Why Secure Communication Software is Critical for HIPAA Compliance

Transcription

1 Why Secure Communication Software is Critical for HIPAA Compliance

2 Executive Executive Executive Summary Summary Summary Smartphones and tablets are becoming standard equipment for healthcare professionals both in and out of hospital settings. These devices put a wide range of tools at their fingertips, including reference documents, patient management software and communication applications. While these smart devices are valuable, they also represent a fast-growing, highrisk aspect of health care that is not well regulated. Texting in particular is a popular practice but one which exposes electronic data to a variety of risks. While it is a fast and efficient way to communicate, standard texting applications do not provide sufficient safeguards to protect data. Unfortunately, this has not prevented physicians from using text messaging in the course of patient care. The College of Healthcare Information Management Executives conducted a survey in 2011 and found that 96.7% of the members surveyed allowed physicians to text orders to nurses and 57.6% of those groups used no encryption software. These statistics are alarming unencrypted communication regarding patients or patient care can violate HIPAA s rules on electronic protected health information, also known as ephi. This paper will examine the impact of text messaging in healthcare today and the different solutions available to ensure that ephi remains protected. 2

3 Quick The Role of Text Messaging in Modern Healthcare: Why Secure Communication Software is Critical for HIPAA Compliance Introduction Introduction and reliable messaging has been a staple of the health care industry since 1950, when pagers were first introduced into New York City hospitals. Being able to unobtrusively reach physicians has facilitated faster and better patient care. Although pagers are still used, their domination has faded as smart devices have gained prominence. Smart Devices: The 21st Century Stethoscope A study by Jackson & Coker conducted in October of 2011 found that over 80% of physicians used smartphones or tablets in their medical practices. Generally speaking, these devices are not owned or provided by hospitals and practices. They represent the new standard for healthcare technology: BYOD, or bring your own device. There are several reasons that BYOD makes sense; the investment cost for hospitals is lower and it allows physicians to streamline their personal and professional needs. Juggling multiple devices is difficult and hinders the efficiency that mobile devices make possible. The prevalence of smart devices in the workplace suggests that these have become crucial to healthcare as physicians are expected to digitize their practices more and more. 3

4 Several factors are driving the increased use of smartphones and tablets in healthcare. In the last few years there has been a proliferation of apps which allow physicians to practice more efficiently. Providers can use their smart devices to do both simple tasks, like consulting a drug reference guide, and more complicated ones, like tracking ICD-9 and CPT codes for patient billing. mhealth applications are exceedingly popular with young physicians who use smart devices in their everyday life. Finally, smartphones and tablets allow physicians to exchange information almost instantaneously. As coordinated care becomes the new focus of the healthcare industry, this ability is becoming increasingly important. Whether a provider needs a consultation, a second opinion, or the highlights of a patient s history, physicians need to talk to each other. Texting is fast becoming the preferred method for provider-to-provider conversations. Physician Texting: A Case Study According to a report from the Forrester Research, more than two trillion text messages were sent in This equates to six billion texts messages a day or an average of 35 messages per person. With the simplicity and efficiency of texting, it s little surprise. Physicians don t have to wait on return phone calls. Text replies can often be sent when a call cannot. Additionally, texting cuts down on overload and hospital noise pollution. Texting has already become a regular part of the workflow for many providers, nurses, and administrators. A study presented at the American Academy of Pediatrics National Conference in October of 2012 illustrates the impact text messaging already has on hospitals and physician behavior. This study, Texting Messaging as a Means of Communication among Pediatric Hospitalists, is the first major paper to examine the role of texting in a hospital setting. 106 pediatric hospitalists were surveyed to compile the report. The results clearly indicated the preference for texting. 96% of providers reporting regular use of text messaging, 57% reported sending or receiving work-related messages and 49% reported receiving work-related messages when they were neither at work nor on call. An important finding is that respondents preferred texting for brief communications over both pagers and face-to-face communication. It is important to note that 62% of the respondents had practiced for less than 10 years. As new physicians enter the workplace, texting will become more and more commonplace. 4

5 Perhaps the most concerning discovery pertained to data security. Only 10% of the respondents said their hospitals offered software which encrypted text messages. More than a quarter of the respondents reported receiving ephi, and 41% were worried their actions might violate HIPAA s privacy standards. Abstract author Stephanie Kuhlman, MD, noted that we ve had such a rapid increase in cell phone use I m not sure that hospitals have caught up by putting in place related processes and protocols. 1 Top 4 Benefits of Text Messaging in Health Care: Texting is fast The rate-limiting factor for texting is the amount of time it takes you to type a reply. While it may not be considered polite, a text represents a much smaller interruption in a conversation than a phone call and can be answered right away. Texting is quiet Loud hospital environments have measured detrimental effects on patient health, including sleep disruption and elevated blood pressure. Texting can help remove some of the worst noise offenders, such as overhead paging. Texting is device-neutral Text messages can be sent and received by almost every kind of phone, including older models. This is also helpful for BYOD environments because there is no risk of device incompatibility. Texting is visual Most modern texting applications allow users to send not only texts but pictures as well. This allows complex ideas and descriptions to be conveyed visually. Additionally, texts can be understood more easily than calls, especially when a lot of information is being conveyed

