Patients may be hungry for easy electronic communications with their doctors, such as text messages and email, but practices are wise to consider the risks before they proceed.
In fact, taking inventory of patient information passed through all devices and channels must be part of every practice's Health Insurance Portability and Accountability Act (HIPAA) risk assessment, as required by the U.S. Department of Health and Human Services' Office of Civil Rights (OCR), noted a recent article from Medical Economics.
As part of that risk assessment, it's also practices' responsibility to analyze the likelihood and impact of potential threats--and to put measures in place to address vulnerabilities. Failure to take this step seriously could result in steep fines from the OCR.
Even among experts, however, there's some disagreement about where to begin. "Most people say it should start from policy and training, but I disagree," Ali Pabrai, chief executive officer of the online security company ecfirst, told Vital Signs, a publication of the Massachusetts Medical Society, earlier this year. Strong security controls, such as antivirus software, antispyware, as well as encryption of information exchanged via email and text messages, are essential, he said.
"But the idea that a purely technical solution is our panacea has faded," wrote healthcare attorney Michael J. Sacopulos in a recent article for Medscape. Whether policies represent the chicken or the egg for your practice, consider the following recommendations from the article to ensure people use communications technology in the safest way possible:
- Whenever possible, keep electronic patient communications within patient portals, which not only keeps data secure but also ensures it gets included in the patient's electronic medical record (EMR), according to Sacopulos.
- For exchanges that take place outside the portal, ensure you have written permission from patients to communicate with them in that fashion, especially if messages aren't encrypted, he added.
- Ask EMR vendors about secure texting services that integrate with patients' EMRs and use if available.
- If messages do not automatically integrate into patients' EMRs, have a policy to routinely upload communications to the patient's chart.