Gastroenterology Coding Alert

Tech incompatibility was at the root of the breach, staffers say.

The more technologically advanced medical practices become, the more training, resources, and equipment are required. But when that technology breaks down, we often must find a workaround – and although that can be a boon for operability, it can create privacy issues.

That’s the lesson that gastroenterology staff members at a Veterans Affairs hospital in California recently learned, according to a July 31, 2019 report by the VA’s Office of Inspector General (OIG).

Incompatible Systems Drove the Issues

The problems that the OIG found stemmed from the fact that the facility’s high-resolution esophageal manometry (HRM) device was unable to interface with the VA’s EHR system starting in 2013.

“The gastroenterology (GI) provider stated that, along with the facility Biomed and IT, a decision was made to continue to use the facility’s HRM without the ability to interface with the patients’ EHR,” said John D. Daigh, Jr., MD, the assistant inspector general for healthcare inspections, in his report. “Based on this decision, the GI provider developed and implemented two workarounds that were not in accordance with VA security and privacy policies concerning sensitive personal information. These workarounds included the use of the GI provider’s personal computer and emails, a non-VA (unencrypted) flash drive, and the Cloud.”

The way the GI staffers transferred information between the two systems led to a breach of patients’ private information. In fact, 99 percent of the emails that the gastroenterologist sent from his personal email account contained patients’ sensitive personal information, as did 91.7 percent of texts between the GI provider and staff members.

In total, the OIG pinpointed 133 patients whose sensitive personal information was cited in emails and text messages from the GI provider to staff members. The OIG determined that the situation did not meet the criteria for a formal breach notification, but the facility was at risk of disclosing their personal information. “A complete/full risk assessment would have shown a possibility of disclosure based on the ease to obtain the information and the length of time the unencrypted information remained on an unprotected site,” the report noted.

Here’s How to Avoid A Similar Fate

If your practice is considering using personal text, email, or other accounts in the office, make sure you stay within the regulations with a few quick tips.

Training matters: The first step your practice should take involves devising a comprehensive plan that includes realistic procedures to combat the accidental and intentional loss of ePHI. Educating administrative and clinical staff on the rules related to HIPAA-compliant communication via text, interoffice messaging, and email is essential to keep your practice safe and secure. Integrating HIPAA-compliant, user-friendly software and applications across the different mobile products your group utilizes is crucial to the success of your overall plan.

Apps for HIPAA-compliant texting meet health care industry standards for security and privacy during the communication of ePHI. Additionally, with text messaging, and due to the features included in secure messaging solutions, it ensures that system administrators can audit access to encrypted ePHI and any transmission of confidential data in compliance with HIPAA regulations.

In addition, consider these seven tips when mobile devices are being used in your practice:

1. Eliminate the threat of sensitive data being compromised if a mobile device is stolen or lost with message recall, message lifespan, and remote wipe.
2. Segregate healthcare texting from personal texting through a HIPAA-compliant, secure application.
3. Encrypt message data in-network and in-transit on the device and the server.
4. Look for a lockout feature that erases data remotely if devices are stolen.
5. Require PIN authentication for all application users.
6. Include configurable time-out periods.
7. Block users after several unsuccessful authentication attempts.

Bottom line: SMS texting is not encrypted or secure, yet providers engage in the practice of “unsafe texting” often, leaving their patients and themselves vulnerable to cyberattacks and the loss of ePHI. Due to the confusing nature of the policies, it is wise to seek the advice and assistance of health care IT experts schooled in the complexities of the HIPAA security rules and regulations.

Resource: To read more about the case, visit www.va.gov/oig/pubs/VAOIG-17-03557-177.pdf.