Category Archives: HIPAA

Terry Edwards

Safeguarding security: 4 tactics for secure clinical communication and collaboration

By Terry Edwards  /  29 Jul 2016

I had the honor of speaking at the 2016 Becker’s Hospital Review Annual CIO/HIT + Revenue Cycle Summit, discussing the elements needed to truly secure clinical communications with some of the best minds in the healthcare world. With a number of recent high-profile news stories announcing ransomware attacks in hospitals and health systems, security and the ability to secure clinical information is top of mind for many.

Those who oversee organizational data and IT systems recognize the importance of securing communication channels containing ePHI as they build a unified communications strategy. While security and regulatory mandates are essential elements of a clinical communication strategy, a truly successful strategy must also address the needs of those who provide care (physicians, nurses, therapists and others on the care team), in any setting and at any time, flawlessly and securely.

To do so, there are a few tactics to keep in mind:

Understand what the HIPAA Security Rule actually states – There’s been a lot of confusion in the industry when it comes to HIPAA compliance and communication. I often notice that many organizations think this is all about secure text messaging, which is incomplete. The Security Rule never speaks to a particular technology or communications modality, application or device. It is technology neutral.

HIPAA compliance is about the system of physical, administrative and technical safeguards that your organization puts in place to ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. Because of this, there is no such thing as a HIPAA-compliant app.

Understand care team dynamics – Care team members are mobile and they employ workflows to receive communication based upon situational variables such as origin, purpose, urgency, day, time, call schedules, patient and more. The variables determine who should be contacted and how to do so for every communications event.

For this reason, third parties (hospital switchboards and answering services) and disparate technologies are used in organizations’ clinical communication processes. Understanding this variety of technologies and actors is key to accurately assessing your organization’s compliance risk, and so is coming up with strategies that address that risk effectively.

Secure text messaging is essential, but it’s not sufficient – While secure messaging is an essential component of your overall strategy, it’s not sufficient because:

  1. it requires the sender to always know who it is they need to reach—by name.
  2. it requires the recipient to always be available to other care team members 24/7.

These requirements are inconsistent with the complexity inherent in communication workflows that enable time-sensitive care delivery processes, because they don’t address the situational variables I described above.

Secure messaging is only one piece of what should be a much larger communications strategy—one that should address clinician workflows and multi-modal communications channels for all care team members.

Your goal should be to enable more effective care team collaboration – Organizations often focus on achieving HIPAA compliance. This is a flawed objective. The focus should be on achieving more effective care team collaboration. If this is done effectively, HIPAA compliance will come along for the ride.

Six essential capabilities – An effective secure clinical communications and collaboration strategy will include the following six elements.

  1. It will facilitate communication-driven workflows that enable time-sensitive care delivery processes. An example of a communications-driven workflow is stroke diagnosis and treatment. When a patient with stroke symptoms presents in the ED, one of the first things the ED physician does is initiate a communications workflow to contact the neurologist covering that ED at that moment in time, while simultaneously notifying and mobilizing a stroke team to complete a CT scan to determine if it is safe to administer tPA, the drug that arrests the stroke. Time is critical. Healthcare is chock full of these kinds of workflows, executed every day in every hospital by the hundreds and thousands.
  2. It will provide technology that automatically identifies and provides an immediate connection to the right care team member for any given clinical situation—this is nursing’s greatest need! Your strategy should be to bypass third parties and eliminate all the manual tools and processes used to figure out who’s in what role right now given the situation at hand. Ignoring this need means you won’t achieve adoption, which means your organization will still be at risk.
  3. It should extend beyond any department and the four walls of the hospital. It should enable cross-organizational communication workflows. This is increasingly important under value-based care, where care team members must collaborate across interdependent organizations to deliver better care.
  4. It should secure the creation, transmission and access of ePHI across all communication modalities—not just text messaging. Enough said!
  5. It should integrate with your other clinical systems to leverage the data within those systems to facilitate new communication workflows. This is key to enabling “real-time healthcare.”
  6. It should provide analytics to monitor your communication processes and continuously improve those processes over time.

With these capabilities in place, secure clinical communication simply becomes another positive result of implementing a broader care team collaboration strategy, designed to address clinical efficiency and improve patient care delivery.

