Tips for Choosing and Implementing Secure Messaging

Trying to determine if secure messaging is right for your clinic?  To assist clinicians, OntarioMD has compiled a checklist of questions to help with your decision, including important considerations such as: 

  • Choosing a system to suit your needs 
  • Setting up workflows 
  • Training staff 
  • Educating patients on the purpose and benefits of secure messaging and onboarding them to the system. 

The Ministry of Health is undertaking a Secure Messaging Proof-of-Concept Pilot. If you would like to learn more, please refer to the Secure Messaging Proof-of-Concept Pilot page for details such as registration, requirements, and information on choosing and implementing secure messaging. 

Secure Messaging Solution Selection: Checklist 

Category | Questions to Consider
Sending capabilities  
• One-way (clinic/clinician to patient only) 
• Two-way (to and from clinic/clinician and patient) 
• Blasts (to groups or multiple recipients) 
• Does the clinic/clinician have the option to choose the message type (one-way from the clinic/clinician to patient only vs. two-way to which patients can reply)? 
• Can patients initiate secure messages? (requirement for MOH pilot participation) 
• Can messaging be temporarily, partially or completely disabled (for holidays, clinic closures, one or more clinicians opting out of messaging or only available during clinic hours)? 
• Can individual patients be blocked from sending messages to the clinic? 
• Is there a limit to the number of recipients when sending blasts? If so, what are the workarounds? 
• What, if any, are the processes to create cohorts or groupings prior to sending blasts? 
• Are there limits to graphics and imagery used in blasts? Is there functionality to design blasts as newsletters or announcements? 
Message attachments, customization and documentation
• Can the clinic/clinician and patients add attachments to messages? Are there limits to attachment types or sizes?
• Are incoming attachments scanned for malicious content/malware?  
• Can the clinic/clinician add attachments directly from patient charts? 
• Does messaging allow for the creation and use of customized templates, including clinic logos, branding and signatures? 
• Is messaging integrated into the EMR and automatically recorded in patient charts? If not, is the clinic/clinician required to download and import the message record into charts? 
• Does the messaging option capture and store metadata associated with patient chart messages (sender/recipient identities, time stamps, message context)? 
• What are the retention policies for messages (how long are they stored, can they be retrieved if deleted, can they be archived, can clinicians define their own retention policies and manage their own message storage)?  
• Are all exchanges, including text, images, attachments, etc., always encrypted from end to end? 
Customization of users, inboxes, and clinic groups
• What are the inbox options: single (that must be sorted) or multiple (for groups, roles, and individuals)?
• Can multiple users have individual sending capabilities (clinicians vs. nursing vs. staff)? 
• Are there customizable filters or rules to route messages to specific folders?  
• Can users customize notification preferences to receive alerts and/or updates about new or priority messages, replies, and other relevant details?  
• Are notifications on the status of messages (opened/read, unopened) sent to the clinic? 
• Can different security/permission levels be applied to users? 
Patient engagement
• How is patient consent, enrolment and onboarding collected and/or conducted?
• How are patient preferences re: secure messaging captured (opt-in/opt-out, language option, mode of delivery and recipient addresses)?
• Is a patient portal used? If so, what is required for onboarding patients to create accounts? 
• Are training resources/instructions/support provided to patients? If so, how are they provided and who provides them (clinic, secure messaging vendor, online via clinic website, handouts)?
• What are the security measures to authenticate recipients to access messages (logging into account, entering birth date or health card)? 
Patient expectations
• How do patients receive notifications for new/unread messages? Are multiple notifications sent for unopened/unread messages?
• How do patients access/view/send secure messages? Can they attach documents or pictures in messages? 
• How are patients informed about the appropriate use of secure messaging? 
• Are patients sent a standardized message to confirm the successful transmission of a message, automatic acknowledgment of receipt from the clinic and anticipated response times or next steps? 
Analytic capabilities
• Are metrics on patient engagement tracked (message open and response rates, and overall interaction frequency) to identify areas of improvement, and evaluate the impact of messaging initiatives on patient outcomes?
Listing on Ontario Health’s Verified Solution List
• MOH pilot participants must choose a secure messaging option from the Ontario Health Verified Solution List.
• Clinics/clinicians not participating in the pilot who choose an option not on the verified list should ensure the secure messaging vendor undergoes regular security assessments and meets the PHIPA and HIPAA security levels.
Stand-alone or integrated with EMR
• Does the messaging option integrate with the EMR or require separate sign-in? If integrated, is information automatically pulled from patient charts (selection of EMR reports, preferred contact methods and personal health information)?
• Does the messaging option allow for multiple users to sign into accounts and security tracking to review user activities? 
Associated costs
• Are fees set by month, user or message?
• Are there different fee options for monitored metrics, roles, permissions, or added features (basic functionality vs. all-inclusive)? 
Integration with, or inclusion of, other digital health tools
• Are other digital health tools included (online appointment booking, automated appointment reminders)?
• Can third-party capabilities work in conjunction with the messaging option (adhering to templated online appointment booking schedules and rules, etc.)? 

