Guest post by Terry Edwards, CEO, PerfectServe.
Every day, physicians send and receive clinical information to and from patients, nurses, care managers, pharmacy technicians, specialty clinics and other physicians. These communications occur through a wide range of modes—including smartphones, pagers, CPOE, emails, texts and even messaging features within electronic medical records. Patient health information (PHI) is constantly exchanged through these messages, and to avoid a HIPAA violation, which can cost millions of dollars plus a hit to reputation, practices must make sure proper security features are in place.
Especially for physicians in smaller practices who are already strapped for time and resources, a HIPAA violation could leave their practice in a precarious situation. In fact, according to a recent study by the Ponemon Institute, the average cost of HIPAA breaches from 2010 through 2012 was $2.4 million per organization. To meet evolving guidelines around the quality of care, increase efficiency and potentially avoid financial penalties in the years to come, physicians must address communications security holistically.
The final HIPAA ruling requires physicians to look at their entire risk management process, and not just specific technologies, which is why “HIPAA-compliant” text messaging isn’t yet possible. While texts are commonly sent between two individuals via their mobile phones, the “communication universe” into which a text enters is actually much bigger. This universe also includes creating electronic PHI (ePHI) and sending messages—in text and voice modalities—from mobile carrier websites, paging applications, call centers, answering services and hospital switchboards.
The law stipulates that a covered entity – i.e. a physician, medical group practice, hospital or health system – must perform a formal risk assessment; develop and implement an effective risk management strategy based upon the findings in that risk assessment; implement the strategy using sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to physicians creating, transmitting and receiving PHI in any electronic form.
While there is no “one-size-fits-all” approach, medical practices can take the following steps to improve the security of their communications: