OnPage Report: HIPAA Compliant Messaging Myths Dispelled
In 2016, almost 85% (1) of physicians and hospital personnel reported that they brought their personal smartphones to work. At the same time, Accellion (2) also reported that 68% of healthcare security breaches were due to the loss or theft of personal mobile devices or files. These two statistics have led some healthcare institutions to conclude that they should not allow any type of healthcare-related messaging or communications on personal mobile devices among hospital staff. They feel that messaging on personal devices will leave hospitals exposed to breaches.
While BYOD’s proliferation has impacted security, officials should not assume that isolation is the solution. As the CISO at the University of Rochester Medical Center put it (3):
“Regardless of whether I agree with [BYOD] or not, that’s where we are today. You really can’t put the cat back in the bag once you’ve [started allowing BYOD]. We just have to address the problem.”
The goal of this whitepaper is to highlight the myths surrounding secure and HIPAA compliant messaging. With the correct policies in place, hospitals can incorporate BYOD and HIPAA secure messaging into their workplace. BYOD is not the Trojan Horse that will bring insecure communication into the workplace. Rather, BYOD along with proper HIPAA compliant messaging will allow hospitals to improve their institutions and the healthcare they provide.
HIPAA Compliant Messaging Myth 1: Text messaging is not necessary for effective healthcare.
HIPAA secure messaging applications expedite processes that formerly were handled over the phone and avoid the compliance issues presented by default SMS programs.
A benefit of HIPAA secure messaging, according to HIMSS, is that it “allows patients and healthcare teams to communicate non-urgent, health related information in a private and safe computer environment.” (4)
HIPAA Compliant Messaging Myth 2: Implementing HIPAA secure communications will have no impact on patient health.
Strong communication is key to effective care coordination, and having the proper communication tools can have a significant impact on the quality of care provided by the hospital. The use of pagers in healthcare facilities has a negative impact on patient-care workflow. According to a study by the Ponemon Institute (5), 43% of the time spent in responding to an emergency situation is wasted due to inefficient communications.
Consequently, by providing a tool which encourages quick and secure communications among doctors and nurses, patient health can only be improved.
HIPAA Compliant Messaging Myth 3: Secure messaging and texting are available through native texting applications on the smartphone.
Texting applications such as the ones that come with the iPhone and Android are not sufficiently secure. These applications are unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record.
Furthermore, as TechTarget noted, SMS does not translate into secure messaging in healthcare:
“Despite their popularity, the limitations of SMS and other consumer-grade messaging services make them a bad fit for secure messaging in healthcare” (7).
Additionally, these messaging applications do not meet HIPAA protocols.
HIPAA Compliant Messaging Myth 4: We can ensure HIPAA secure messaging by prohibiting BYOD and only permitting messaging on technologies that live at the hospital.
As noted above, the cat is out of the bag on BYOD. But there’s more to say on the argument. According to Gerard Nussbaum, director of Technology Services for Kurt Salomon global management:
“BYOD is a huge benefit to the healthcare space for a number of reasons… [H]ealthcare providers can’t really afford to give everyone who would benefit from a device a device. So having the physician on the medical staff or an employee use their own device can provide access to mobile tools to people who might otherwise not be able to benefit from mobile tools” (8).
Additionally, while some hospitals do have messaging technology that only lives at the hospital, this runs counter to the way in which most doctors wish to operate. Doctors appreciate the ability to communicate over their personal devices and work outside the confines of the hospital.
The majority of doctors surveyed had their own office hours, moved from building to building, collaborated with specialists in other locations and worked at home. In many cases they’d adapted their own devices and were intent on using them at the hospital (9).