HIPAA compliance, patient data security top provider concerns
A comprehensive collection of articles, videos and more, hand-picked by our editors
Healthcare providers who don't have their own secure, in-house Short Message Service (SMS) texting software have...
a grave HIPAA compliance problem on their hands, because nurses and physicians are likely already using the unsecure text-messaging apps that come with their personal smartphones, according to CIOs and other senior health IT leaders that SearchHealthIT interviewed.
"If you don't provide a communications system, they will find one, and they're going to use it, regardless," said Sally Reeves, healthcare project director at Frisbie Memorial Hospital in Rochester, N.H. "Things happen too quickly now in hospitals, and information needs to be distributed at such a fast pace in order to coordinate the next thing that's needed. We're under such constraints to get patients out in certain periods of time. They only have so many hours or days here based on their diagnosis, so you have to be speedy in getting results back, setting up the next test, all of those types of things."
Potential HIPAA violations start with the lack of proper encryption, audit logging and smartphone security issues such as messages kept in-memory that can be read by whoever's using the phone. The value of texting between practitioners, however, is a no-brainer, Reeves said. Text communication not only cuts down on call volume, but it saves time and makes patient care much more efficient, because there are no callbacks, missed voicemails or misdirected messages.
"In the years that I've been involved with healthcare, nursing in particular, there've always been communication delays, difficulty finding people; you're put on hold while somebody else is coming to the phone," Reeves said.
That's been going on for years, she added, but what really "brought us to our knees" was a new workflow in which a decentralized plan put nurses at 16 substations spread over four floors of the hospital tower. Without integrated mobile devices, communications across nursing units became exponentially more complicated than the previous centralized model.
Enter secure, HIPAA-grade SMS
Secure texting systems can mitigate many, if not all, of the logistical and compliance problems that traditional phone communications and default smartphone SMS texting pose to healthcare organizations. Frisbie elected to set up a system from Voalte Inc.'s Voalte One, which connects iPhones and the hospital's computers and phones via Voice over Internet Protocol (VoIP) and logs practitioners out of the system once they leave the building.
Frisbie undertook a deliberate, measured evaluation process before choosing a vendor and implementing a secure messaging system. Here are some of the lessons Reeves and her team learned along the way:
- Benchmark existing processes to determine the new system's potential benefits. In Frisbie's case, to justify purchasing a secure texting system, Reeves and her peers conducted time studies of common workflow processes: Average time for page response, calling for a practitioner and the time it takes to get that person on the phone, etc. Their baseline averaged three to 10 minutes for most processes.
- Find pain points and analyze their cause. The emergency department was where Frisbie's thorniest communication problems were. They inventoried all the different devices practitioners were using and their communication methods for everything from summoning peers to passing on lab results. To supplement the analysis, they followed a patient through an emergency department visit, looked at each communication instance, and then mapped where each message went within and outside of the department to get a better handle on where a texting system could shore up inefficiencies. While Frisbie went with Voalte, Reeves said, the setup would not be ideal for fax-intensive workflows.
- Consider many vendor options. Frisbie examined the pros and cons of a closed system of 3G phones, communications badges and iPhone VoIP messaging systems to solve their communications problem, which they had boiled down to "eliminating the middleman" between practitioners, the person answering the phone and delivering messages.
- Check out other hospital sites. Prospective vendors will line up visits to their customers' sites; take advantage of this opportunity to talk with your counterparts there and ask them the burning questions you have about workflow and feature sets. But, Reeves advised, buyers beware: "Everywhere we went, people were happy with what they had -- but only because they had nothing before."
- Understand the nature of your clinical communications. At Frisbie and many other hospitals, Reeves suspects, the majority of practitioner-to-practitioner communications aren't long discussions or consults. Rather, it's one practitioner passing on a piece of information to another, or asking a very specific question to elicit a very specific answer. Those conversations were perfect for texting, cutting down the noise of phone conversations and making care happen more quickly.
- Decide what to pipe through the messaging system. Messages such as device alarms, pages, lab results, emergency codes and many data points beyond what practitioners type into their phones can be linked through secure messaging.
- Sell the HIPAA compliance benefits to administration. While the aforementioned data security pieces and possible EHR tracking are fairly direct HIPAA compliance benefits, you'll probably find more subtle ones, such as when a nurse is texting a question about a patient and not talking on their phone or in the hall; there's less risk those HIPAA-protected details will be overheard by people uninvolved in that patient's care.
- Consider the bring-your-own-device implications. Voalte is testing an iPhone app, and Reeves is pretty sure Frisbie will implement it when it's ready for prime time. For now, though, she points out that since her facility currently owns the iPhones practitioners use, they're configured to promote maximum HIPAA policy compliance. IT disables the camera on them, prevents Web browsing (and risking vulnerabilities to patient data through Web predators) and sets up geofencing, which erases clinical data when a phone leaves the premises.
- Consider the infrastructure upgrades the new system will require. In Frisbie's example, the implementation team had to make sure they had strong Wi-Fi wherever the iPhones would be used, lest communications ground to a halt in weak signal zones.
- Start small and expand. Build the workflow unit to unit, Reeves advised, which is much preferable to facility-wide big-bang.
- Set goals and metrics to measure your progress once the new platform is established, and work to meet them. Success to Frisbie was reducing the call volume between practitioners. Before the secure texting system, they made about 1,500 calls a week, which was reduced to fewer than 200 a month after, and now, "we only receive calls from outside the hospital," Reeves said. Practitioners send about 60,000 texts a month to each other.
- Build flexibility for expansion into the plan. While it wasn't part of the original rollout, Frisbie's implementation team quickly realized that ancillary services workers -- such as physical therapists who couldn't locate their patients for therapy because they weren't in the iPhone messaging loop, emergency preparedness staff, physician practices away from the hospital and ambulance services -- needed to be given access to Frisbie's Web client to complete the messaging workflow streamlining the system created. The medical records department now is part of the 1,000-employee legion using the system, too, using it to track down physicians who need to sign charts.
Lastly, enjoy the silence secure SMS messaging systems bring, which for Reeves was an unexpected benefit she immediately realized when visiting the step-down and intensive-care units of a Voalte hospital in Florida.
"That floor was quiet," she said. "On a monitor unit with alarms going off and phones ringing and overhead pages, that would never be the case. People weren't yelling down the corridor shouting, 'Hey, can you come help me?' It wasn't going on at all."