The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Doc Halo provides secure, HIPAA-compliant secure-texting and messaging solutions to the healthcare industry. He is a former chief information officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics and Meaningful Use. He has more than 20 years of information technology design, management and implementation experience. He has successfully implemented large systems and applications for companies such as Procter and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.
Reach Cliff at cmcclintick@dochalo.com.
One of the many responsibilities of a health care chief information officer is making sure that protected health information stays secure.
The task includes setting policies in areas such as access to the EMR, laptop hard drive encryption, virtual private networks, secure texting and emailing and, of course, mobile electronic devices.
Five years ago, mobile devices hadn’t caught many health care CIOs’ attention. Today, if smartphones and tablets aren’t top of mind, they should be. The Joint Commission, the Centers for Medicare and Medicaid Services and state agencies are scrutinizing how mobile fits into organizations’ security and compliance policies.
Be assured that nearly every clinician in your organization uses a smartphone, and in nearly every case the device contains PHI in the form of email or text messages. That’s not entirely a bad thing: The fact is, smartphones make clinicians more productive and lead to better patient care. Healthcare providers depend on texts to discuss admissions, emergencies, transfers, diagnoses and other patient information with colleagues and staff. But unless proper security steps are being taken, the technology poses serious risks to patient privacy.
For creating a policy on mobile electronic devices, CIOs can choose from three broad approaches:
- Forbid the use of smartphones in the organization for work purposes. This route includes forbidding email use on the devices. Many companies have tried this approach, but in the end, it’s not a realistic way to do business. You may forbid the use of the technology and even have members of your organization sign “contracts” to that effect. But even for the people who do comply out of fear, the organization sends the message that it’s OK to violate policy as long as no one finds out.
- Allow smartphones in the organization but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option, as the CIO is taking responsibility for the use of the devices and providing some direction. In most cases there will be guidelines regarding message life, password format, password timeout, remote erase for email and other specifics. And while the sending of PHI would not be allowed, protocol and etiquette would be in place for when the issue comes up. Ultimately, though, this approach can be hard to enforce, and the possibility remains that PHI will be sent to a vendor or out-of-IT-network affiliate.
- Create a …read more