Electronic Devices Mean New Risks for D.C.s
HIPAA Security Standards require every healthcare practitioner and practice to protect the privacy of patient health information (PHI). However, patient privacy can easily be jeopardized through electronic devices.
Posted in Risk Management on Thursday, July 26, 2018
D.C.s are not excluded from this complex and often confusing legislation. The penalties for violations of patient privacy and confidentiality are substantial.
A legal challenge is costly, time-consuming, challenging, destructive and disruptive to the functioning of the practice. High-profile institutions have been highlighted in the headlines. However, the risk for smaller practices and entities is growing.
Email Communications with Patients
Just as you ask patients for their contact information, ask them whether the practice may communicate with them via email. These preferences should be checked regularly to ensure the patient’s email address or communication preferences have not changed. Make sure to add a disclaimer to your emails stating that patients shouldn’t communicate about time-sensitive matters via email. It can be helpful to address:
- The person who will be designated to: communicate with the patient via email; monitor the practice’s email account; route the emails; ensure patient emails are answered within the practice’s turnaround time; and archive emails to and from the patient.
- The timing for answering emails (e.g., within 24 hours and during normal office hours).
- The manner of obtaining and storing patient consent to communicate via email, and how this information will be retained in the patient’s healthcare record.
- The systems needed to protect confidentiality and security of PHI (e.g., passwords, encryption and patient authentication).
- The issues which may or may not be addressed via email.
- Instructions for what the patient should do in an emergency or in another situation requiring a prompt response.
- The consequences if a staff member or patient doesn’t comply with the practice’s email policies and procedures.
Smart Phones/Electronic Devices
A recent study by the Pew Research Center and the California Health Care Foundation* reported that the use of cell phones to obtain health information is expected to grow rapidly. As the use of these devices becomes more common, so does the potential for breaching patient confidentiality and violating HIPAA regulations. The most obvious threat is the physical loss or theft of the device.
The National Institute of Standards and Technology considers cell phones at “high risk for loss, theft, disposal and unauthorized access.” Once a device is lost or stolen, patient confidentiality is at risk if it contains PHI and encryption is not in place. This can result in a HIPAA violation.
Make sure to keep devices that are not in use but contain PHI under lock and key. Employee policies regarding these devices should include what to do in case of loss or theft of any device that contains PHI. In addition, there are security risks when personal devices are brought into the practice. As such, it can be helpful to address:
- Are policies in place to safeguard patient privacy? This should include policies to secure the device (i.e., password/access numbers are enforced).
- Are devices protected against viruses, hacking and malware?
- Do devices have encryption features if PHI is accessed and transmitted?
- Can data be wiped remotely if a device containing PHI is lost or stolen?
Many D.C.s have embraced texting as an easy way to communicate with colleagues and staff. Texting has obvious appeal in that it is fast, easy and inexpensive. Unlike email, text messages are typically read by the recipient and responded to quickly (often within minutes of receipt).
And, text messages are viewed as much less obtrusive than a phone call. However, texting is not without risk and limitations. (See the sidebar, Limitations with Texting, below.)
Risk vs. Reward
Although patient privacy can easily be jeopardized through electronic devices, they are the wave of the future. Now is the time to address how they will be used to ensure PHI remains secure, and patient care is uncompromised.
Limitations with Texting
Although using texting for appointment reminders, preventive health notices, and other health information may be beneficial, there are limitations and potential risks to consider. These include:
- A lack of encryption when sending and receiving messages can result in PHI breaches and HIPAA violations.
- Unlike emails, there is no retrievable record of a text message exchange to enter into the patient’s record.
- There is an inherent expectation that text messages are read and responded to promptly.
- Text messaging is not secure: with the right technical ability, messages can be intercepted and read during transmission.
- Size restrictions make it difficult to include sufficient clinical information.
- The use of abbreviations may be misinterpreted.
- Texting is inherently casual and personal.
- Spellcheck and auto-correct features can create problems.