undefined | Better HN

0 pointsFungalRaincloud9y ago0 comments

Agreed upon code words in the message. I had a friend who was told that if she received a call regarding a particular sensitive matter, the person on the phone would start the call (whether she answered or not) with "Hey, it's Jenny" If someone was listening in to the call/message, it'd be easy to just say "Sorry, I think you have the wrong number."

Trouble is, sometimes people feel uncomfortable bringing up the subject, so it takes the professional who is calling bringing it up to see any benefit.

I do not think that a checkbox is appropriate - at any point, you might become concerned with the privacy of a matter, or you might not realize that privacy is a concern for you. For instance, consider someone who accidentally listens to a message stating that they are now pregnant, at work. Their employer now has advanced notice of a pregnancy, but no knowledge of the employee's intentions with regard to work. That is going to change the dynamic of the workplace, even if the employer does not intend anything nefarious. I really think the only graceful solution to this is agreed code words.

0 comments

3 comments · 1 top-level

cmiles749y ago· 2 in thread

We can only expect so much from the people who work at these offices. It's probably a bad idea to listen to voicemail messages at work via speakerphone; if someone does do this I think it's on them to deal with the repercussions... It doesn't strike me as reasonable to put the onus on the person leaving the message. Voicemail is tied to a phone or requires a PIN number and this seems to meet the bare minimum security requirements.

I agree that code words may be more effective than simply checking a box, but I maintain my position that it should be opt-in. I don't want to have to remember which code words mean what, or which office use code words, etc. I use my phone and email in a secure and responsible manner; explanatory text is my preference.

FungalRaincloudOP9y ago

It certainly would seem like it's your fault if someone overhears a sensitive message, if you know it's a sensitive message. But what if you don't know it's sensitive? What if you thought your last message was something you wanted to share? Or, what if your doctor transposes your number, and calls and leaves the message on someone else's phone? Even if you've opted in to have information exposed on your voicemail, you'd still have a case for a HIPAA violation, in that case.

You're right, of course, that it's your information, and if you want to have it treated less sensitively, that's your decision. But your doctor will likely want no part in that, and will probably prefer wholeheartedly that you do what you want with that information once it is in your possession.

What would be interesting is establishing a secure communication channel for medical information like this. For instance, some sort of encrypted email, where HIPAA violations were not so much of a concern, because you could reasonably assume that no one could easily accidentally send the information to the wrong client, and that the client had sole access to the information. Such things come with their own concerns, though.

There is probably a better way of doing things, but I don't think it's all that hard to remember a code word. Especially since you can leave a callback number, preventing the client from needing to know who the code word was from.

cmiles749y ago

I think I agree with you to some point. There have been a couple of suggestions and it's unfair of me to attribute them to you.

My concern is with a physician's office (or a bank, etc.) calling from a phone that does not provide Caller ID information and leaving a message that goes something like: "This is a message for you, please call us back at your earliest convenience." This would result in a call that I would ignore, followed by a voicemail that I would also ignore. Effectively it would mean that there would be no phone communication between myself and this office, bank, etc.

In my opinion, when you provide a bank or physician's office with your cell phone number and authorize them to contact you via that method, you are agreeing to let them leave the minimum required information. In my opinion, I need to know (1) who is leaving the message and (2) is it important. In a pinch, I will settle for (1). Without either, it may as well be static on the phone for all of the information it conveys. I disagree that I am allowing these offices to treat my information "less sensitively". On the contrary, it's my responsibility to treat my end of the communication channel sensitively.

A code word is an interesting idea, but people are pretty poor at remembering arbitrary information (on the whole). It's common for many people to use the same password for every website, since they have trouble memorizing more than a couple at a time. Code words, I fear, would have the same issue. People who don't need a code workd would forget it and they'd just be confused with the message; I think it would need to be opt-in for those who cannot secure their own side of the communication channel (voicemail, email, etc.)

Some of the electronic medical record (EMR) systems that have a public facing web interface do provide a more secure method of communicating with clinician or their office. In my experience these often mimic email and are secured via SSL, they require the typical username and password (or PIN) combination. These will probably become more popular, but I expect clinicians will still fall back to phone calls if the information is time sensitive.

For those who insist on listening to voicemail via speakerphone, it seems like the smart move is to ask the physician to contact them only through a secure website or email and never via cell phone.

j / k navigate · click thread line to collapse