Ophthalmology and Optometry Coding Alert

Patient Privacy:

Don't Let a Text Compromise Your Eye Practice's Security

HIPAA-compliant messaging helps practices maintain their patients’ privacy.

Your physicians, mid-level providers, and support staff probably find texting to be a convenient and quick tool to help staffers stay in touch and communicate about patient issues—but if you aren’t careful, your texting practices could get you into trouble.

The handy nature of these implementations makes people complacent, and the line between what is acceptable and what is illegal is often blurred. The ease of use allows both clinicians and administrative staff to transfer data, voice opinions, and send private patient and practice information any which way they choose. When this happens, an innocent text could become fodder for a Health Insurance Portability and Accountability Act (HIPAA) breach.

Background. The U.S. Department of Health and Human Services (HHS) requires that all covered entities—health care providers, health plans, and health care clearinghouses—follow strict mobile-use guidelines under the HIPAA security rule. The rule lists a detailed inventory of governmentally-mandated requirements that are meant to help preserve electronic protected health information (e-PHI). Some of the highlights focus on setting up administrative, technical, personal, and physical safeguards to protect all involved parties. (http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html).

Since Medicare payment has been tied to adopting Certified Electronic Health Record Technology (CEHRT) for a while now due to its necessity in the delivery of quality care, most providers and their partners have jumped on board the cyber train lest their incomes be inhibited.

“Since the implementation of the Affordable Care Act (ACA) and Meaningful Use (MU), medical providers are relying on cost effective services that take pay-for-performance into consideration. These services include texting, telemedicine, and outsourcing,” explains Michael  DeFranco, founder and CEO of Lua, a leader in health care mobility. “The growth of innovative technologies can lower the cost of delivering healthcare, and provide for better patient outcomes and patient satisfaction.”

The upside. Texting in particular speeds the daily work flow, connecting physicians, staff, and business partners with the easy distribution of information. Its efficiency and cost effectiveness can successfully reduce readmissions, coordinate the management of chronic care, help with e-Prescriptions, and increase and improve patient engagement, suggests DeFranco.

Here’s the Problem

Unfortunately, messaging abuses have become a serious problem for the health care industry, and the OIG is on the watch for violators of these HIPAA security rules. Lax office procedures, the enticement of a financial windfall from information theft, and workers with a lack of compliance education have increased the likelihood of cyber villainy and the loss of ePHI.

It’s  more  than  a  quick  fix. “Since providers text their patients and other providers ePHI, which should never be transmitted in an unsecured manner, they need a solution,” says DeFranco.

Training  matters.  The first step your practice should take involves devising a comprehensive plan that includes realistic procedures to combat the accidental and intentional loss of ePHI. Educating administrative and clinical staff on the rules related to HIPAA-compliant communication via text, interoffice messaging, and email is essential to keep your practice safe and secure. Integrating HIPAA-compliant, user-friendly software and applications across the different mobile products your group utilizes is crucial to the success of your overall plan.

“Apps for HIPAA-compliant texting meet health care industry standards for security and privacy during the communication of ePHI,” says DeFranco. “Additionally, with text messaging, and due to the features included in secure messaging solutions, it ensures that system administrators can audit access to encrypted ePHI and any transmission of confidential data in compliance with HIPAA regulations.”

Bottom  line. SMS texting is not encrypted or secure, yet providers unwittingly engage in the practice of texting often, leaving their patients and themselves vulnerable to cyberattacks and the loss of ePHI. Due to the confusing nature of the policies, it is wise to seek the advice and assistance of health care IT experts schooled in the complexities of the HIPAA security rules and regulations.