The ONC’s wall of shame documents that exposure due to “non-compliant e-mail” rose 1,500% between 2013 and 2017. And this data doesn’t include all of the hundreds of thousands of records exposed due to unauthorized access associated with transmitting unsecured data.
We rely on technology to transmit information in all areas of our lives including work, and the reality is that most information shared is not secure. Methods like texting were not designed to be secure; and others, like e-prescribing solutions, were designed with security in mind from their inception. For the methods that weren’t designed with security from the get-go, there’s a lot of catching up to do.
Reality check
Let’s take a step back and look at all the ways doctors and staff communicate with each other, with patients, and with the outside world. Reviewing how we communicate allows us to recognize the methods we can safeguard and educate staff to avoid using those that we cannot.
E-mail is a way of life. There are basically two types of e-mail services when it comes to HIPAA—those that are compliant and those that aren’t. By compliant, HIPAA means secure and encrypted transmissions for ePHI.*
Patient Portals
We would be hard-pressed to find a company that designs and creates patient portals that didn’t develop them with all of the security necessary to meet the requirements of HIPAA, including password protection and Web interface encryption.
Remote network connections
Working from another location like home or the hospital requires you to have a secure Internet connection. Logging in to your practice’s secure network should be done via an encrypted connection or virtual private network (VPN). There are many services that offer these types of connections and your healthcare IT provider should be able to set up your remote access.
Business solutions like eFaxing, e-prescription services, and medical device interfaces
These tools communicate with the outside world and need to have a secured way to do it. Just like working remotely, they need to use encrypted connections to keep the information they contain private as they transmit.
Texting (or not to text)
Texting is a touchy subject because even if your phone is “secure,” using the text icon on your phone to send a message is NOT. It wasn’t developed to be secure and today’s cell providers are not offering secure texting options. We know it’s easier to text your nurse or office manager a brief message about your next appointment or patient follow-up, but it is not a secure method of communication.
The easy answer is to say that until there is a fail-safe, HIPAA-compliant texting solution, just don’t use text; but we know that’s not realistic. If your staff insists on texting:
E-mail communication is a basic tool in running a practice, and using a HIPAA-compliant e-mail product will ensure that your transmissions are both compliant and secure. Without it, the number of breaches due to e-mail use will continue to grow as a result of using e-mail options that are not secure. Protecting ePHI when you communicate IS possible when you use HIPAA-compliant e-mail, secure remote connections, and patient portals, all of which your IT service provider can help you with; and as for texting, proceed with caution.
* HIPAA defines PHI as the health information of an individual that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers such as name, address, birth date, Social Security number, etc.