Think Beyond the Text: Understanding HIPAA and Its Revisions
By Terry Edwards
Every day, an increasing number of physicians and other health care providers exchange clinical information through a wide range of modes, including smart phones, pagers, CPOE, e-mails, texts and the messaging features in an EMR. It’s no surprise that hospital and health system leaders are increasingly focused on securing protected health information in electronic form (ePHI), a trend that has also caused some confusion across the industry.
As PHI data breaches increase in frequency, hospital executives must strategize ways to eliminate security threats and remain HIPAA compliant, especially since HIPAA violations can be extremely expensive, leaving these already-strapped organizations in an even more stressful financial situation.
In order to prioritize tangibles such as patient safety, physician satisfaction and overall efficiency across processes and hospitals, health care leadership must consider ways to tackle this confusion and maximize the benefits enabled by modern technology and electronic communications.
PHI can take a variety of paths in today’s complex healthcare environment and expose a health system to risk. But time and time again I see health systems looking to implement stop-gap measures and point solutions that address part—and not all—of the problem.
While texts are commonly sent between two individuals via their mobile phones, the communication “universe” into which a text enters is actually much bigger. It also includes creating ePHI and sending messages—in text and voice modalities—from mobile carrier web sites, paging applications, call centers, answering services and hospital switchboards.
For example, a 400+ bed hospital generates more than 50,000 communication transactions to physicians each and every month. Many of these communications contain ePHI. If they were transmitted through insecure networks and stored in unencrypted formats, they would represent a meaningful potential security risk to both the hospital and its medical staff.
In order to identify all potential areas of vulnerability, health care leaders need to consider all mechanisms by which ePHI is transmitted and the security of those mechanisms and processes. No mode of communication can be viewed in isolation. By failing to address all transmitted ePHI, organizations become vulnerable to security breaches with adverse legal and financial consequences, as well as loss of patient trust and reputation in the marketplace.
In addition, contrary to what many health leaders have been led to believe, HIPAA provisions do not call out any specific modes of communication. Text messaging is permissible under HIPAA. The law simply stipulates that a covered entity (CE) must perform a formal risk assessment; develop and implement an effective risk management strategy based upon sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to providers communicating PHI in any electronic form.
As a result, there is no such thing as a “HIPAA-compliant app.”
HIPAA provisions emphasize the risk management process rather than the technologies used to manage risk. For hospitals and health systems, the pathway to safeguarding electronic communication of PHI lies in the creation of an overall risk management strategy.
Ideally, leaders of the CE will form an information security committee to develop and execute the strategy, which includes representatives from IT, operations, the medical staff, and nursing, as well as legal counsel. Leaders should also consider including an external security firm in the group. Once the committee is formed, the organization should take these four essential steps for protecting the security of ePHI:
- Organize and execute a formal risk analysis. A formal risk analysis should break down types of technology used for electronic communication as well as the transmission routes for all ePHI. To ensure HIPAA compliance, ePHI transmitted across all channels must be “minimally necessary,” which means it includes only the PHI needed for that clinical communication. This layer of complexity, which is common in clinical communication processes, underscores the need for a comprehensive security assessment and strategy appropriate for the organization, coupled with the resources necessary to implement that strategy.
- Establish an appropriate risk management strategy. The committee should develop a risk management strategy that’s specific to the needs and vulnerabilities of the organization and is designed to manage the risk of an information breach to a reasonable level. HIPAA does not specifically define “reasonable,” but in general, the risk management strategy should include policies and procedures that ensure the security of message data during transmission, routing, and storage. The strategy should also include specific administrative, physical, and technical safeguards for ePHI.
- Roll out these policies and procedures and train staff. Implementing new policies and procedures is the biggest challenge for organizational leaders, especially as a substantial proportion of reported security breaches are due in part to insufficient training of staff. As a result, appropriate individuals should be assigned specific implementation tasks for which they are held accountable, while leaders and committee members must carefully monitor the success of implementation. All staff with access to PHI must be educated about the specific policies and procedures, which will help ensure they are upheld across the organization.
- Monitor risk on an ongoing basis. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk. Leaders should receive regular trend reports from the information security committee based on their ongoing assessment of ePHI security at the organization. Those reports should support the ongoing assessment of security needs as technology and health care delivery change, and act as a catalyst for changes that may need to be made to the policies and procedures over time.
In today’s increasingly complex healthcare environment, analyzing and implementing a broader security policy that covers all forms of electronic communication, rather than focusing on a single mode of communication in isolation, is critical to any health system’s ability to avoid and mitigate the adverse consequences of a breach. By clearing up the confusion around electronic communications now, hospitals and health systems will be better prepared to minimize risk and maximize best-practice communication processes in the future.
Terry Edwards is president and CEO of PerfectServe of Knoxville, TN.