Using technology that safeguards PHI is a must when providing care, but the same technology, used improperly, can lead to major HIPAA violations.
Using technology in medicine can be a double-edged sword. On one hand, it's easier than ever to collaborate on care, log into an Electronic Medical Record (EMR) to quickly find patient information, transmit orders, and send and receive information from colleagues.
However, using that same technology improperly can result in a HIPAA violation, and HIPAA violations carry fines. Just last year, a former nursing home operator was fined $650,000 after a stolen iPhone was found to contain medical records for more than 400 patients. The theft led investigators to uncover lax mobile device policies for protected health information (PHI), which likely resulted in a larger penalty.
It's not just stolen phones that physicians and practices need to worry about. A report from Spyglass Consulting Group shows that 96 percent of physicians use smartphones as their primary device for clinical communications. Each unencrypted text message, document or photograph that contains PHI is a potential HIPAA violation, subject to a fine of between $100 and $50,000 per violation depending on the severity of the violation, up to a yearly maximum of $1.5 million. Note that a single incident, such as one lost phone, can involve many violations.
Keeping Pace with Technology
Younger workers don't remember a time when they didn't have constant access to a smartphone, so it's no wonder the smartphone is the go-to device. The vulnerability of these devices to loss and theft, together with the HIPAA guidelines that govern protecting PHI at rest, in transit and on the device that creates it, requires health providers of all sizes to take definitive steps to safeguard data and devices. Remember, HIPAA also applies to your business associates: other providers, pharmacies, billing companies, labs, imaging centers, and any other people and entities you exchange PHI with. Any HIPAA solution must address the needs not only of you and your staff, but also of your business associates.
The Joint Commission allows secure texting, as outlined in an order issued last year, provided that the secure text messaging platform used includes the following:
• Secure sign-on process
• Delivery and read receipts
• Date and time stamp
• Customized message retention time frames
• Specified contact list for individuals authorized to receive and record orders
But are physicians clear on whether texting other providers about a patient from a personal device is secure and HIPAA-compliant?
Secure messaging environments are not being created at the pace physicians want, according to the Spyglass Consulting Group survey. Only three in 10 physicians believe hospital IT is investing enough to address caregivers' point-of-care mobile communication needs. Reasons cited include poor mobile EHR tools, a lack of planned investment and insufficient support for mobile users.
Consider Cloud-based Collaboration
The value of collaboration across the care team has never been higher, so health systems, imaging centers, and physician practices of all sizes need a solution that works for everyone in the care continuum. It must benefit patients, and it cannot run afoul of HIPAA regulations, compliance with which is coming under increased scrutiny.
The problem is that cell phones and cellular networks can be compromised at nearly every point in the path a message takes: the handset itself, the message in transit, and the network it crosses. So many providers are exploring closed systems such as virtual private networks (VPNs), secure Wi-Fi or cloud-based solutions. For all but the largest providers, VPNs can be difficult to set up and tricky to operate, and a single misconfiguration could leave the network exposed to outside threats. VPNs and secure Wi-Fi also require IT staff or practice managers to provision and authenticate every new user, including business associates outside the organization, which makes secure messaging cumbersome and creates more work.
A better solution may be the cloud where data is maintained and transmitted securely.
A handful of forward-thinking secure messaging providers are making it easier for care teams to collaborate in a secure environment and experience the benefits of connected healthcare.
Family physician Tracey Haas of DocbookMD offers a mobile app for both Apple and Android smartphones and tablets that allows physicians to send HIPAA-compliant messages bundled with photos of X-rays, EKGs, wounds and more, just as if they were sending a text. Another cloud provider, HIPAAOFFICE, offers an end-to-end suite of office apps that lets providers connect, create groups, assign and track tasks, send and receive email and text, and share files and calendars within a HIPAA-compliant environment. Companies like IBM are leading the way with enterprise unified endpoint management (UEM) solutions.
Care collaboration is becoming easier and more secure thanks to technologies that let providers communicate and share data in a secure environment. The key for providers of all sizes is to make sure their care teams use technology that safeguards PHI at every point, which in turn helps physicians avoid HIPAA violations.
Terry Douglas has worked directly with over 3,000 medical practices on technology efficiencies and has led product and marketing efforts at leading healthcare software companies. Today, Terry is on the executive leadership team at PracticeSuite, and he writes about practical topics in practice management, electronic health records, and medical practice operations.