To find the right solution for your organization, you must understand how and why employees are using messaging and email services.
"You want a solution that's easy to use, and that's within the work environment of whoever is sending the message," Apgar says. Apgar's case in point is Oregon's state-sponsored CareAccord Direct Secure Messaging email service. The service doesn't connect to all EHRs or an organization's email service. Users have to log in through the website to send a message. Busy employees, he points out, particularly clinical staff like physicians, are unlikely to use a service that requires them to go out of their way, making it a poor choice.
Text messaging solutions directed at the healthcare industry were not always common and user friendly. Until about a year ago, there were few mature products on the market for securing text messages, Apgar says. The ones that did provide good security had serious usability limitations as most could only be used to communicate with other people in your network. A specialist, Apgar says, wouldn't have been able to send a quick, secure text to his or her patient's primary care doctor if the doctor was not part of the specialist's organization. Some services, like Tiger Text and HipaaChat, offer a solution to this problem. (See the March 2015 issue of BOH for more information about Tiger Text.) If the sender uses Tiger Text, but the recipient does not, Tiger Text delivers a text message that includes a link to the now encrypted text message. When the recipient clicks the link, the browser on the mobile device opens up to the text message, which is encrypted at a National Institute of Standards and Technology standard 256-bit encryption.
Keep in mind, however, that you have to treat text messaging the same as email. Device security and storage need to be analyzed. Burton warns that some may not realize the text messages on their phones leave traces of data behind.
Apgar agrees. "They don't understand that ultimately the cell phone carrier has servers that back up your texts, and you have it [stored] on your phone," he says.
Submit your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com and we will work with our experts to provide you with the information you need.
Q: Our front desk receptionist has asked the following question regarding residents who are admitted to our long-term care facility. If someone calls the front desk asking for information on a resident, such as "Is (resident) in your facility?" or "What is their room number?", would this information be considered PHI?
A: The answer is not straightforward when it comes to long-term care. It all depends on the care setting. If care is provided in an assisted living facility and the assisted living facility does not provide healthcare services, such as nursing care related to treatment or a clinic on-site, the information is not PHI. On the other hand, if the facility is a skilled nursing facility (SNF) and is providing what HIPAA defines as healthcare, it would be considered PHI. That doesn't mean the receptionist cannot share the information about whether a resident is at the facility or the resident's room number. Similar to a hospital, a long-term care facility could maintain a facilities directory. Unless the resident has specifically requested he or she not be included in the facility directory, you can share whether a resident is at the facility and where the resident is located in the facility. Providing more information would be prohibited. Review the long-term care regulations in the state in your state.
Editor’s note: Chris Apgar, CISSP, president of Apgar and Associates in Portland, Oregon, answered this question. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
Prevention is better than a cure. In the world of HIPAA privacy and security, training and awareness are among the most important aspects of prevention. The best laid policies and procedures won't keep your patient's PHI safe if no one knows how or why to follow them. But effective and engaging training methods can be elusive. Employees and administrators might begin to treat their annual training as routine, going through the motions to get their certificate, and then falling victim to a phishing attack that could have been avoided. New hires may be overwhelmed by the scope of HIPAA?it's a huge law?or struggle to connect it to their job duties. Developing education and awareness strategies that capture employees' attention and build privacy and security into the culture of their workplace can be a tall order.
Security officers may sometimes feel that they're asked to do too much with too little. Limitations surrounding staffing, budgets, or resources, or an administration that simply doesn't understand the importance of information security, can make a difficult task even more complicated. In some organizations, information security is a relatively new department and might lack the connections and relationships that more well-established departments rely on for support. Security needs allies. Fortunately, there's one they may already work closely with who is ideally suited: internal auditors.
Q: What is the recommendation for retaining hard copies of medical records once they have been transferred to an EMR system?
A: This varies quite a bit depending on your storage capabilities and state retention laws. I am aware of some organizations that keep these records for 3?6 years (until the statute of limitations has run out), but this is a very conservative approach. I have also seen six months and one month. I would suggest ensuring you have a rigorous scanning quality control process to reassure yourself that you in fact have the scanned documents and they are readable. I would recommend that you keep the hard copies for at least one month after scanning. You might also want to consult legal counsel on this matter.
Editor's note: Simons, director of health information and privacy officer at Maine General Medical Center in Augusta, answered these questions. She is also a HIM Briefings advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.