6 Without the development of protocols to ensure HIPAA compliance however, texting can pose a serious risk to both providers and practices. But it is often difficult to parse out exactly what the repercussions of insecure texting can be. ephi and HIPAA Compliance HIPAA, the Health Insurance Portability and Accountability Act, is a complicated piece of legislation. It addresses how protected health information (PHI) can be used and disseminated. The rules about PHI are defined in the Privacy Rule, a subset of HIPAA regulatory guidelines. It dictates that covered entities, including care providers, support staff, administrative employees, health plans and clearinghouses, are required to protect individually identifiable health information. This information can only be disclosed for treatment, payment, operations, or with patient consent. And even in these cases, disclosure must still comply with HIPAA s security standards. A section of the Privacy Rule known as the Security Rule specifically addresses ephi. The Security Rule is intended to ensure the confidentiality and integrity of ephi. This includes establishing safeguards against potential threats and impermissible disclosures as well as ensuring compliance among the entire workforce of the facility. The standards are intentionally general in nature to allow facilities of different sizes to adopt scalable solutions that fit their staff and budgets. There is no ideal software to achieve HIPAA compliance. Rather, practices and hospitals must evaluate their individual and group needs to determine the technology or programs to adopt. Security Rule Overview: The Security Rule mandates the implementation of three tiers of data safeguards: Administrative safeguards This category includes administrative action and policy developed to protect ephi and manage the conduct of covered entities. Physical safeguards This encompasses protecting electronic systems from natural and environmental threats and hazards, as well as taking measures to protect against lost devices. Technical safeguards This includes using technology and developing accompanying policy to protect ephi and control access to secure data. 6

7 Why Regular Texting Is Not HIPAA Compliant Standard texting applications open up providers and ephi to a variety of risks. Regular text messages store copies not just on the provider and recipient phones, but also on the servers of the provider s mobile carrier and any other carriers that helped transmit the messages. Even without any active attempts to steal data, leaving copies of potentially sensitive information on multiple servers can be a clear violation of the non-distribution component of HIPAA s Privacy Rule. Standard texting applications open up providers and ephi to risks. Regular text messages store copies not just on the provider and recipient phones but also on the servers of the provider mobile carrier and any other carrier that transmits the data. Even without any active attempts to steal data, leaving copies of potentially sensitive information on multiple servers can be a clear violation of the nondistribution component of HIPAA s Privacy Rule. This threat becomes more concerning when the exposure created by unsecured networks is considered. Standard text messaging applications can open data to interception while in transmission. This is why encryption is the most crucial component of a secure text messaging application. While there is currently limited interest in this data from unlawful parties, the sensitivity of ephi means that this may become a target for cyber criminals in the next few years. The third vulnerable point for standard texting applications is the smart device itself. While no one tries to lose their phone or tablet, it still happens. With the proliferation of messages across devices, even if it isn t your phone that is lost, there is a chance that the information can be obtained. The majority of the HIPAA violations that have occurred in the past five years were the direct result of a device being misplaced or stolen from a provider. However, accidental loss and theft do not negate the penalties of a HIPAA violation, which can be quite severe. The Cost of HIPAA Violations The costs associated with HIPAA violations are potentially quite high. Simply using a unique identifier can be considered a violation of HIPAA protocols if there is no system in place to safeguard this data. Violations are broken into different tiers, and some of the penalties are steep. This chart from the AMA breaks down the potential costs to providers and others who violate HIPAA s standards. 7

8 HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA HIPAA violation due to reasonable cause and not due to willful neglect HIPAA violation due to willful neglect but violation is corrected within the required time period $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1,500,000 $50,000 per violation, with an annual maximum of $1,500,000 $50,000 per violation, with an annual maximum of $1,500,000 HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1,500,000 $50,000 per violation, with an annual maximum of $1,500,000 Chart courtesy of the AMA 8

9 However, this is not the only point of concern for patient data privacy breaches; some states apply additional fines on top of those mandated by HIPAA. These fines are defined state-to-state and can run as high as those imposed by HIPAA itself. Maintaining HIPAA compliance is essential to protecting both providers and practices. 9

