Critical Aspects to Achieving Meaningful Use: Patient Admission and Discharge

Chris Strammiello

Chris Strammiello, vice president of marketing and product strategy, Nuance.

Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).

Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.

Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

With the FY 2015 deadline for meaningful use rapidly approaching, hospitals must demonstrate “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.

Acting under provisions of HITECH, the Department of Health and Human Services Office of Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss protection (DLP) technology and procedures, and establish security incident reporting.

Security vulnerabilities and potential compliance issues impacting patient admissions and discharge processes are usually found with analog fax machines that lack activity logging; in every digital MFD that copies, prints, scans and faxes documents, stores images on an internal drive and retains email addresses, network and user IDs and even passwords in memory; and in every mobile device from which information can be accessed, shared or printed.

Securing patient healthcare information

Admission is all about PHI. And at many hospitals, it’s still all about paper. Admission orders, patient information and consent forms, insurance ID cards and authorization forms, medical histories, referrals, initial prescriptions and even driver’s licenses are routinely copied, scanned, printed, faxed or emailed as part of admitting the patient into the hospital and getting their information into the EHR system. Upon discharge, the patient typically receives a package of printouts, including a summary of their hospitalization, diagnoses or results, discharge orders and instructions, referrals for follow-up care and additional prescriptions. In the absence of user authentication, audit trails or other security controls, each document and action presents a risk of exposure and a point of vulnerability where PHI can be accidentally misdirected or intentionally compromised.

For example, printing of admissions- or discharge-related forms and documents to shared MFDs risks exposure of patient information in papers left sitting in the output tray or picked up by the wrong person. Unsecured MFDs could be used to make and transmit unauthorized copies or scans. Documents stored in the MFD’s hard drive could be improperly printed out or copied onto a USB stick.

Faxes are another source of HIPAA violations, and numerous unfortunate incidents have been reported. For instance, it has been reported that a South Carolina hospital faxed information on four patients, including birth dates, admission dates and insurance ID numbers, to a wrong number. Another hospital in California, intending to communicate with a doctor’s office, instead sent six faxes containing patient records to an auto shop. Many reported incidents involve patient information faxed to the wrong place, exposing the patient’s name, date of birth, developmental and psychological treatment history, family history, diagnostic results and prescribed treatment. While paper can be particularly difficult to track and control, some of these same vulnerabilities exist in electronic admissions and discharge processes. And to be sure, electronic processes do not completely eliminate paper.

Electronic admissions might involve scanning a new patient’s admission form or referral into the EHR or populating a form with a previous patient’s stored information. The hospital’s method of sharing that information internally might include emailing it or even faxing it to other departments, such as the pharmacy. Patient billing upon discharge generates a lot of paper, all of it containing information that must be protected, even though it also needs to be shared.

Securing Patient Information on Mobile Devices

Mobile devices present a whole other set of risks to EHR. Theft or loss of mobile devices, laptops and portable media is, in fact, the biggest source of reported HIPAA data breaches. For example, a portable computer lost in Connecticut contained protected health information on 1.5 million individuals, over a third of the state’s residents. And the theft of two laptops in California compromised the protected information of 729,000 patients treated at six hospitals.

In admissions, the risk of mobile devices comes not only from theft or loss but from their insecure use. Perhaps a hospital’s mobile strategy has not fully accounted for security. Or employees might be using mobile devices inappropriately in their own EHR work-around. Imagine an admissions clerk who prefers not to walk to the scanner and instead photographs a patient’s insurance card or driver’s license on a mobile phone, emails those images to her hospital address, then imports them into the patient’s EHR — with no record of how the information got there and no guaranteed deletion of the images from the employee’s device.

The simple fact is, whether a hospital’s admissions process is largely paper based or built around getting information off of paper and into an EHR, the only way documents containing PHI can be scanned, copied, printed, emailed or faxed within HIPAA compliance is under a system incorporating technological security and authentication. And hospitals have very few months remaining to achieve this capability.

In helping hospitals protect patient health information as part of achieving HIPAA-compliant patient admissions and discharge, we recommend adding a layer of automated security and control to processes that involve paper. There is software to minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

To reduce vulnerabilities in capturing and sharing PHI, it is critical to provide admissions and discharge processes that ensure:

Admission is the gateway to hospitals’ meaningful use of EHR and the front line in efforts to secure patient PHI. Security of PHI must continue through and beyond patient discharge.
