HIPAA and eHealth: Avoiding problems
Jean Wendland Porter
We've all heard about the dangers and pitfalls when social media mixes with healthcare. Whether it's Snapchat or Facebook, employees have run into trouble. But what we're not considering is how information technology has impacted the sharing of information, and how our “Standard Operating Procedure” may be a violation of federal law.
Widespread use of health information technology benefits our systems and our patients. It's easy to share information to provide care for people that would otherwise not be available. You have a new patient with a fracture? Let's get the X-ray from the hospital portal! You have a patient who presents with a stroke, but you don't know if she's on blood thinners? Let's get the home care med list emailed!
As long as the means of getting the information are protected, encrypted, and encoded, sharing information to provide care has never been easier and quicker. However, it's our responsibility and our obligation to keep that information private.
What constitutes protected health information? An individual's past/present/future medical or psychiatric condition, as well as the past/present/future provision of care for the individual that is “individually identifiable." It also includes the past/present/future payment-related information for the individual. “Individually Identifiable” parameters consist of 18 identifiers, including name, address, date of birth, email address, medical record number, IP addresses, and others.
When you include any of these identifiers with PHI, you're transmitting ePHI. Sending a non-encrypted email that says “We sent your insulin prescription to your drug store” has violated HIPAA, because the medication information plus an email address is considered PHI. But what happens when the patient emails information to you? Nothing. The patient doesn't violate HIPAA because the patient decides who gets her information. However, it's your responsibility to safeguard that information.
What's the penalty for HIPAA violations? The enforcement agency is the Department of Health and Human Services, a federal agency charged with safeguarding the PHI of every American who receives health or psychiatric care.
The penalty can be a hefty fine and include prison time. Ignorance of the law, pleading “this is the way we've always done it” cannot be used as an excuse. You have an encrypted server. Can you send an email to the patient or care provider? Yes, but you can't put the PHI in the subject line or in the title of the attachment, because that's visible. Can you fax information? It depends. If the fax is in a public area that's frequented by others who are not privy to PHI, you can't. If it's a private fax in an office, accessible only to those who provide care, yes you can.
Healthcare has become so reliant on faxing — make sure you're doing it right. Is texting HIPAA compliant? It depends. The texting app that came with your iPhone or your Droid probably isn't compliant. There are texting apps that are secure and HIPAA compliant, but they may be costly and everyone involved has to use the same app. The generic app for texting keeps a copy of all your texts on the provider's server. The secure texting does not. When purchasing an email or text app, make sure it's SSL-encrypted.
Emails and texts aren't secure unless they go through an SSL-encrypted (Secure Sockets Layer) server and has SSL-encrypted data transmission. Using the encrypted transmission of data ensures the secure protection of information.
"Open" and "transparent" are key words defined by HHS and reflect what we aspire to in order to provide the best and most expedient care. But it's our responsibility as providers to ensure that the information we communicate to others involved in the care of our patients retains their privacy and complies with federal law.Jean Wendland Porter, PT, CCI, is the Regional Director of Therapy Operations at Diversified Health Partners in Ohio.