Readers Write: Think Beyond the Text: Understanding HIPAA and Its Revisions

July 31, 2013 Readers Write 1 Comment

Think Beyond the Text: Understanding HIPAA and Its Revisions
By Terry Edwards

Every day, an increasing number of physicians and other health care providers are exchanging clinical information through a wide range of modes, including smart phones, pagers, CPOE, e-mails, texts and messaging features in an EMR. It’s no surprise that hospital and health system leaders are increasingly focused on securing protected health information in electronic form (ePHI)—a trend that has certainly caused some confusion across the industry.

As PHI data breaches increase in frequency, hospital executives must strategize ways to eliminate security threats and remain HIPAA compliant, especially since HIPAA violations can be extremely expensive, leaving these already-strapped organizations in an even more stressful financial situation.

In order to prioritize tangibles such as patient safety, physician satisfaction and overall efficiency across processes and hospitals, health care leadership must consider ways to tackle this confusion and maximize the benefits enabled by modern technology and electronic communications.

PHI can take a variety of paths in today’s complex healthcare environment and expose a health system to risk. But time and time again I see health systems looking to implement stop-gap measures and point solutions that address part—and not all—of the problem.

While texts are commonly sent between two individuals via their mobile phones, the communication “universe” into which a text enters is actually much bigger. It also includes creating ePHI and sending messages—in text and voice modalities—from mobile carrier web sites, paging applications, call centers, answering services and hospital switchboards.

For example, a 400+ bed hospital generates more than 50,000 communication transactions to physicians each and every month. Many of these communications contain ePHI. And if they were transmitted through unsecure networks and stored in unencrypted formats, they would represent a meaningful potential security risk to both the hospital and its medical staff.

In order to identify all potential areas of vulnerability, health care leaders need to consider all mechanisms by which ePHI is transmitted and the security of those mechanisms and processes. No mode of communication can be viewed in isolation. By failing to address all transmitted ePHI, organizations become vulnerable to security breaches with adverse legal and financial consequences, as well as loss of patient trust and reputation in the marketplace.

In addition, contrary to what many health leaders have been led to believe, HIPAA provisions do not call out any specific modes of communication. Text messaging is permissible under HIPAA. The law simply stipulates that a covered entity (CE) must perform a formal risk assessment; develop and implement an effective risk management strategy based upon sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to providers communicating PHI in any electronic form.

As a result, there is no such thing as a “HIPAA-compliant app.”

HIPAA provisions emphasize the risk management process rather than the technologies used to manage risk. For hospitals and health systems, the pathway to safeguarding electronic communication of PHI lies in the creation of an overall risk management strategy.

Ideally, leaders of the CE will form an information security committee to develop and execute the strategy, which includes representatives from IT, operations, the medical staff, and nursing, as well as legal counsel. Leaders should also consider including an external security firm in the group. Once the committee is formed, the organization should take these four essential steps for protecting the security of ePHI:

  1. Organize and execute a formal risk analysis. A formal risk analysis should break down types of technology used for electronic communication as well as the transmission routes for all ePHI. To ensure HIPAA compliance, ePHI transmitted across all channels must be “minimally necessary,” which means it includes only the PHI needed for that clinical communication. This layer of complexity, which is common in clinical communication processes, underscores the need for a comprehensive security assessment and strategy appropriate for the organization, coupled with the resources necessary to implement that strategy.
  2. Establish an appropriate risk management strategy. The committee should develop a risk management strategy that’s specific to the needs and vulnerabilities of the organization and is designed to manage the risk of an information breach to a reasonable level. HIPAA does not specifically define “reasonable,” but in general, the risk management strategy should include policies and procedures that ensure the security of message data during transmission, routing, and storage. The strategy should also include specific administrative, physical, and technical safeguards for ePHI.
  3. Roll out these policies and procedures and train staff. Implementing new policies and procedures is the biggest challenge for organizational leaders, especially as a substantial proportion of reported security breaches are due in part to insufficient training of staff. As a result, appropriate individuals should be assigned specific implementation tasks for which they are held accountable, while leaders and committee members must carefully monitor the success of implementation. All staff with access to PHI must be educated about the specific policies and procedures, which will help ensure they are upheld across the organization.
  4. Monitor risk on an ongoing basis. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk. Leaders should receive regular trend reports from the information security committee based on their ongoing assessment of ePHI security at the organization. Those reports should support the ongoing assessment of security needs as technology and health care delivery change, and act as a catalyst for changes that may need to be made to the policies and procedures over time.

In today’s increasingly complex healthcare environment, analyzing and implementing a broader policy around security across all forms of electronic communications—rather than focusing on a single mode of communication in isolation—is critical to any health system’s ability to avoid and mitigate the adverse consequences of a breach. By clarifying the confusion around electronic communications now, hospitals and health systems will be better prepared to minimize risk and maximize best-practice communication process in the future.

Terry Edwards is president and CEO of PerfectServe of Knoxville, TN.


Currently there is "1 comment" on this Article:

  1. Re: Ideally, leaders of the CE will form an information security committee to develop and execute the strategy, which includes representatives from IT, operations, the medical staff, and nursing, as well as legal counsel.

    I would add representatives from HIM. HIM professionals consider all text messages as electronic “documents” with the potential of becoming electronic “records”, just as voice mail and email messages are viewed as electronic documents with the potential of becoming electronic records.

    “Documents” are defined as any analog or digital, formatted, preserved, “container” of structured or unstructured data / information. Not all documents become records (e.g., “Hey Terry, what are U doing 4 dinner?”). Documents become “records” when they are considered to follow a life-cycle (creation / receipt, maintenance, use, security, and final disposition), have retention schedules assigned, have evidentiary value, and the content becomes locked once declared as records (“Hey Terry, W. Stock’s biopsy showed carcinoma of the left ovary.”).

    As such, HIM professionals are responsible for incorporating into and managing the text message (voice mail message, email message, etc.) as part of the patient’s electronic health record.
