Texting Just the Beginning of Communication Security Concerns for Healthcare Providers

Maintaining patient health information security and privacy is a leading concern for hospital systems and provider groups, especially since the updated HIPAA Omnibus rule, which went into effect last year, expanded privacy and security standards.

Many healthcare providers struggle with maintaining data security; practices as straightforward as encrypting laptops often don't occur, leading to new headlines nearly every week about yet another healthcare data breach caused by laptop theft.

Beyond laptops, the use of personal mobile devices to view electronic PHI, or communicate with other providers, has created yet another privacy concern. Seth Crouch, director of ambulatory services for Covenant Medical Group, the physician group of Lubbock, Texas-based Covenant Health, experienced this first-hand: Early last year, it came to his attention that a number of the group's physicians were sending texts to one another that contained patient names, birth dates and health information. A physician would request a consult from another physician in the group via text message, or communicate about patients with his or her nurse or physician assistant.

"That information was going through unsecured networks, and could lead to a breach if someone got a hold of the phone," he says, which created a liability for the medical group.

Mr. Crouch and other leaders from the group reviewed several systems for secure healthcare provider texting, eventually selecting to pilot the use of PerfectServe DocLink among a small group of physicians and their nurses. These providers quickly became champions for the tool, says Mr. Crouch, since the app (which appears alongside other apps on a user's phone) allows secure communications and includes a list of all providers at the system using the service so that providers don't have to dig through their contact lists. Users get an alert when they receive a message through the service; if the recipient doesn't open the message, a SMS text is sent to ensure the provider knows the message is waiting.

"We have drilled the doctors on the importance of security and compliance, and how important it is to keep patients' information safe," says Mr. Crouch. The piloted app ensured this, but was just as easy to use as SMS texting, so the providers' workflows weren't impacted.

An additional benefit of the app is that it allows for text messaging outside traditional SMS, which is a benefit for providers who have limited text messaging plans. And if providers prefer using laptops or desktops, the app can be accessed on these platforms as well.

"Many nurses don't have unlimited texting on their phones," explains Mr. Crouch. "Before, the nurses were complaining because the doctor was using up all her texts, costing her money."

After the pilot was deemed a success, the app was rolled out across the medical group, with its original users encouraging other physicians to sign on. Currently, 60 to 70 percent of the group's physicians use the app on a daily basis, says Mr. Crouch. And, this year, Covenant Health will offer the app to all credentialed physicians at its hospitals.

Also, later this year, the health system plans to extend the tool for use in communications beyond texting. As the health system began to examine its communications, it realized other types of communication besides texting were putting the health system at risk. For example, health system leaders foundthat a great deal of information sent from the system's answering service operators to physician practices was sent via unsecured methods.

As a result, Covenant Health plans to replace its current answering system with another PerfectServe product created specifically for larger, practice-wide communications.

"The market issues related to security and communications actually extend well beyond text messaging," says Terry Edwards, CEO of PerfectServe. "The industry as a whole is very concerned with secure texting between clinicians, but there is a whole host of additional communications that is occurring in unsecure ways, throughout other processes."

Thousands of messages are exchanged among health systems providers and staff every day, and physician-to-physician communications make up just a portion of them. Communications via text, fax and email among nurses, office staff and switchboard operators account for the remaining messages, and unless a health system is extremely vigilant, it's common for these PHI-containing messages to be sent through unsecured methods.

HIPAA requires healthcare providers audit how they transmit, receive, create and store PHI, and establish policies and procedures to help manage risk around this information. Providers who are aware of unsecured communications but fail to take steps to mitigate it are putting their organizations, and their patients' information, at risk.

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Featured Webinars

Featured Whitepapers