Think Beyond the Text: Understanding HIPAA and Its Revisions
Guest post by Terry Edwards, CEO, PerfectServe.
Every day, physicians send and receive clinical information to and from patients, nurses, care managers, pharmacy technicians, specialty clinics and other physicians. These communications occur through a wide range of modes—including smart phones, pagers, CPOE, emails, texts and even messaging features within electronic medical records. Patient health information (PHI) is constantly exchanged through these messages, and to avoid a HIPAA violation, which can cost millions of dollars plus a hit to reputation, practices must make sure proper security features are in place.
Especially for physicians in smaller practices who are already strapped for time and resources, a HIPAA violation could leave their practice in a precarious situation. In fact, according to a recent study by the Ponemon Institute, the average cost of HIPAA breaches from 2010 through 2012 was $2.4 million per organization. To meet evolving guidelines around the quality of care, increase efficiency and potentially avoid financial penalties in the years to come, physicians must address communications security holistically.
The final HIPAA ruling requires that physicians look at their entire risk management process, and not just specific technologies, which is why “HIPAA-compliant” text messaging isn’t yet possible. While texts are commonly sent between two individuals via their mobile phones, the “communication universe” into which a text enters is actually much bigger. This universe also includes creating electronic PHI (ePHI) and sending messages—in text and voice modalities—from mobile carrier websites, paging applications, call centers, answering services and hospital switchboards.
The law stipulates that a covered entity – i.e. a physician, medical group practice, hospital or health system – must perform a formal risk assessment; develop and implement an effective risk management strategy based upon the findings in that risk assessment; implement the strategy using sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to physicians creating, transmitting and receiving PHI in any electronic form.
While there is no “one-size-fits-all” approach, medical practices can take the following steps to improve the security of their communications:
- Form an information security committee to develop and execute the risk management strategy. It should include representatives from IT, operations and the clinical staff, as well as legal counsel. Leaders should also consider including a third-party security firm or consultant.
- Organize and execute a formal risk analysis to identify where and how ePHI is created, transmitted, stored and received.
- Establish an appropriate risk management strategy that’s specific to the needs and vulnerabilities of its physicians. The risk management strategy should include policies and procedures that ensure the security of message data during transmission, routing and storage. To ensure HIPAA compliance, ePHI transmitted across all channels must be “minimally necessary”—which means it includes only the PHI needed for that communication.
- Roll out these policies and procedures and train staff on the new processes. Implementing new policies and procedures is the biggest challenge, especially as a substantial proportion of reported security breaches are due in part to insufficient training of staff. All staff with access to PHI must be educated about the specific policies and procedures, which will help ensure they are upheld across the organization.
- Monitor information security risk on an ongoing basis to ensure continued compliance with security standards. Your staff should receive regular trend reports from the information security committee, based on the committee’s ongoing assessment of ePHI security, and recognize changes that may need to be made to the policies and procedures over time.
In today’s increasingly complex healthcare environment, where physicians often receive more communications than any other care provider, analyzing and implementing a broader policy around security across all forms of electronic communications is a must to avoid and mitigate the adverse consequences of a breach. By clarifying the confusion around electronic communications now, physicians and physician groups will be better prepared to minimize risk and maximize best-practice communication processes in the future.