Health Information Compliance Alert

Published on Tue Nov 15, 2016 PDF

HIPAA-compliant messaging helps practices maintain their patients’ privacy.

Mobility — it is both the boon and bane of the healthcare industry and the greater society. On one hand, smartphones and tablets have allowed providers to assess patients with the mighty power of the net and all of its knowledge at their fingertips. These products have also helped doctors coordinate care between venues and specialties as well as transfer their notes quickly to staff, making the coding and billing process quicker and more efficient.

But, this communication revolution has its drawbacks, too. The handy nature of these implementations makes people complacent, and the line between what is acceptable and what is illegal is often blurred. The ease of use allows both clinicians and administrative staff to transfer data, voice opinions, and send private patient and practice information any which way they choose. When this happens, an innocent text could become fodder for a Health Insurance Portability and Accountability Act (HIPAA) breach.

Background. The HHS requires that all covered entities — healthcare providers, health plans, and healthcare clearinghouses — follow strict mobile-use guidelines under the HIPAA security rule. The rule lists a detailed inventory of governmentally-mandated requirements that are meant to help preserve electronic protected health information (e-PHI). Some of the highlights focus on setting up administrative, technical, personal, and physical safeguards to protect all involved parties. (http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html).

Since Medicare payment has been tied to adopting certified electronic health record technology (CEHRT) for a while now due to its necessity in the delivery of quality care, most providers and their partners have jumped on board the cyber train lest their incomes be inhibited.

“Since the implementation of the Affordable Care Act (ACA) and Meaningful Use (MU), medical providers are relying on cost-effective services that take pay-for-performance into consideration. These services include texting, telemedicine, and outsourcing,” explains Michael DeFranco, founder and CEO of Lua, a leader in healthcare mobility. “The growth of innovative technologies can lower the cost of delivering healthcare, and provide for better patient outcomes and patient satisfaction.”

The upside. Texting in particular speeds the daily work flow, connecting physicians, staff, and business partners with the easy distribution of information. Its efficiency and cost effectiveness can successfully reduce readmissions, coordinate the management of chronic care, help with e-Prescriptions, and increase and improve patient engagement, suggests DeFranco.

Here’s the Problem

Unfortunately, messaging abuses have become a serious problem for the healthcare industry, and the OIG is on the watch for violators of these HIPAA security rules. Lax office procedures, the enticement of a financial windfall from information theft, and workers with a lack of compliance education have increased the likelihood of cyber villainy and the loss of ePHI.

It’s more than a quick fix. “Since providers text their patients and other providers ePHI, which should never be transmitted in an unsecured manner, they need a solution,” says DeFranco.

Training matters. The first step your practice should take involves devising a comprehensive plan that includes realistic procedures to combat the accidental and intentional loss of ePHI. Educating administrative and clinical staff on the rules related to HIPAA-compliant communication via text, interoffice messaging, and email is essential to keep your practice safe and secure. Integrating HIPAA-compliant, user-friendly software and applications across the different mobile products your group utilizes is crucial to the success of your overall plan.

“Apps for HIPAA-compliant texting meet healthcare industry standards for security and privacy during the communication of ePHI,” says DeFranco. “Additionally, with text messaging, and due to the features included in secure messaging solutions, it ensures that system administrators can audit access to encrypted ePHI and any transmission of confidential data in compliance with HIPAA regulations.”

Bottom line. SMS texting is not encrypted or secure, yet providers unwittingly engage in the practice of texting often, leaving their patients and themselves vulnerable to cyberattacks and the loss of ePHI. Due to the confusing nature of the policies, it is wise to seek the advice and assistance of healthcare IT experts schooled in the complexities of the HIPAA security rules and regulations.

Take a look at Lua and HIPAA-secure texting, visit https://getlua.com.