UT-HSCH
Keith Hazelton, U. Wisconsin - Madison
Morgan Passiment, AAMC
Renee Frost, Internet2
Jeanette Fielden, Internet2
Steve Olshansky, Internet2
Theresa "Terrie" Clark, Internet2

*Discussion*

Steve Olshansky introduced an additional scenario where an academic medical center offers an optional service to provide accounts to patients for secure communication with health care providers.

Barry Ribbeck discussed an overview of MD Anderson Cancer Center's program, which offers e-mail accounts and wireless access in facility buildings to patients and guests to access services. This program has been active for over a year. The system administration for the program segregates these users from the private network. No certificates are issued. Each research institution in Texas operates independently, which makes the use of a single certificate at multiple research universities problematic. MD Anderson is pursuing other methods of secure data transmission over SSL, especially webmail. Due to geographic proximity and staff overlaps with UT-HSCH, MD Anderson may closely evaluate PKI. Other hospitals may be implementing this type of service. This can be accomplished by secure e-mail or a Web-based solution with SSL authentication between the patient and the physician to comply with HIPAA standards.

Morgan Passiment is aware of institutions' interest in patient e-mail programs. MD Anderson's interest in this type of program may stem from the fact that they, as a cancer treatment center, have long-term relationships with their patients. The hospital's goal is to maintain the long-term relationship with patients.

Jeanette Fielden noted that systems like these do exist commercially, such as Kaiser Permanente, where a patient can fill prescriptions, schedule appointments, send e-mail, etc., using a secure web site.

What are the issues around this scenario? Are any MedMid participants active with this scenario? The scenario is not practical if it requires the PKI enabling of technically unsophisticated clients. An application that is SSL enabled, accessible from any web browser, and provides the user with login credentials is a practical solution. However, this does not address what a patient may choose to do with their password. Nor does it address who at the institution has access to the login/passwords. Policies protecting the patient's privacy will be required.

How does this scenario expand into outside consultations? Physicians should be aware, through their HIPAA compliance training, of how to make information over the Internet anonymous. Depending on where the consult occurs, logistical security issues should be addressed. For example, a physician in the U.S. seeking a consultation from a physician outside the US is a different scenario than a physician seeking a consultation from a physician across the hall or elsewhere in the US. Additionally, the consulting physician must be certified in the state from which the consult request comes. Finally, insurance considerations exist.

*Call Decisions*
Further investigation of this new scenario is warranted, and intersects with a current topic of interest to the VidMid-VC working group - enabling secure authenticated videoconferencing in an academic medical environment.

*Next Call*
The MedMid call will now occur every 4 weeks until further notice. Next call will be 2 PM EST Thursday 19-Feb.