HIPAA News

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entity that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years have seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit, must be careful how they respond, and all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presence Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient.

Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill – The Overdose Prevention and Patient Safety (OPPS) Act (HR 3545) – late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA rules and will ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Details of addiction treatment are prohibited from being shared with doctors. However, without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need, patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.

The post U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses appeared first on HIPAA Journal.

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often random, healthcare employees are also being targeted with spear phishing emails.

In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%.

In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised. In July alone, 9 email-related security incidents have been reported to OCR.

The recent WannaCry ransomware attacks may have exploited unaddressed vulnerabilities, but email remains the number one vector for spreading ransomware and malware. Many of these email attacks could have been prevented if employees had been trained to detect threats and knew how to respond appropriately.

Regular Security Awareness Training is a Requirement of HIPAA

Security awareness training is more than just a checkbox item to tick off to demonstrate compliance with HIPAA Rules. In fact, a one-off training session does not meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)”. As OCR recently pointed out in its July Cybersecurity Newsletter, all members of staff in an organization “can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.” It may not be possible to reduce risk to zero, but security awareness training can help to reduce risk to an acceptable level.

How Often Should Healthcare Employees Receive Security Awareness Training?

Cybercriminals are constantly changing tactics and new threats are emerging on an almost daily basis. An effective security awareness program must therefore provide ongoing training, raising awareness of new threats as they emerge and when threat intelligence is shared by Information Sharing and Analysis Organizations (ISAOs).

After the provision of initial training, HIPAA requires healthcare employees to receive periodic security updates – 45 C.F.R. § 164.308(a)(5)(ii)(A). While HIPAA does not stipulate how often these “periodic security updates” should be issued, OCR points out that monthly security updates work well for many healthcare organizations, with additional training provided bi-annually.

Some healthcare organizations may require less or more frequent updates and training sessions, which should be determined through the organization’s risk analyses.

The security updates should include details of the latest security threats including phishing and social engineering scams that have been reported by other covered entities or shared by an ISAO. The security alerts can take many forms – email bulletins, posters, newsletters, team discussions, classroom-based training or CBT sessions. It is up to the covered entity to determine which are the most appropriate. Annual or biannual training sessions should be more in-depth and should cover new risks faced by an organization and recap on previous training.

OCR also points out in its recent newsletter that covered entities must document any training provided to employees. Without documentation on the training provided, newsletters sent, updates issued and evidence of workforce participation, it will not be possible to demonstrate to OCR auditors that training has taken place. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

OCR provides some training materials on privacy and security, with third-party training companies and anti-phishing solution providers offering specific training courses on the full range of cybersecurity threats.

Tailoring training to the needs of the individual will help to ensure that all employees become security assets and organizations develop a robust last line of defense against phishing attacks.

The post How Often Should Healthcare Employees Receive Security Awareness Training? appeared first on HIPAA Journal.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning on investing more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).

The post 47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years appeared first on HIPAA Journal.

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data it is usually preceding a medical appointment or soon afterwards to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. However, mostly, patients were using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while the HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow up. GAO says the HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up some performance measures to determine whether its efforts are actually working.

The post Only One Third of Patients Use Patient Portals to View Health Data appeared first on HIPAA Journal.

Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platform

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians.

The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database.

Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images.

Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems have been implemented, they were not widely used by clinicians. Only 7.3% of respondents said a secure messaging system was being used by most clinicians.

Pagers remain the most commonly used communication systems and are still used by 79.8% of hospitals to communicate with clinicians. 49% of respondents said they use pagers for patient care–related (PCR) communications.

The survey also revealed that standard text messages are being extensively used, often to communicate PHI, even though sending PHI over the SMS network is a violation of HIPAA Rules. Standard text messages are not encrypted, do not have access controls and can easily result in the accidental disclosure of PHI to unauthorized individuals.

52.9% of clinicians said they received standard text messages for PCR communications at least once a day and 21.5% of respondents said they received standard text messages including the individually identifiable information of patients. 41.3% said they received some identifiable information such as patients’ initials along with health care related information. 21% said text messages regarding urgent healthcare information were received at least once a day.

Text messages are a convenient method of communication for use in hospitals. The majority of physicians carry mobile phones at work, although without a secure messaging platform, there is considerable potential for a HIPAA violation.

The HHS’ Office of the National Coordinator for Health IT has made it clear that standard text messaging is not secure and should not be used to communicate PHI since there is no encryption or access controls.

ONC suggests, “Implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

The post Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platform appeared first on HIPAA Journal.