Home » Readers Write » Currently Reading:

Readers Write: Think Beyond the Text: Understanding HIPAA and Its Revisions

July 31, 2013 Readers Write 1 Comment

Think Beyond the Text: Understanding HIPAA and Its Revisions
By Terry Edwards

Every day, an increasing number of physicians and other health care providers are exchanging clinical information through a wide range of modes, including smart phones, pagers, CPOE, e-mails, texts and messaging features in an EMR. It’s no surprise that hospital and health system leaders are increasingly focused on securing protected health information in electronic form (ePHI)—a trend that has certainly invoked some confusion across the industry.

As PHI data breaches increase in frequency, hospital executives must strategize ways to eliminate security threats and remain HIPAA compliant. Especially since HIPAA violations can be extremely expensive, leaving these already-strapped organizations in an even more stressful financial situation.

In order to prioritize tangibles such as patient safety, physician satisfaction and overall efficiency across processes and hospitals, health care leadership must consider ways to tackle this confusion and maximize the benefits enabled by modern technology and electronic communications.

PHI can take a variety of paths in today’s complex healthcare environment and expose a health system to risk. But time and time again I see health systems looking to implement stop-gap measures and point solutions that address part—and not all—of the problem.

While texts are commonly sent between two individuals via their mobile phones, the communication “universe” into which a text enters is actually much bigger. It also includes creating ePHI and sending messages—in text and voice modalities—from mobile carrier web sites, paging applications, call centers, answering services and hospital switchboards.

For example, a 400+ bed hospital generates more than 50,000 communication transactions to physicians each and every month. Many of these communications contain ePHI. And if they were transmitted through unsecure networks and stored in unencrypted formats, they would represent a meaningful potential security risk to both the hospital and its medical staff.

In order to identify all potential areas of vulnerability, health care leaders need to consider all mechanisms by which ePHI is transmitted and the security of those mechanisms and processes. No mode of communication can be viewed in isolation. By failing to address all transmitted ePHI, organizations become vulnerable to security breaches with adverse legal and financial consequences, as well as loss of patient trust and reputation in marketplace.

In addition, contrary to what many health leaders have been led to believe, HIPAA provisions do not call out any specific modes of communication. Text messaging is permissible under HIPAA. The law simply stipulates that a covered entity (CE) must perform a formal risk assessment; develop and implement and effective risk management strategy based upon sound policies and procedures; and monitor its risk on an ongoing basis. These regulations apply to providers communicating PHI in any electronic form.

As a result, there is no such thing as a “HIPAA-compliant app.”

HIPAA provisions emphasize the risk management process rather than the technologies used to manage risk. For hospitals and health systems, the pathway to safeguarding electronic communication of PHI lies in the creation of an overall risk management strategy.

Ideally, leaders of the CE will form an information security committee to develop and execute the strategy, which includes representatives from IT, operations, the medical staff, and nursing, as well as legal counsel. Leaders should also consider including an external security firm in the group. Once the committee is formed, the organization should take these four essential steps for protecting the security of ePHI:

  1. Organize and execute a formal risk analysis. A formal risk analysis should break down types of technology used for electronic communication as well as the transmission routes for all ePHI. To ensure HIPAA compliance, ePHI transmitted across all channels must be “minimally necessary,” which means it includes only the PHI needed for that clinical communication. This layer of complexity, which is common in clinical communication processes, underscores the need for a comprehensive security assessment and strategy appropriate for the organization, coupled with the resources necessary to implement that strategy.
  2. Establish an appropriate risk management strategy. The committee should develop a risk management strategy that’s specific to the needs and vulnerabilities of the organization and is designed to manage the risk of an information breach to a reasonable level. HIPAA does not specifically define “reasonable,” but in general, the risk management strategy should include policies and procedures that ensure the security of message data during transmission, routing, and storage. The strategy should also include specific administrative, physical, and technical safeguards for ePHI.
  3. Roll out these policies and procedures and train staff. Implementing new policies and procedures is the biggest challenge for organizational leaders, especially as a substantial proportion of reported security breaches are due in part to insufficient training of staff. As a result, appropriate individuals should be assigned specific implementation tasks for which they are held accountable, while leaders and committee members must carefully monitor the success of implementation. All staff with access to PHI must be educated about the specific policies and procedures, which will help ensure they are upheld across the organization.
  4. Monitor risk on an ongoing basis. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk. Leaders should receive regular trend reports from the information security committee based on their ongoing assessment of ePHI security at the organization. Those reports should support the ongoing assessment of security needs as technology and health care delivery change, and act as a catalyst for changes that may need to be made to the policies and procedures over time.

