Abstract:
Caring for patients across an enterprise involves many different individuals, all of whom need access to at least part of a patient's information. Federal regulations that govern the protection of patient data privacy limit to whom, and what, information can be communicated. The essential rule, HIPAA, is enforced by the Department of Health and Human Services (HHS). Among other provisions, it mandates that healthcare organizations safeguard the privacy and security of patient health information, and the key to doing so is understanding where protected health information (PHI) resides. The Privacy Rule applies to PHI in any form; the Security Rule applies to the electronic subset, electronic protected health information (EPHI), which covers patient information transmitted over a network or stored on a computer. There are severe penalties, including massive financial fines, for violating these rules, so these privacy considerations must take precedence over habitual communication practices. The rules do not require specific technology solutions, but they are clear that reasonable and appropriate security measures must be implemented. One widely adopted solution in physician practices and hospitals is the electronic health record (EHR), or electronic medical record (EMR). This article presents some of the challenges and solutions specific to communicating safely with and between healthcare providers, patients, and staff.
Sharing Patient Data
Patient care often requires effective coordination and communication among many individuals: patients, primary doctor, specialists, nurses, clerks, aides, interns, therapists, pharmacists, and so on.(1) When care is provided in multiple settings, complicating factors that have nothing to do with the actual medical care provided can interfere with the quality of that care.
Years ago, the main difficulty with sharing patient data was that all patients' medical records were paper based and, in some cases, handwritten. Forty years ago, the majority of technological growth in healthcare went into administrative computer programs, that is, medical billing and accounts receivable management. About a decade ago, the emphasis shifted to the clinical processes.(2)
One might think that, with so many healthcare providers having installed some kind of electronic record system, sharing patient data would be easier, and that these EHRs or EMRs would be the medium enabling communication between different healthcare organizations.(3) Not so.
Unfortunately, the data are stored in disparate systems, each with its own code structure, and patient data cannot freely pass between them. Where interconnectivity does exist, it most often comes about when health systems pay very large upfront connection charges, typically large hospital systems rather than physician practices or small rural hospitals.(4) This is also why, even today, each time a patient enters a healthcare facility he or she is asked to fill out patient information forms, answering the same questions over and over again.
Yet another barrier was created by the U.S. government through regulations passed to protect patient data privacy by limiting to whom, and what, information can be shared. HIPAA was enacted 20 years ago, in August 1996. Its privacy and security provisions are enforced by HHS, through its Office for Civil Rights, and are implemented by regulations in 45 CFR Parts 160 and 164. Among those provisions are rules directing that healthcare organizations safeguard the privacy and security of patient health information.(5)
What Information is Protected
The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or medium, whether electronic, paper, or oral; the regulation calls this information protected health information (PHI). The Security Rule applies to the electronic subset of PHI, referred to as electronic protected health information (EPHI). There are severe penalties, including massive financial fines, for violating these rules, so avoiding those penalties(6) must take precedence over habitual communication practices.
The regulations do not require specific technology solutions, although they are clear that reasonable and appropriate security procedures must be implemented.(7) For example, the technical safeguards in Section 164.312 require each organization, regardless of size, to implement technical policies and procedures that allow access to EPHI only to authorized persons, protect EPHI from improper alteration or destruction (with audit controls that record who accessed what), and guard health information transmitted over an electronic communications network.(7) Section 164.308 also requires each organization to identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes.(7)
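The three technical safeguards named above (access control, audit controls, and integrity protection) are easier to reason about with a concrete model. The following is an added illustration written for this page; it is not code from the article, from any regulation, or from any EHR product. The role model, record sections, and integrity key are constructed for the example, and a real deployment would draw the key from a key-management system and persist the log outside the application's own process.

```python
"""Added example: an EPHI store in which every read or write is authorized
against a role model and logged (including denials), and records carry an
HMAC so out-of-band alteration is detected before the data is used."""
import hashlib
import hmac
import json
import time

# Constructed role model: which record sections a role may read or change.
ROLE_PERMISSIONS = {
    "physician": {"read": {"demographics", "clinical"}, "write": {"clinical"}},
    "nurse": {"read": {"demographics", "clinical"}, "write": {"clinical"}},
    "billing_clerk": {"read": {"demographics"}, "write": set()},
}

# Constructed key for the example only; a real system takes this from a KMS/HSM.
INTEGRITY_KEY = b"example-only-integrity-key"


def _canonical(obj):
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    """Attach an HMAC over the record so later alteration is detectable."""
    mac = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}


def verify(sealed):
    """True if the record still matches the MAC computed when it was sealed."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


class AuditLog:
    """Append-only log in which each entry commits to the hash of the previous
    entry, so an edited or deleted entry breaks the chain on verification."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, patient_id, section, allowed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": time.time(), "user": user, "role": role, "action": action,
                 "patient": patient_id, "section": section, "allowed": allowed, "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)

    def is_intact(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class EphiStore:
    """Access decisions are made per section of the record, every decision is
    logged whether allowed or denied, and the record is integrity-checked
    before any content is returned or modified."""

    def __init__(self, audit):
        self.audit = audit
        self.records = {}

    def put(self, patient_id, record):
        self.records[patient_id] = seal(record)

    def _authorize(self, user, role, action, patient_id, section):
        allowed = section in ROLE_PERMISSIONS.get(role, {}).get(action, set())
        self.audit.append(user, role, action, patient_id, section, allowed)
        if not allowed:
            raise PermissionError(f"{role} may not {action} {section}")
        sealed = self.records[patient_id]
        if not verify(sealed):
            raise ValueError(f"integrity check failed for patient {patient_id}")
        return sealed

    def read(self, user, role, patient_id, section):
        return self._authorize(user, role, "read", patient_id, section)["record"][section]

    def update(self, user, role, patient_id, section, value):
        sealed = self._authorize(user, role, "write", patient_id, section)
        record = dict(sealed["record"])
        record[section] = value
        self.records[patient_id] = seal(record)
```

The denied attempt is logged just as an allowed one is, which is what makes the log useful for the incident identification that Section 164.308 asks for; the hash chain lets an investigator confirm that the log itself has not been edited since the entries were written.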
HIPAA Rules Need Not Be an Obstacle to Efficient Communication
Like everywhere else in society, wireless-enabled devices are increasingly used in day-to-day healthcare operations. With continued changes in operational practice and advances in technology, PHI is more commonly communicated and accessed on mobile devices such as smartphones, cell phones, and tablets.(7) Healthcare organizations (e.g., physician offices, hospitals) therefore must provide access for Wi-Fi-enabled devices in a way that satisfies HIPAA's audit-control requirements, especially with regard to guarding EPHI.(7) It is essential that managed access points use strong authentication and encryption: per-user authentication (802.1X, WPA2-Enterprise) rather than an open network or a single shared passphrase, and a current cipher (AES-CCMP) rather than TKIP or WEP.
Healthcare organizations routinely purchase services and software to help them achieve these security measures. One example is Maine Medical Center (MMC), a 10-building, two-million-square-foot healthcare system in Portland, Maine, which was an early adopter of Wi-Fi technology in healthcare information systems. MMC was very security conscious, performing an in-depth analysis of the security offered by a variety of wireless security solutions.(7)
Wi-Fi can help improve the quality of healthcare by providing easier access to information and greater mobility for healthcare staff. It must be recognized, however, that Wi-Fi brings new and changing security threats and potential compliance breaches.(7)
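"Strong authentication and encryption on managed access points" is a checkable property of the access-point configuration. The following is an added example, not code from the article or from the cited Mojo Networks post: it parses a hostapd-style access-point configuration and flags settings that fall short (open network, WEP, a shared passphrase, TKIP, WPA1, optional management-frame protection). Both configurations embedded in it are constructed for the example; the RADIUS address and shared secret are placeholders.

```python
"""Added example: audit a hostapd access-point configuration for weak
authentication or encryption settings. The two configs are constructed."""

# Constructed: what a clinic guest-style network often looks like when staff
# devices that carry EPHI are allowed onto it.
WEAK_AP_CONFIG = """
interface=wlan0
ssid=Clinic-WiFi
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=clinic123
wpa_pairwise=TKIP
"""

# Constructed: WPA2-Enterprise with per-user 802.1X authentication against a
# RADIUS server (placeholder address and secret), AES-CCMP only, and
# management frame protection required.
HARDENED_AP_CONFIG = """
interface=wlan0
ssid=Clinic-Staff
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
ieee80211w=2
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
"""

EAP_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}


def parse_hostapd(text):
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return a list of findings; an empty list means no weak setting was seen."""
    conf = parse_hostapd(text)
    findings = []

    wpa = conf.get("wpa", "0")  # hostapd: 0 = none, 1 = WPA, 2 = WPA2/RSN, 3 = both
    if wpa == "0":
        findings.append("open network: WPA/WPA2 not enabled (wpa=0 or unset)")
    elif wpa in ("1", "3"):
        findings.append(f"WPA1 allowed (wpa={wpa}); require WPA2 only (wpa=2)")

    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured; WEP is broken and must not be used")

    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in mgmt or "wpa_passphrase" in conf or "wpa_psk" in conf:
        findings.append("shared passphrase (WPA-PSK): one secret for every device, "
                        "no per-user authentication or revocation")
    if not (mgmt & EAP_MGMT) and conf.get("ieee8021x") != "1":
        findings.append("no 802.1X/EAP (WPA-Enterprise) authentication configured")

    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher enabled; allow only CCMP (AES)")
    if not ciphers:
        findings.append("no pairwise cipher pinned; set rsn_pairwise=CCMP explicitly")

    if conf.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (ieee80211w != 2)")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(name, audit_hostapd(cfg) or ["no findings"])
```

Requiring management frame protection (ieee80211w=2) can lock out very old clients, so a site may choose to report it as a warning rather than a failure; the other findings are ones no network carrying EPHI should accept.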
Text Messaging With Patients
Texting is very common today, with all ages and demographics using it to communicate.(8) However, just as individuals should never send their Social Security number over public Wi-Fi, the same is true of PHI. It must be recognized at all levels of healthcare organizations that SMS (short message service, the technical term behind text messaging) is not secure by itself and does not, on its own, satisfy HIPAA's safeguards.(8)
Furthermore, text messages on a regular cell phone or smartphone stay on that device indefinitely, where the data can be unprotected and available to unauthorized third parties through theft, loss, or recycling of the device. Text messages can often be read without authentication, so anyone with physical access to the device may have access to all of its text messages without entering a password.(9)
A provider must be certain to whom the medical information is being sent, and with a text that is not always possible: a mistyped number or a shared handset means the message can be read by an unintended recipient. Security is further limited because SMS is not end-to-end encrypted; the carriers and any intermediate systems handle the content in the clear and may retain copies.(10) Then there is the possibility that some providers who text do not understand that the information they send and receive should be included in the patient's medical record.(9)
However, text messaging can be done in a manner consistent with HIPAA under certain circumstances, particularly with secure texting, usually purchased from a private vendor.(10) In secure texting, the message content is held on a secure server that stores the PHI and is delivered to the recipient's app over an encrypted connection, so the carrier network that transports the notification never holds a copy of the content.(10) Messages can be accessed at any time from any location with an internet connection. In some cases, messages can be set to expire automatically or be recalled by the sender, which limits how long PHI persists on a device.
Creating Texting Policies
It might be best to prohibit the use of text messaging until or unless safeguards are implemented to reduce the liability exposure. If texting is going to be used, then there should be rules in place for everyone to follow. Some of the most common rules include the following(11):
Only certain types of non-urgent information are sent via text;
There should be verification of who received the text;
Devices used are password protected and encrypted;
Text messages related to patient healthcare are entered into the patient’s medical record; and
The devices used are purged of all texts prior to being discarded or exchanged.
Some might believe the use of text messaging in healthcare is desirable because it is mobile, fast, and direct, and increases dialogue between physicians and patients.(11) Others might think that it could streamline the callback paradigm that sometimes stalls the efficiency of healthcare delivery. In those cases, caution should prevail.
Text messaging could be a very useful tool, and some patients may increasingly expect it to be used because they use it every day. That does not make it safer to discuss PHI. Different organizations may arrive at different conclusions regarding the threat posed by texting of PHI. Each must consider what combination of controls could reduce the various risks, and what action to take to address those issues.(9)
Web-based Messaging
Secure messaging may be a more useful option for communication between patients and physicians than texting. Unlike a standard text, a secure message is encrypted and carried over a protected connection, and the messages are typically stored on the vendor's servers (in the cloud), not on individual mobile devices. Messages can be printed or exported to an EMR/EHR and retained for medical record management.(8) Patients and providers log in to the web-based messaging system; once authenticated, a user may send messages to specific recipients. When a user has a message waiting in the secure inbox, the system sends an email saying only that a message is available and inviting the user to log in; the notification itself carries no PHI. This approach better assures that no PHI travels over regular email or SMS, which, as discussed earlier, can be intercepted or read from a lost device, resulting in a breach of PHI.(12)
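The flow just described, and the server-side expiry and recall behaviour from the secure-texting section above, come down to a few server-side rules: the content never leaves the server except to an authenticated session belonging to the intended recipient, the out-of-band notification says nothing about the content, and expiry or recall is enforced where the content lives rather than on the handset. The following is an added example written for this page, not code from the article or from any messaging vendor; the users, passwords, messages and the in-memory storage are constructed, and a real system would store the messages encrypted at rest and hand the notification to a mail system instead of appending it to a list.

```python
"""Added example: a minimal web-style secure messaging service in which PHI
stays on the server, notifications carry no PHI, reads require an
authenticated session of the recipient (or sender), and expiry/recall are
enforced server-side. All users and messages are constructed."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000


class SecureMessaging:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be tested
        self.users = {}              # username -> (salt, pbkdf2 digest)
        self.sessions = {}           # session token -> username
        self.messages = {}           # message id -> message record
        self.notifications = []      # (recipient, text) that would go out by plain e-mail
        self.access_log = []         # (user, message id, outcome)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, digest)

    def login(self, username, password):
        """Return a session token, or None. The password hash is computed even
        for unknown usernames so timing does not reveal which accounts exist."""
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if username not in self.users or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _require(self, token):
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("not authenticated")
        return user

    def send(self, token, recipient, body, ttl_seconds=None):
        sender = self._require(token)
        if recipient not in self.users:
            raise KeyError("unknown recipient")
        mid = secrets.token_hex(8)
        self.messages[mid] = {
            "from": sender, "to": recipient, "body": body,
            "expires": None if ttl_seconds is None else self.clock() + ttl_seconds,
            "recalled": False,
        }
        # The e-mail/SMS notification is the only thing that leaves the system
        # over an unprotected channel, so it must not contain message content.
        self.notifications.append((recipient, "You have a new secure message. Log in to read it."))
        return mid

    def read(self, token, mid):
        user = self._require(token)
        msg = self.messages.get(mid)
        # Same error for "no such message" and "not yours" so ids cannot be probed.
        if msg is None or user not in (msg["from"], msg["to"]):
            self.access_log.append((user, mid, "denied"))
            raise PermissionError("no such message")
        if msg["recalled"] or (msg["expires"] is not None and self.clock() > msg["expires"]):
            self.access_log.append((user, mid, "unavailable"))
            raise LookupError("message expired or recalled")
        self.access_log.append((user, mid, "read"))
        return msg["body"]

    def recall(self, token, mid):
        """Only the sender may recall; the content becomes unreadable server-side."""
        user = self._require(token)
        msg = self.messages.get(mid)
        if msg is None or msg["from"] != user:
            raise PermissionError("no such message")
        msg["recalled"] = True
```

Because recall and expiry are decided when a read is attempted rather than by a timer on the device, they work even for a handset that has been lost, which is the failure mode the texting section warned about; the access log records the denied and expired attempts alongside the successful reads.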
Conclusion
Some believe the increase in health IT has made it possible for physicians to provide better care through secure use and sharing of PHI and that this effort improved the quality of care and reduced the overall cost. Not true. Nothing that these rules stipulated improved the quality of healthcare provided. The federal government added layer upon layer of regulations, which meant that healthcare organizations of all sizes had to increase their administrative costs without improving the care provided to any patient, in any facility, anywhere in this nation.
It is true that technological innovation continues to grow in healthcare,(13) and that it increasingly plays a role in many processes, from patient registration to data monitoring, from lab tests to self-care tools. However, the fact is that none of this replaces the care provided to a patient by a physician, even though it may help to enhance the experience for the patient in some small way.
References
1. Coiera E. Communication systems in healthcare. Clin Biochem Rev. 2006;27(2):89–98. www.ncbi.nlm.nih.gov/pmc/articles/PMC1579411. Accessed August 15, 2016.
2. Cassano C. The right balance: technology and patient care. HIMSS. October 1, 2014. www.himss.org/right-balance-technology-and-patient-care. Accessed August 15, 2016.
3. Gunter TD, Terry N. Electronic health record. https://en.wikipedia.org/wiki/Electronic_health_record. Accessed August 12, 2016.
4. Creswell J. Doctors find barriers to sharing digital medical records. The New York Times. September 30, 2014. www.nytimes.com/2014/10/01/business/digital-medical-records-become-common-but-sharing-remains-challenging.html?_r=2. Accessed August 15, 2016.
5. Summary of the HIPAA Privacy Rule. HHS.gov. www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/. Accessed August 15, 2016.
6. Chapple M. Three steps to avoiding massive HIPAA violation fines. TechTarget. http://searchsecurity.techtarget.com/tip/Three-steps-to-avoiding-massive-HIPAA-violation-fines. Accessed August 15, 2016.
7. Chaskar H. Healthcare, Wi-Fi and HIPAA: a tricky combination. Mojo Blog. February 12, 2014. http://blog.mojonetworks.com/wireless-security-and-hipaa-compliance-in-healthcare/. Accessed August 16, 2016.
8. Toth C. Five ways to ensure secure text messaging in your medical practice. Physicians Practice. August 27, 2014. www.physicianspractice.com/mobile/five-ways-ensure-secure-text-messaging-your-medical-practice. Accessed August 16, 2016.
9. Cepelewicz BB. Text messaging with patients: steps physicians must take to avoid liability. Medical Economics. May 23, 2014. http://medicaleconomics.modernmedicine.com/medical-economics/content/tags/hipaa/text-messaging-patients-steps-physicians-must-take-avoid-liabil?page=full. Accessed August 16, 2016.
10. Is text messaging HIPAA compliant? TigerText. www.tigertext.com/about/faqs/is-text-messaging-hipaa-compliant/. Accessed August 16, 2016.
11. Lakhani A. "HIPAA-compliant" texting of PHI: the good, the bad, the ugly. TechHealth Perspectives. October 14, 2013. www.techhealthperspectives.com/2013/10/14/hipaa-compliant-texting-of-phi/. Accessed August 16, 2016.
12. Sands D. Communications technology critical to healthcare improvement. WTN News. February 5, 2008. http://wtnnews.com/articles/4522/. Accessed August 17, 2016.
13. Jayanthi A. 10 biggest technological advancements for healthcare in the last decade. Becker's Health IT & CIO Review. January 28, 2014. www.beckershospitalreview.com/healthcare-information-technology/10-biggest-technological-advancements-for-healthcare-in-the-last-decade.html. Accessed August 16, 2016.