When Mac McMillan, CISSP, CEO of CynergisTek in Austin, TX, picked up the phone recently, he had a very nervous hospital administrator on the other end.
One of the three foundational security requirements is availability-the ability to access data when you really need it. Data accessibility is considered sound security practice and is a requirement per the HIPAA Security Rule (45 CFR 164.306[a][1]). If a data storage device fails, you can lose access to your patients' or health plan members' PHI. This could adversely affect patient care and service to health plan members.
The death of an infant at an Illinois hospital made national news in June 2011. Genesis Burkett passed away due to a series of errors tied to human use of the hospital's EHR systems. (The infant was born prematurely to parents who had been trying to conceive for years, and had thrived after months in neonatal intensive care until he was killed by a massive sodium chloride overdose. (You can read more about the case in the Chicago Tribune at http://tinyurl.com/8xtdqrp.)
Q Can a mental health and alcohol and chemical dependency treatment health center e-mail and text PHI between healthcare providers and between field caseworkers and patients? We have implemented a secure messaging solution, but it is the organization's policy to prohibit sending PHI via e-mail or text.
