Direct Secure Messaging Best Electronic Option for Mental Health Records

By Richard Sethre, Psy.D., L.P.
October 18, 2016 - Last updated: October 16, 2016

Electronic Medical RecordsThe Affordable Care Act (ACA) mandates increased communication between medical providers that creates significant challenges for psychologists and other mental health professionals (MHPs). In particular, use of Electronic Health Records (EHRs) raises concerns about the potential unrestricted flow of Protected Health Information (PHI) about mental health services among the patient’s medical professionals.

There are also emerging pressures from other oversight and regulatory bodies, such as the Centers for Medicare and Medicaid Services (CMS) and managed care organizations, to use EHRs and to increase coordination of care communication between providers. MHPs will increasingly face the challenge of balancing compliance with these expectations and maintaining patient confidentiality.

EHRs are mandated to have interoperability – to be able to transmit PHI from one EHR to another EHR. Interoperability is currently limited, or aspirational, for most EHRs. As EHR providers overcome technical problems it will be increasingly common for mental health PHI to be available to medical providers. Obviously, this raises significant concerns about who will have access to sensitive mental health PHI, and what they will do with it.

Here are a few crucial concepts necessary to understand EHR coordination of care issues and options:

*Pushing digital information: The secure sending of information between two known entities with an established business relationship, such as a primary care provider and a specialist. Such transactions typically relate to routine workflow and processes. A non-health care example of a push transaction would be sending an email.

*Pulling digital information: This is a secure accessing of information that involves a query and a response. The query is the request for information about a patient and the response is the retrieval of clinical information on the patient or information on where it may be found. Conducting a Google web search is a non-health care example of a pull transaction.

*Health Information Exchange (HIE): This is a service that provides digital access to a consolidated patient record. The record is a collection of documents about the patient from the patient’s medical professionals and health care systems. This information is aggregated and may be accessed by any medical professional or health care system staff that the patient has authorized to have access.

*Direct Secure Messaging (DSM): DSM is a secure messaging system that was specifically designed to securely exchange PHI. DSM may be viewed as a sort of email system for exchanging encrypted messages for coordination of care, including coordinating care but also other communications in medical systems and managed care organizations, such as making referrals. DSM is specifically designed to allow the patient to decide who receives the information.

*Healthcare Information Service Providers (HISPs) manage the exchange of DSM messages. HISPs maintain a directory of registered DSM users for their system and may be able to access a national database of DSM users to facilitate broad exchange of PHI. HISPs are responsible for ensuring that: 1) senders are who they say they are 2) messages are encrypted 3) recipients are who they say they are and 4) recipients are able to receive the messages and decrypt them.

Information in HIE databases may be collected by having it pushed into the system, such as when an EHR is programmed to automatically send a progress note or other PHI document to the HIE. HIEs may also be programmed to automatically pull information from authorized sources into the HIE system. Theoretically, the latter function would help ensure that the patient’s digital health record is complete. It may also result in others having access to PHI in unexpected ways, or in ways that the patient has not intended – the source of major concerns for MHPs and their patients.

For example, a patient may want one medical professional, such as the PCP, to have access to mental health PHI, but may prefer that another provider, such as a cardiologist, not have access to this information. Or, a patient may want medical professionals to have access to some mental health PHI, such as an intake summary, interim treatment summary or discharge summary, but not to other PHI, such as psychological testing raw data, progress notes, psychosexual assessments and marital therapy sessions. With HIEs, patients are unable to control access to their PHI.

As a result, many MHPs have refused to adopt EHRs out of concern that HIE technology will compromise patient confidentiality.

DSM allows patients to selectively authorize what PHI is sent, and who is to receive it. The technology for doing all of this is mature and works reliably. The main challenge for DSM is that it is a relatively new service. Medical professionals using DSM Company A may want to send information to other medical professionals who are not registered with Company A. The prospective recipient may be registered with DSM Company B, and therefore the recipient would be a trusted user for B but not A. Or, the recipient may not be a DSM user.

According to, utilization of DSM services is increasing rapidly:

  • Health care organizations serviced by DSM HISPs increased from 667 in 2013 to 52,241 in 2015.
  • DMS “trusted addresses” increased from 8,723 in 2013 to 1,099,484 in 2015.
  • DSM transactions increased from 122,842 in 2013 to 67,227,936 in 2015.

Today, many MHP websites include the office fax number. In the future, websites are likely to include information about whether the office has DSM capability. Or, just as it is often necessary to call a recipient’s office to find out the fax number, it will be necessary to call the office to find out the recipient’s DSM status and access information.


  • With DSM patients can trust that they have control over what PHI is sent to whom.
  • DSM technology is a better match for mental health services than HIE technology.
  • Use of DSM is increasing rapidly.
  • As more medical professionals, including MHPs, register with DSM companies, DSM will become increasingly easy to use.
  • DSM is likely to be increasingly required by major medical and MCO systems in order to receive referrals and participate in the care of patients who are members of the system.
  • The ability to coordinate care, either with HIE or DSM, will be mandatory for participating in Accountable Care Organizations.
  • MHPs who do not use HEI or DSM are likely to be increasingly marginalized – and potentially left behind – as the U.S. medical care system evolves. They are likely to receive fewer referrals and to experience barriers in exchanging PHI for mandated coordination of care.
Share Button

Richard Sethre, Psy.D., is in independent practice in Golden Valley, Minn. He may be contacted through his website at:

Related Articles