HIPAA compliance, patient data security top provider concerns
ATLANTA -- On one hand, a psychiatrist presenting at the 85th American Health Information Managers Association may have been pushing the boundaries of HIPAA, and testing his CIO's nerves, when he did a patient video consult via FaceTime in a busy airport setting. On the other, one of the nation's top health data security experts backed him up, completely.
Iverson Bell, M.D., an assistant professor and the psychiatry residency training director at the University of Tennessee Health Science Center, presented at AHIMA. He said he's been interested in using technology to support telemedicine for decades, and the iPad and iPhone, as part of the bring your own device (BYOD) movement, have recently afforded him many opportunities to manage patients on several campuses statewide. Bell said he keeps up on expert opinions written by mental health professionals regarding the HIPAA compliance ramifications of healthcare BYOD and of using particular applications for patient care. He reads trade publications' security analyses to gauge how secure certain apps are. He also huddles with university IT staff to work out strategies for keeping patient data locked down.
But, in the end, the patient comes first.
"FaceTime is considered, more or less, HIPAA compliant and I consider that safe," Bell told SearchHealthIT. "Except if you're talking in a public place like [when] I was talking to somebody in an airport, but I was in a private area. This was an emergency; I had to see him right away."
Don't be cavalier about HIPAA
Bell sees technologies such as messaging systems and videoconferencing as enablers of care, which save both practitioners and patients valuable time and inconvenience. There's no way he could see the volume of patients he does without FaceTime, he said, considering the hundreds of miles that separate the University of Tennessee campuses he serves. Videoconferencing not only saves him and the patient time and money, considering gas prices, but also creates efficiencies and enriches care coordination when he can talk to other practitioners.
He cautions practitioners to understand the security implications of the systems they are using, however. For example: Phone texts are insecure and shouldn't be used. Some email systems, too, are insecure and unsuitable for patient care. In one example he gave in his presentation, a preteen patient sent explicit accounts of her sexual escapades to Bell, which he felt amounted to receiving child pornography. That, he said, needed to be stopped by her parents and discouraged by him.
Overall, though, he believes physicians or their IT administrators can't just close the door and prohibit all of these communication methods. They can maintain HIPAA compliance, he said, by adhering to simple principles. For email communication, for example: Don't write anything in an email you wouldn't write on a postcard to a patient that anyone could see, because someone other than the recipient might see it.
"I like being able to do outreach," Bell told SearchHealthIT. "It saves everybody time and effort. You don't have to pull a kid out of school all day for an hour appointment. Or tell a geriatric patient to get up early in the morning and drive. Telepsychiatry, telemedicine allows people to do outreach."
HIMSS expert endorses the gestalt
Michael "Mac" McMillan, former Marine Corps intelligence officer and currently CynergisTek Inc. CEO, said Bell's thinking is right on the money. Many healthcare systems don't have data security leaders who can keep up with physicians like Bell who are innovating care delivery with technology tools. Unfortunately, organizations, or the consultants they hire, end up banning new technologies because of security risks instead of letting physicians use them to do what they do best: Help patients.
"[HIPAA] doesn't really say you absolutely can't do something; the rule says 'manage the risk,'" said McMillan, who is chair of the HIMSS Privacy & Security Policy Task Force. "This is going to sound terrible, but a lot of the people we have out there calling themselves security experts don't understand the theory and practice of the profession well enough to really articulate what the risk is.... Somebody who throws up walls is somebody who doesn't understand the rule well enough to find solutions."
McMillan suggested that health IT leaders should get out of the way of physicians and determine ways to assist their quest for better patient care. Instead of prohibiting tools such as FaceTime, they should ask physicians what particular workflow task they're trying to accomplish by using them. Then, figure out how to make those tools as secure and HIPAA compliant as possible in the context of the doctor's specific care workflow.
In the end, the IT staff should also work to create healthcare BYOD policies that clearly communicate security risks, be they large or minute, to the patients. Let them choose to give consent to use mobile apps like FaceTime. Or not.
"In most cases, when the patient understands and appreciates the situation, they're going to make the choice that's best for them," McMillan said. "It's their information."