In today’s increasingly complex healthcare environment, analyzing and implementing a broader policy around security across all forms of electronic communications—rather than focusing on a single mode of communication in isolation—is critical to any health system’s ability to avoid and mitigate the adverse consequences of a breach. By clarifying the confusion around electronic communications now, hospitals and health systems will be better prepared to minimize risk and maximize best-practice communication process in the future.

Terry Edwards is president and CEO of PerfectServe of Knoxville, TN.

View/Print Text Only View/Print Text Only

HIStalk Featured Sponsors


Currently there is "1 comment" on this Article:

  1. Re: Ideally, leaders of the CE will form an information security committee to develop and execute the strategy, which includes representatives from IT, operations, the medical staff, and nursing, as well as legal counsel.

    I would add representatives from HIM. HIM professionals consider all text messages as electronic “documents” with the potential of becoming electronic “records”, just as voice mail and email messages are viewed as electronic documents with the potential of becoming electronic records.

    “Documents” are defined as any analog or digital, formatted, preserved, “container” of structured or unstructured data / information. Not all documents become records (e.g., “Hey Terry, what are U doing 4 dinner?”). Documents become “records” when they are considered to follow a life-cycle (creation / receipt, maintenance, use, security, and final disposition), have retention schedules assigned, have evidentiary value, and the content becomes locked once declared as records (“Hey Terry, W. Stock’s biopsy showed carcinoma of the left ovary.”).

    As such, HIM professionals are responsible for incorporating into and managing the text message (voice mail message, email message, etc.) as part of the patient’s electronic health record.

Subscribe to Updates



Text Ads

Report News and Rumors

No title

Anonymous online form
Rumor line: 801.HIT.NEWS



Founding Sponsors


Platinum Sponsors































































Gold Sponsors















Reader Comments

  • Annon: 100% agree, this is vaporware, they are not doing anything remotely close to interoperability. Not the only ones though,...
  • Brian Too: Wait... I thought that any voids in the brain automatically filled up with cerebro-spinal fluid? Wouldn't an air void c...
  • Ophelia: Where are you seeing the 97% MIPS claim? I'm aware of their claimed 97% attestation rate for MU, but I haven't seen anyt...
  • Sue Powell: Re: "airhead". Maybe Q04.9 Congenital malformation of brain, unspecified or G93.9 Disorder of brain, unspecified? #notac...
  • Not Mr. Bush: It is very interesting that they claim to be able to guarantee something that is so dependent on physician behavior....
  • Debtor: Athena has a long history of supporting MU and PQRS attestation. It wouldn’t surprise me if they have insight into the...
  • Frank Discussion: Cerner--the best Visual Basic 5 application our tax dollars can buy! Then there's CCL (*vomits into nearest trashcan)...
  • Stormy MU: Hi, Does anyone have any feedback on athena's claim of 97% MIPs success rate? How can they publish that when 2017 at...
  • HypocritOath: This post was all over the place, but I can't help but notice some huge inconsistencies in your stance here. In one ...
  • HIT Girl: Holmes swindles people out of millions, pays a fine (with the swindled money?!), and is sent to CEO-timeout for a few ye...

RSS Industry Events

  • An error has occurred, which probably means the feed is down. Try again later.

Sponsor Quick Links