Monday, July 30, 2012

Electronic Communication Security

At the beginning of this year we published our list of smartphone predictions. Number two on that list was that an incident involving compromised electronic protected health information (ePHI) on a smartphone would cause headlines and fines. This has, unfortunately, come true. The basis for our prediction came directly from the Joint Commission’s FAQ webpage:

Is it acceptable for physicians and licensed independent practitioners (and other practitioners allowed to write orders) to text orders for patients to the hospital or other healthcare setting?

No, it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.

In April, a cardiac surgery group in Arizona agreed to pay $100,000 to settle possible HIPAA violations. The cardiac practice was cited for multiple security oversights, including inadequate policies and procedures to protect patient information and no documented staff training on ePHI privacy and security. In fact, Health and Human Services (HHS) specifically identified text messaging as a security measure that needed to be addressed in the corrective action plan.

Beyond ePHI security on smartphones, other devices have also made headlines. In May, a personal laptop was stolen from a Boston medical center physician’s office that may have contained medical information summaries on as many as 3,900 patients. In June, Alaska’s Department of Health and Social Services was fined $1.7 million to settle possible HIPAA violations when a USB hard drive was stolen from the vehicle of a DHSS employee. While the device was not confirmed to have contained ePHI, the Office for Civil Rights cited inadequate policies and procedures to safeguard this sensitive information, a lack of risk analysis, lack of controls, and no documented proof of information security training for employees.

It’s clear that ePHI security risks can have significant consequences. Beyond simply the risk of patient data being stolen, HIPAA compliance requires maintaining the confidentiality of all created, received, maintained or transmitted ePHI. Healthcare organizations must protect against any reasonably anticipated threats or hazards to the security or integrity of this information. In addition to risk assessments and documented policies, healthcare organizations can use critical smartphone communication applications, such as Amcom Mobile Connect, to help ensure compliance with both HIPAA and HITECH.

What are some of your experiences with implementing HIPAA compliance in the era of tablets, smartphones and other mobile devices? What challenges are you and your organization working to overcome? We welcome your thoughts.

Thursday, July 19, 2012

As Heard on National Public Radio

We’ve blogged a lot this year about smartphone usage in healthcare. It’s an evolving communications platform that more and more hospitals are using in daily care delivery, and it has even attracted the attention of National Public Radio (NPR). This week, NPR highlighted this topic in their Morning Edition segment “Are Pagers Obsolete?” and we are pleased to be a part of the story.

Despite their decline in most other sectors, pagers remain an important piece of healthcare communications with an estimated 90% of hospitals in the country using paging systems. Traditional pagers are simple to use and typically transmit data not sensitive enough to require encryption.

With smartphones, hospitals need data encryption to be HIPAA and HITECH compliant because of the nature of patient information being transmitted among staff. As opposed to pagers, smartphones offer faster communications by eliminating call-backs, and with the right communications platform they can also provide invaluable message tracking for audits. Brian Edds, Amcom Director of Product Management, also noted in the NPR podcast, “Doctors don’t want to carry a pager anymore. They want to carry their iPhone or their Android device.”

We see continued demand for both devices and anticipate that paging systems and encrypted smartphone communications will co-exist in the healthcare space for the foreseeable future. As always, your thoughts are welcome.

Tuesday, July 17, 2012

Amcom Releases New Version of Critical Test Results Management Solution

In early May, we acquired the Critical Test Results Management solution from IMCO Technologies. We quickly brought this into the fold of the full Amcom product suite and are excited to announce the release of version 5.0 of the Amcom Critical Test Results Management solution. We’re pleased that so many of the hospitals we’ve spoken with are excited to embrace this new functionality within the spectrum of their clinical communications to improve patient care and physician productivity.

Amcom Critical Test Results Management is the only solution of its kind to be cleared by the FDA as a class II medical device, and this enhanced version includes important features to help hospitals in their efforts to improve care and comply with industry mandates.

Highlights of Amcom Critical Test Results Management Version 5.0:
  • Integration with Amcom Mobile Connect® helps hospitals achieve traceable, encrypted smartphone and tablet communications in accordance with HIPAA and Joint Commission guidelines.
  • The new Emergency Department Discrepancy Module can help identify and communicate any differences between the preliminary diagnosis done by the Emergency Department and the final diagnosis done by Radiology.
  • The updated user interface is now similar to Amcom’s broad suite of products to improve ease of use among Amcom’s hundreds of hospital customers.

Learn more about the Amcom Critical Test Results Management solution.