Clinic Workflow: Checklist and Recommendations

Category | Questions to Consider | Recommendations
Patient consent and enrolment
• Will consent and enrolment be collected in person or through secure messaging? Will enrolment be online, via website, through individual invitation or access code?
• Who will initiate and manage patient consent (whether in person and/or paper-based)? 
• What information will be included in consent forms/conversations (purpose of secure messaging, types of communications to be used, protection of health information, user rights and responsibilities)? 
• Will consent be indefinite or updated at various intervals (how frequently)?
• Where will consent expiry be noted in the EMR and which workflows will be implemented to ensure consent is updated (reminders, tasks, messages, searches)?
• Can patients change consent and/or preferences through the secure messaging option? If so, how is the clinic notified/EMR updated to reflect these changes? 
• What options and communications are available for patients who wish to opt out? 
• Where will the status of patient consent and other details be documented and visible in the EMR?  
• Create processes and clear communication to inform patients about the purpose, use and options of secure messaging. 
• Define processes for collecting consent from minors and caregivers. 
• Collect patient feedback and suggestions for clinic workflow and processes to improve the secure messaging experience. 
 
Trial or immediate implementation
• Should the clinic begin secure messaging implementation via a small trial (with a small patient or clinician group) before opening it to all patients/clinicians? If so, what should the testing period be?
• Following the trial phase, how will patient/clinician feedback be collected to help refine workflow and the secure messaging option, optimize features, and improve user experience before full implementation?  
• How will success and communication be measured within your team to identify the process changes needed? 
• Start small with a focused group to test secure messaging processes. 
• Define target dates to review processes and make changes as needed. 
Process for checking messages
• Will messages go to different recipients, or will all staff be responsible for triaging messages in a common inbox and forwarding them on as needed? Which messages will go to individual vs. group boxes (automatically sorted or managed manually)?
• How will incoming messages with data be managed (attachments, forms, pictures, etc.)?  For secure messaging options not integrated with the EMR, how will messages with data be incorporated into patient charts? 
• What will be the emergency protocols for escalating messages to supervising physicians, specialists, and other health-care professionals, as needed? 
• Prioritize integration. 
• Establish and train all staff/clinicians on strict guidelines regarding the movement of messages and data between secure messaging and the EMR. 
 
Process for managing messages during holidays, weekends and/or clinic closures
• Will secure messaging be turned off or checked during clinic closures? If not, will an automatic out-of-office response be issued to instruct patients to seek care at their local hospital in case of emergency?
• How will patients be notified of these policies? 
• Create clear, standardized messaging to inform patients on secure messaging policies. 
• Define appropriate use of secure messaging and process for handling its inappropriate use. 
Definition of appropriate/inappropriate use of secure messaging
• How will this be communicated to patients?
• Are there exceptions to these rules? 
• Create clear, standardized messaging to inform patients on secure messaging policies. 
• Define appropriate use of secure messaging and process for handling its inappropriate use. 
Turnaround times for received messages
• How will this be communicated to patients (auto replies, portal statements, etc.)?
• How will the clinic measure its response time performance and efficacy of modifications, when needed? 
• Create clear, standardized messaging to inform patients on secure messaging policies. 
• Define appropriate use of secure messaging and process for handling its inappropriate use. 
Process on unread messages to patients
• What is the acceptable time span between an unread patient message and an alternative communication being undertaken? Will these attempts be stored in patient charts?
• What is the alternative communication?  
• Create a standardized process to follow up on unread messages. 
Standardized templates for common scenarios and quick response
• Who will create these templates?
• Will staff have access to approved messaging for responses to patient requests? 
• How will the clinic review and update templates to ensure they meet all requirements? 
• How will staff/clinicians be trained on template use? 
• Create simple templates for trial implementation.  
• Set target dates to discuss and implement updates to templates. 
Ongoing training requirements
• How will patients be trained/provided guidance, educational resources and support with the use of secure messaging and completion of questionnaires/intake forms?
• How will patients be updated on any changes to clinic processes around secure messaging?
• Create clear, standardized messaging to inform patients about secure messaging policies.
Existing clinic processes to be replaced by secure messaging
• How will existing processes be replaced?
• How will patients be notified of new processes (if applicable)? 
• Discuss the plan for phasing out old processes and replacing them with secure messaging.  
• Define exceptions and processes around them. 
Process on pre-appointment triaging (sending questionnaires or intake forms before booked appointments)
• Who will be responsible for implementing and carrying out this process?
• How will outstanding tasks/forms be identified? How will patients be reminded to complete tasks/forms?  
• How will completed tasks/forms be acknowledged and reconciled within secure messaging and the EMR?  
• Define processes and clear guidelines for staff on appointments that require completed intake forms or questionnaires before clinic visits.