I had the honor of speaking at the 2016 Becker’s Hospital Review Annual CIO/HIT + Revenue Cycle Summit, discussing the elements needed to truly secure clinical communications with some of the best minds in the healthcare world. With a number of recent high profile news stories announcing ransomware attacks in hospitals and health systems, security and the ability to secure clinical information is top of mind for many.
Those who oversee organizational data and IT systems recognize the importance of securing communication channels containing ePHI as they build a unified communications strategy. While security and regulatory mandates are essential elements of a clinical communication strategy, to create a truly successful strategy, the needs of those who provide care: physicians, nurses, therapists and others on the care team – in any setting – at any time – must be addressed flawlessly and securely.
To do so, there a few tactics to keep in mind:
Understand what the HIPAA Security Rule actually states – There’s been a lot of confusion in the industry when it comes to HIPAA compliance and communication. I often notice that many organizations think this is all about secure text messaging, which is incomplete. The Security Rule never speaks to a particular technology or communications modality, application or device. It is technology neutral.
HIPAA compliance is about the system of physical, administrative and technical safeguards that your organization puts in place to to ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. Because of this, there is no such thing as a HIPAA-compliant app.
Understand care team dynamics – Care team members are mobile and they employ workflows to receive communication based upon situational variables such as origin, purpose, urgency, day, time, call schedules, patient and more. The variables determine who should be contacted and how to do so for every communications event.
For this reason, third parties (hospital switchboards and answering services) and disparate technologies are used in organizations’ clinical communication processes. Understanding this variety of technologies and actors is key to accurately assessing your organization’s compliance risk. And, coming up with strategies to effectively address that risk is key.
Secure text messaging is essential, but it’s not sufficient – While secure messaging is an essential component of your overall strategy, it’s not sufficient because:
- it requires the sender to always know who it is they need to reach—by name.
- it requires the recipient to always be available to other care team members 24/7.
These requirements are inconsistent with the complexity inherent in communication workflows that enable time-sensitive care delivery processes, because they don’t address the situational variables I described above.
Secure messaging is only one piece of what should be a much larger communications strategy—one that should address clinician workflows and multi-modal communications channels for all care team members.
Your goal should be to enable more effective care team collaboration – Organizations often focus on achieving HIPAA-compliance. This is a flawed objective. The focus should be on achieving more effective care team collaboration. If this is done effectively, achieving HIPAA-compliance will come along for the ride.
Six essential capabilities – An effective secure clinical communications and collaboration strategy will include the following six elements.
- It will facilitate communication-driven workflows that enable time-sensitive care delivery processes. An example of a communications-driven workflow is stroke diagnosis and treatment. When a patient with stroke symptoms presents in the ED, one of the first things the ED physician does is initiate a communications workflow to contact the neurologist covering that ED at that moment in time, while simultaneously notifying and mobilizing a stroke team to complete a CT scan to determine if it is safe to administer tPA, the drug that arrests the stroke. Time is critical. Healthcare is chock full of these kinds of workflows, executed every day in every hospital by the hundreds and thousands.
- It will provide technology that automatically identifies and provides an immediate connection to the right care team member for any given clinical situation—this is nursing’s greatest need! Your strategy should be to bypass third parties and eliminate all the manual tools and processes used to figure out who’s in what role right now given the situation at hand. Ignoring this need means you won’t achieve adoption, which means your organization will still be at risk.
- It should extend beyond any department and the four walls of the hospital. It should enable cross-organizational communication workflows. This is increasingly important under value-based care where care team members must collaborate across interdependent organizations to deliver better care.
- It should secure the creation, transmission and access of ePHI across all communication modalities—not just text messaging. Enough said!
- It should integrate with your other clinical systems to leverage the data within those systems to facilitate new communication workflows. This is key to enabling “real-time healthcare.”
- It should provide analytics to monitor your communication processes and continuously improve those processes over time.
With these capabilities in place, secure clinical communication simply becomes another positive result of implementing a broader care team collaboration strategy, designed to address clinical efficiency and improve patient care delivery.