When Congress enacted the Final Omnibus Rule in 2013, many healthcare organizations, doctors and administrators became concerned about how they and their entities would maintain HIPAA compliance. As these individuals soon found out, HIPAA compliance was difficult to implement and maintain. The biggest challenges administrators faced were understanding what HIPAA compliance meant and realizing what they needed to change in their day-to-day workflow in general and in their communications in particular.
The goal of this blog is to bring some clarity to the issues that have arisen around HIPAA compliance for healthcare institutions as well as to highlight how the adoption of secure messaging solutions can improve compliance.
One of the major goals of the HIPAA legislation was to improve patient privacy and the security of patient information. To that end, HIPAA compliant messaging platforms were created to help maintain these ideals. Indeed, HIPAA compliant messaging means that messages containing patient information, care instructions or any other relevant patient information must be both secure and encrypted.
When hospitals and clinics introduce HIPAA compliant messaging into their organization, they must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. To that end, organizations must take steps to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information which is created, received, maintained or transmitted.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of this information.
- Protect against any reasonably anticipated uses or disclosures of patient information.
- Ensure compliance by users of the information.
While not an easy agenda to meet, compliance with these mandates is made all the more difficult because healthcare is a largely pager-obsessed culture. That makes turning clinics and hospitals into HIPAA-compliant communities difficult.
Problem with Pagers
Risk Broadcasting Sensitive Information
The basic reason why pagers are ineffective for healthcare is that they run the risk of broadcasting sensitive patient information. In a specific case in North Carolina, a nursing home facility used pagers to transmit a patient’s lab results. Although only authorized officials saw the message, the nursing home was slapped with an “e-level deficiency”, meaning there was no actual harm but potential for more than minimal harm.
At issue was that pagers have no way to ensure encryption. As such, the patient records could easily have been viewed by unintended individuals. This result would have caused a serious financial penalty for the facility. Readers should not think that hacked pagers are a fantasy. In fact, an exhaustive study carried out in 2016 showed just how easily pagers can be hacked by individuals looking to siphon off information.
Attacks on patient data have risen by 125% in recent years and the average cost of a data breach is over $2MM to the hospital. Clearly, huge financial losses loom for healthcare organizations that inadequately secure patient data. So, the inability to secure patient data represents both a loss of privacy for the patient and a significant financial loss for the hospital.
Impede Effective Exchange of Information
Beyond leaking sensitive information, pagers also impede the effective exchange of information. According to research put out in June 2017, “text paging has been identified as inefficient and disruptive, and even with the implementation of novel technology, concerns about communication quality and safety persist.”
Much of the fault for this inefficiency lies in the inability to fully exchange information through a pager. In order to remain HIPAA compliant, healthcare organizations cannot mention any personal identifiers in pager messages. As such, doctors and nurses inevitably need to page the recipient with a phone number and then follow up with a phone call. In addition to requiring healthcare workers to follow additional steps, the process also lengthens the time it takes to reach the desired person.
Advantages of Secure Messaging
By embracing HIPAA-compliant, secure messaging platforms, hospitals and clinics will avoid many of the problems they face when they use pagers. Here are some of the advantages of using secure messaging platforms over pagers:
Improves HIPAA Compliance
By actively using a secure messaging platform, institutions will minimize the potential exposure of patient data. This in and of itself will minimize the potential for HIPAA fines. While obvious, the notion that HIPAA compliance is a virtue in and of itself cannot be overlooked. The impact of HIPAA fines inevitably goes back to the consumer who will be asked to bear the burden of increased costs for hospital visits as well as increased premiums for insurance.
Security of Patient Information
Another obvious win from using secure messaging is that patients know their information will be secure and will not be compromised. 7 out of 10 people are likely to choose a hospital that hasn’t been plagued with security issues. So, knowing that their information is secure also lets patients know that they run less risk of potentially dealing with the theft and improper use of their healthcare records.
Better Patient Outcomes
One of the main benefits of HIPAA compliant messaging is its effect on patient outcomes. According to a study by the University of Pennsylvania, “patients whose hospital care providers used mobile secure text-messaging as a means of communication had shorter lengths-of stay compared to patients whose providers used the standard paging system to communicate”. The results of the study further indicated that mobile secure text messaging may help to improve communication among providers, leading to more efficient care coordination and allowing patients to leave the hospital sooner.
Better Doctor and Nurse Communication
HIPAA compliant messaging allows for better care than pagers because the information exchanged on pagers does not come with any immediacy and thus does not provide a strong communications portal for hospitals. By contrast, a HIPAA-compliant messaging platform like the one provided by OnPage does let doctors and nurses know if the situation is urgent and thus lets them manage those situations with priority while letting non-urgent issues wait until later to be resolved.
At the same time, by using secure messaging, healthcare workers improve outcomes. Strong communications are central to care coordination and the proper communication tools and channels help providers communicate, collaborate and deliver care across the continuum.
How to Bring on Secure Messaging
In a culture that is tied to its cell phones, switching to secure messaging could be easier than expected. Rather than fighting the BYOD (Bring Your Own Device) trend whereby doctors and nurses bring their own smartphones to work, administrators should embrace it. By embracing the BYOD trend, healthcare institutions can bring on HIPAA-compliant secure messaging applications that live on smartphones. An important part of effective BYOD management, though, is handling the potential risks that come from actual BYOD use and ensuring effective secure messaging.
Management of BYOD security needs to be the focus of any secure messaging engagement as that is where the security begins. Maintaining BYOD security means that CIOs ensure smartphones are password protected and that remote wipe is made available on any messaging application employees download. Healthcare’s governing bodies have noted, and it seems prudent to ensure, that secure messaging applications need to provide:
- A secure sign-on process: Password-protect access to the smartphone as well as access to the application.
- Encrypted messaging: Messages should be encrypted both at rest and in transit.
- Have date and time stamps: Date and time stamps add further message security as they provide further evidence of an audit trail and who saw the message.
- Customize message retention timeframes: Messages need to be retained for a reasonable length of time after they are sent to ensure proper record keeping and to enable a look back in case any lawsuits occur or further investigation is required.
- Have a specified contact list for individuals authorized to receive and record orders: To maintain the security of messages, only individuals who are authorized to receive messages should be included in the contact list. This ensures that sensitive patient information is not accidentally shared with unauthorized individuals.
As an additional benefit, implementation of a BYOD solution that enables secure messaging can lessen the financial burden on hospitals. With BYOD, hospitals don’t pay for the hardware as it is already in the employee’s possession. The hospital only pays for the secure messaging application. Furthermore, if the CIOs adopt the correct messaging application then the security concerns noted above will already be addressed.
While some hospitals might use pagers for a few more years, they will inevitably have to switch gears as the number of providers dwindles and the support of the technology also declines. Clearly, there are multiple advantages to switching to HIPAA-compliant messaging from insecure pagers. By embracing HIPAA compliant, secure messaging platforms, practitioners will not only decrease their chances of HIPAA violations, they will also gain the advantages of improved patient care and practitioner communications.
To learn more about HIPAA-compliant communications and how to help your practice, contact OnPage.
Written by Orlee Berlove. Berlove is the Marketing Director at OnPage Corporation located in Waltham, MA. OnPage is a SaaS-based HIPAA-compliant, clinical communications platform for healthcare providers.