Secure Messaging: Uphold Clinical Documentation Integrity

Follow Stage II meaningful use and HIPAA security guidelines when sending ePHI.

By Vernessa Fountain, RHIA, CTR

Stage 2 of electronic health record (EHR) meaningful use requires secure messaging, using certified electronic health record technology (CEHRT), to be sent to more than 5 percent of unique patients (or their authorized representatives) who are being seen by the provider during a meaningful use reporting period. Secure messaging criteria enables the provider and his or her patients to send and receive secure electronic messages. Provider/patient message content must be encrypted to safeguard electronic protected health information (ePHI). Secure messaging of electronic notes must be text-searchable, and may contain images and other content.

Secure Messaging Protocols

There are several ways to set up secure messaging solutions, all of which require secure web technology. For example, providers must supply patients or authorized representatives with a mailbox to send and receive secure messages via direct protocols that connect with the provider’s CEHRT. Providers use the CEHRT to send and receive secure messages from the patient’s mailbox.

Encryption Is Necessary

The recipient’s (patient or provider) secure messaging must be delivered only to its intended recipients. Secure messaging allows the sender to know when the message has been delivered, and to whom. The communication between the providers and patients must be encrypted, both in transit and at rest, to secure transmission to the recipients. The most common in-transit encryption use is secure sockets layer (SSL) protocol. When secure messages are at rest, they are stored in the CEHRT system. This also protects practice management patient database backup files.

CEHRT is designed to assist providers with privacy and security requirements and to facilitate adding secure messaging into the patient’s records. Secure messages become part of the patient’s EHR, and documentation may become relevant when deciding on the level of medical decision-making when coding for subsequent evaluation and management (E/M) services.

Unlike standard text messages and emails, secure text messaging allows the owner of the message to recall the secure message. The provider maintains control even after sending a secure text message, and has the ability to delete the secure message from the recipient’s mailbox or recipient’s personal device before—or even after—the recipient has read the secure message.

Be Leery of Text Messaging 

Text messages reside on a mobile device indefinitely, and this information can be exposed to unauthorized third parties when using smartphones, tablets, etc. Text messages are accessible without any level of authentication, which means anyone who uses a mobile device may have access to all text messages on the device without using a password.

Impose Email Safeguards

Email becomes part of the patient’s official health record when providers use email to communicate with patients about their medical decision-making. Emails are unencrypted and can be intercepted with harmful results to the patients. Unlike secure messages, emails can be read, altered, forwarded, and sent to the intended recipient without detection of an intruder or hacker.

Privacy and security experts advise healthcare providers to use unsecure email or text messaging only as a means to refer a patient to a portal to obtain their personal health information. Your practice must impress upon patients that electronic messages sent and received by unencrypted email or text present risks for both the provider and patient.

Secure messaging is part of the CEHRT. By contrast, text messaging and emails must be imported into the CEHRT via copy, paste, pull forward, and macros. In the future, this may affect your reimbursement. Note also that the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) have expressed concerns about providers using text messaging for clinical documentation, which is an area of focus for the OIG’s 2014 Work Plan.

Patient Consent Is Crucial

To send and receive secure messages, providers must obtain consent from patients (see: Electronic health information exchanges (eHIEs) allow providers to share and access information through a third-party organization. Patients must sign a consent to allow their health information to be shared using these health information exchanges.

Meaningful Use and CEHRT Audits

Secure messaging systems must be able to create an “audit trail” (showing what was sent and received, when, and by whom). The data must be text-searchable, archived, and retrievable. Providers must verify the output from their CEHRT, be able to look at the synchronizing data from multiple systems, and ensure compliance with the meaningful use standards.

CMS has contracted with a vendor, Figliozzi and Company, to conduct meaningful use audits for organizations and providers that attested to the meaningful use program and received an incentive payout. The initial letter will be sent from a CMS email address, informing the organizations of the audit contractor’s contact information. Organizations failing the audit of just one meaningful use measure are required to return incentive payment within 30 days of the notification.

Office for Civil Rights Audits

The Office for Civil Rights will be conducting HIPAA compliance audits on a random basis for six core measures of HIPAA compliance, consisting of security risk, security evaluation, risk management, risk evaluation, technical safeguard, and technical evaluation. A key focus is the security of portable electronic devices. You must ensure ePHI or PHI is stored and transported on a portal electronic device that is encrypted. Safeguard electronic devices and equipment that store PHI, and be sure PHI is wholly purged before these devices are recycled. Your organization must show policies and procedures governing the receipt and removal of portable electronic devices and media containing patients’ PHI.

Vernessa Fountain, RHIA, CTR, is the health information management consultant presenter at Caban Resources, LLC, and director, health information management/travel consultant at Healthcare Resource Group, former health information operation manager at Methodist Hospital of Arcadia, former adjunct instructor at East Los Angeles Colleges, and a former interim director, health Information management, medical records director, and coding manager at Los Angeles County University of Southern California. Fountain was also a former cancer registrar at Los Angeles County University of Southern California and a former bone marrow transplant cancer registrar, Hoag Presbyterian Hospital of Newport Beach, Calif. You may reach her at


Renee Dustman

Renee Dustman

Renee Dustman is executive editor at AAPC. She has a Bachelor of Science degree in Journalism and a long history of writing just about anything for just about every kind of publication there is or ever has been. She’s also worked in production management for print media, and continues to dabble in graphic design.
Renee Dustman

Latest posts by Renee Dustman (see all)

About Has 417 Posts

Renee Dustman is executive editor at AAPC. She has a Bachelor of Science degree in Journalism and a long history of writing just about anything for just about every kind of publication there is or ever has been. She’s also worked in production management for print media, and continues to dabble in graphic design.

Leave a Reply

Your email address will not be published. Required fields are marked *