10 Ensuring Ensuring Ensuring HIPAA HIPAA Compliance Compliance HIPAA in Your Compliance in Your Practice Practice in Your Practice Texting exposes practices and providers to risk, but because of its efficiency and familiarity it has become a standard tool for communication in healthcare. The prevalence of BYOD practices mean that eliminating texting could be a difficult prospect for hospital and practice administrators. Since device regulation is a difficult prospect at this point, practices need to consider alternative methods of ensuring HIPAA compliance among their providers and staff. The next best thing is for healthcare facilities to influence the choice of apps among their providers. Today, apps are the equivalent of software for desktops or laptops. Coordinating software helps ensure that physicians systems are able to securely communicate with each other. But helping providers select the right software is not enough. Hospitals and practices need to make a concerted effort to define and establish protocols to ensure the security of patient data. This is essential for HIPAA compliance, but more importantly to demonstrate a commitment to patient privacy. 10

11 How to How to How to Develop Develop Develop a PHI a PHI a PHI Protection Protection Protection Policy Policy Policy Here are five key steps to developing a truly HIPAAcompliant communication network between providers that will allow physicians to take advantage of the benefits of smart devices while avoiding unnecessary risk. Appoint a privacy officer to develop policy. HIPAA has recommended that practices and hospitals hire a privacy officer since the inception of the Privacy Rule in the early 2000s. But many practices choose to either ignore this entirely or to fold this title into another position. Having a dedicated staff member to ensure provider and support staff compliance could help prevent costly HIPAA fines for violations and help ensure that PHI, both electronic and physical, is kept safe and secure. Do not text patient care orders. The Joint Commission (JCAHO) dictated in 2012 that physicians were not allowed to text orders because there was no verification system and no way to track those orders once they had been sent. Even with the proper safeguards, texting patient orders is not an acceptable practice; care orders are required to be recorded as part of a patient chart. Using text messaging to communicate orders means that this crucial transmission could be forgotten. The concern is there is no way to verify the sender of a text. While it is highly unlikely that a device 11 source:

12 could be stolen and a care order fabricated, this is enough of a concern that the practice of texting patient orders, even securely, is not acceptable. Password-protect all smart devices. All smartphones and tablets on the market today feature simple password locks. However, a Sophos study found that 70% of smartphone users do not password protect their mobile devices. This is a simple but powerful security measure and an important one if any sort of sensitive data exists on the device. Use a secure text messaging application. The Doctor s Insurance Agency recommends that text messages among colleagues should be encrypted and exchanged in a closed, secure network. 2 Recently, several applications have arrived on the market which can help practices ensure data security through encryption Use a remote wipe application. While creating a smart device that is immune to electronic assaults is crucial, this still won t protect patient data against theft or human error. It is critical to have a contingency plan. Installing remote wipe programs on smartphones is fairly simple and quick process. Most smart devices have specific programs intended to provide remote-wiping capabilities. You can learn more here: smartphone-remote-wipe.htm 2. Tips for Maintaining Mobile Security Watch who is watching you. Keep an eye out for snooping eyes whenever you use your phone in a public place. Double check recipients before sending information. This is one of the big concerns with standard text messaging applications. You don t want to accidentally send a family member a picture of a patient s rash. Don t use shorthand or abbreviations when texting. Text-speak is pervasive, but it is a bad habit to fall into. Using imprecise language when texting can lead to misunderstandings; these can lead to bad patient care and even lawsuits. 12

13 Conclusion Conclusion Texting has become a part of the healthcare system. There is no denying the utility or efficiency made possible by this medium, particularly in the hectic hospital environment. A study conducted by the Robert Wood Johnson Foundation found that nurses spend up to 60 minutes tracking down physicians during the workday to get simple answers to quick questions. Texting can help eliminate this and similar wasteful practices caused by communication barriers. As the next generation of physicians enters the workforce, texting will become even more integral to the way they communicate with coworkers and support staff. It is crucial to develop a standardized set of practices early on to prevent HIPAA violations. Fines and monetary costs associated with these violations are concerning, but the biggest threat is to patient security. Improperly managed data can damage patient confidence in a medical practice or hospital. Both hospitals and practices need to evaluate the measures they have in place to ensure that ephi is properly protected and managed. The two most important steps to developing a HIPAA-compliant security program are to hire a dedicated privacy officer and to mandate the use of secure software for their physicians. 13

14 About About Medimobile Medimobile About Medimobile MediMobile is the leading technology provider of mobile health applications for healthcare providers. We offer a suite of health applications which focus on point-of-care billing solutions and patient management systems in order reduce costs, streamline processes, and offer providers more time for patient care. MediMobile s medical charge capture helps physicians and care providers maximize their revenue and minimize wasteful paperwork. Our newest application, SafeTextMD, is a free, secure messaging platform. It allows not only healthcare providers but administrators, nurses, and billers to communicate quickly and efficiently with each other while maintaining HIPAA compliance. SafeTextMD can be easily implemented by all members of a hospital or medical practice which means that your staff can start texting securely in as little as one day. To learn more visit If you re interested in an enterprise secure messaging solution request a free demo. 14