Monday, July 30, 2012

Electronic Communication Security

At the beginning of this year we published our list of smartphone predictions. Number two on that list was that an incident involving compromised electronic protected health information (ePHI) on a smartphone would cause headlines and fines. This has, unfortunately, come true. The basis for our prediction came directly from the Joint Commission’s FAQ webpage:

Is it acceptable for physicians and licensed independent practitioners (and other practitioners allowed to write orders) to text orders for patients to the hospital or other healthcare setting?

No, it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text, and there is no way to keep the original message as validation of what is entered into the medical record.

In April, a cardiac surgery group in Arizona agreed to pay $100,000 to settle possible HIPAA violations. The cardiac practice was cited for multiple security oversights, including inadequate policies and procedures to protect patient information and no documented staff training on ePHI privacy and security. In fact, Health and Human Services (HHS) specifically identified text messaging as a security measure that needed to be addressed in the corrective action plan.

Beyond ePHI security on smartphones, other devices have also made headlines. In May, a personal laptop was stolen from a Boston medical center physician’s office that may have contained medical information summaries on as many as 3,900 patients. In June, Alaska’s Department of Health and Social Services was fined $1.7 million to settle possible HIPAA violations when a USB hard drive was stolen from the vehicle of a DHSS employee. While the device was not confirmed to have contained ePHI, the Office for Civil Rights cited inadequate policies and procedures to safeguard this sensitive information, a lack of risk analysis, lack of controls, and no documented proof of information security training for employees.

It’s clear that ePHI security risks can have significant consequences. Beyond simply the risk of patient data being stolen, HIPAA compliance requires maintaining the confidentiality of all created, received, maintained or transmitted ePHI. Healthcare organizations must protect against any reasonably anticipated threats or hazards to the security or integrity of this information. In addition to risk assessments and documented policies, healthcare organizations can use critical smartphone communication applications, such as Amcom Mobile Connect, to help ensure compliance with both HIPAA and HITECH.

What are some of your experiences with implementing HIPAA compliance in the era of tablets, smartphones and other mobile devices? What challenges are you and your organization working to overcome? We welcome your thoughts.
