Balancing Mobile Solutions and HIPAA Concerns for Providers

July 12, 2013

Addressing the privacy and safety concerns of mobile medicine should be as important as accessibility for today's medical providers.

Every physician and provider at our hospital carries a smartphone that gives them access to the patient record, the Internet, and their installed references; lets them communicate by voice, text, and e-mail; and can capture video and still photographs. While the new technology lets us share information more quickly, these devices are often outside the administration's control and present a significant challenge to complying with HIPAA and protecting patient confidentiality.

Our inpatient facility has worked hard over the past three years to implement technological improvements that lighten providers' administrative workflow while still protecting patient confidentiality. The stakes are high because disclosing private information violates the trust at the core of providing medical care. There are also severe financial risks to consider: violations of patient confidentiality, whether unintentional or willful, can result in penalties of $100 to $50,000 per violation, with an annual maximum of $1.5 million per type of violation.

I work in a unit that relies heavily on the visual. As providers who must continuously make admission and surgery decisions based on how wounds look, my surgeon partner and I need to be able to see burns and other wounds. When we are not in the confines of the hospital, text messaging is the preferred tool among the members of our burn, plastics, and reconstructive team because it is immediate. We take great care to keep any patient-identifying information out of the texts, but there are dangers.

The good news is that HIPAA's Administrative Simplification (AS) provisions, and the Security Rule that HHS issued under them, spell out what a secure communication system must provide. Under the AS guidelines, the following four areas are critical to compliance:

Secure data centers - Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessments on an ongoing basis. An offsite provider that stores ePHI on the organization's behalf is a business associate and must sign a business associate agreement.

Encryption - AS stipulates that electronic protected health information (ePHI) must be protected both in transit and at rest, and encryption is the expected way to do it. Strictly, the Security Rule lists encryption as an "addressable" specification: an organization that does not encrypt must document why and what equivalent safeguard it uses instead, so for a mobile device that can be lost or stolen, encryption is the only realistic choice.

Recipient authentication - Any communication containing ePHI must be delivered only to its intended recipient, which means the system has to verify who is reading the message (typically a login on an enrolled device) before releasing it, not just which phone number it was sent to. A texting solution should also let the sender know if, when, and to whom a message has been delivered.

Audit controls - Any compliant messaging system must be able to create and retain an audit trail of all activity involving ePHI. For a text messaging system, this means archiving messages and the metadata about them (sender, recipient, timestamps, delivery), retrieving that information quickly when an auditor or investigator asks for it, and monitoring the system for misuse.
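The four areas above are requirements on a messaging product rather than a design, so here is an added example, constructed for this page and not the hospital's app or any vendor's code, of what two of them look in code: recipient authentication with delivery confirmation back to the sender, and a tamper-evident, searchable audit trail. The user directory, message ids, timestamps and audit key are all made up, and encryption in transit and at rest is assumed to be handled separately by a vetted library:

```python
"""Toy secure-messaging ledger modelling recipient authentication (with
delivery confirmation) and audit controls (a hash-chained trail of every
event involving ePHI).  Encryption is deliberately left to a vetted library.
All users, ids and timestamps below are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed demo key; in a real deployment this lives in a key manager.
AUDIT_KEY = b"constructed-demo-audit-key"


class MessagingLedger:
    def __init__(self, directory, audit_key=AUDIT_KEY):
        # directory: user id -> role, standing in for the hospital's identity
        # provider; only enrolled users may send or receive.
        self.directory = dict(directory)
        self.audit_key = audit_key
        self.messages = {}
        self.entries = []            # hash-chained audit trail
        self._prev_mac = b"\x00" * 32

    def _record(self, event):
        # Each entry's MAC covers the previous MAC plus this event, so editing,
        # deleting or reordering any entry breaks every later link.
        body = json.dumps(event, sort_keys=True).encode()
        mac = hmac.new(self.audit_key, self._prev_mac + body, hashlib.sha256).digest()
        self.entries.append({"event": event, "mac": mac.hex()})
        self._prev_mac = mac

    def send(self, msg_id, sender, recipient, contains_ephi, ts):
        if sender not in self.directory:
            raise PermissionError(f"unknown sender {sender}")
        if recipient not in self.directory:
            raise LookupError(f"unknown recipient {recipient}")
        self.messages[msg_id] = {"sender": sender, "recipient": recipient,
                                 "ephi": contains_ephi, "delivered_at": None}
        self._record({"type": "sent", "msg": msg_id, "from": sender,
                      "to": recipient, "ephi": contains_ephi, "ts": ts})

    def confirm_delivery(self, msg_id, authenticated_user, ts):
        """Called when an authenticated device fetches the message.
        Returns True only if the fetching user is the intended recipient;
        a refusal is itself an auditable event."""
        rec = self.messages[msg_id]
        if authenticated_user != rec["recipient"]:
            self._record({"type": "delivery_refused", "msg": msg_id,
                          "attempted_by": authenticated_user, "ts": ts})
            return False
        rec["delivered_at"] = ts
        self._record({"type": "delivered", "msg": msg_id,
                      "to": authenticated_user, "ts": ts})
        return True

    def delivery_status(self, msg_id):
        """What the sender sees: whom it went to and when (None if pending)."""
        rec = self.messages[msg_id]
        return rec["recipient"], rec["delivered_at"]

    def ephi_events(self, user):
        """Quick retrieval for an auditor: every trail event naming this user
        on a message that carried ePHI."""
        ephi_msgs = {m for m, r in self.messages.items() if r["ephi"]}
        return [e["event"] for e in self.entries
                if e["event"]["msg"] in ephi_msgs
                and user in (e["event"].get("from"), e["event"].get("to"),
                             e["event"].get("attempted_by"))]

    def verify_trail(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = b"\x00" * 32
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True).encode()
            mac = hmac.new(self.audit_key, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(mac.hex(), entry["mac"]):
                return False
            prev = mac
        return True


def demo():
    """Constructed flow: a PA sends a wound photo note to the surgeon; a nurse's
    device tries to fetch it first and is refused, then the surgeon gets it."""
    ledger = MessagingLedger({"pa_smith": "PA", "dr_jones": "surgeon",
                              "rn_lee": "nurse"})
    ledger.send("m1", "pa_smith", "dr_jones", True, "2013-07-12T08:00Z")
    wrong = ledger.confirm_delivery("m1", "rn_lee", "2013-07-12T08:01Z")
    right = ledger.confirm_delivery("m1", "dr_jones", "2013-07-12T08:02Z")
    return ledger, wrong, right
```

The point of the chained MACs is that an audit trail which the messaging server's own administrator can quietly edit is not much of a control; `verify_trail()` lets an auditor check the archive against the key held outside the application, and `ephi_events()` is the "retrieve quickly" part of the requirement.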

At my hospital, we recently implemented an SMS app that is available for both smartphones and tablets. It is certified to meet the AS requirements and allows the transmission of ePHI, including images. We are still working out the kinks of this system as we try to use efficient communication technology while protecting patient privacy.

It is an area that no one, from individual providers to healthcare organizations, can afford to ignore. Providers and healthcare organizations must not wait to get ahead of this curve and control the flow of protected patient information, because the consequences of not doing so are very expensive indeed.

This blog was provided in partnership with the American Academy of Physician Assistants.