Terry Hayes

Balancing act: Making data security a priority in daily nursing routines

By Terry Hayes  /  24 Mar 2016

Regardless of the hospital or specialty office, nurses are an essential piece of patient-centered healthcare delivery models. As a former pediatric nurse practitioner, I know firsthand the amount of responsibilities nurses juggle, all while maintaining the personal, bedside manner needed to ensure patients and their families feel comfortable and knowledgeable about treatment and care. Nurses are often the first and last point of contact to provide care for a patient, and a critical part of the clinical communication process, especially in the digital age.

Unfortunately, as healthcare data breaches surge and the need to prepare for HIPAA audits increases, nurses must also factor data security into their daily routines. Since 2010, the HHS Office for Civil Rights reported more than 1,400 breaches of unsecured protected health information affecting 500 or more individuals, and this number is expected to escalate. Given nursing’s dynamic role in communicating with team members across the care continuum (physicians, other nurses, patients, etc.), it’s important that nurses, as well as other healthcare professionals, are provided the right levels of secure connectivity to deliver quality care for patients efficiently.

Nurses must also understand the need for security in many of their day-to-day activities. Here are a few areas nurses must constantly keep in mind:

  • Within the care setting – Can the patient information be viewed (or heard) by anyone besides the patient? Are the connected medical devices in use secured? Could another care provider or visitor access the device if the nurse steps away momentarily? With the growing use of telemedicine, does the patient have the right set-up to participate in portals, video calls, etc.?
  • Outside of a care setting – Are documents sent to the correct printer and/or fax, and are those documents picked up quickly? Can non-authorized personnel easily access EHRs and other technologies? Are any BYOD technologies secure? Does the outside setting have appropriate procedures in place to assure patient confidentiality and, if so, are they monitored?
  • During a care transition – Do the appropriate care team providers have access to relevant information? Are there others who participate in care who should be considered? If so, what level of information should be shared with those providers? Are all communications channels, such as a voicemail or email system, fully secure and HIPAA-compliant?

While education is critically important to ensuring nurses understand how to keep patient information secure, it’s also important for hospitals and other providers to identify processes and technological solutions to improve security, meet HIPAA standards and protect the confidentiality and integrity of patient data. This is particularly true as nurses (along with the rest of the patient care team) face more pressure to meet the demands of value-based care.

Nurses: how do you make data security a priority in your day? What challenges have you run into while balancing efficient and personal patient care with security?

Terry Edwards

Insights from HIMSS16: Four key takeaways

By Terry Edwards  /  14 Mar 2016

Each year, thousands of health IT leaders come together over one week to network, collaborate and shine a spotlight on industry accomplishments, challenges and innovation at HIMSS. I’ve attended the show for the past ten years, and I’ve seen trends evolve over time – some fading quickly, others becoming a constant theme throughout the years – all representing the ever-advancing healthcare landscape.

This year, as I walked the HIMSS show floor and had conversations with other executives, physicians and vendors, I noticed the following:

  • The market is shifting beyond secure messaging – For three years I’ve been talking about the fact that secure messaging is an essential feature of an organization’s clinical communications strategy, but it’s not sufficient in and of itself. We talked to more than one organization that experienced a failed secure messaging deployment. Having learned, those organizations and others are realizing that a secure, comprehensive communication solution that can improve workflow is what is required. (It’s about time!)
  • Security continues to evolve as a top priority – Healthcare CIOs are viewing security as a major challenge, and one that must be addressed holistically. I spoke with one CIO who shared that one set of physician network credentials lost through a phishing scam required the reset of 20,000 user credentials – a major disruption to the entire organization. We also discussed the challenges of keeping information protected; it’s clear that more comprehensive security solutions are needed to avoid the disruptions and other setbacks caused by breaches. Healthcare security today must extend past the surface level and become integrated into workflow, communications, technology, etc.
  • Moving beyond Meaningful Use to optimization – For nearly a decade, Meaningful Use was king. Now that most providers have implemented EMRs, the conversation has shifted from fear of non-compliance to how we can do more with the EMR. More and more providers are looking for ways to optimize their EMR investment to leverage data, extend its usage and refine the technology so that it works more seamlessly within clinician workflow. Workflow plays such a critical role in care and physician coordination, and providers need platforms that are smart and holistic – ones consistent with reality.
  • Shifting viewpoints on the future of the industry – Depending on who you talk to, conversations around the state of the healthcare industry and its future, which were in no short supply over the course of the week, differ in tone. With many factors, such as regulations, driving change in the industry, it becomes easy to take on a negative mindset – physicians in particular become frustrated with balancing patient care, compliance, data and technology. One notable challenge is that providers have to figure out how to take responsibility for a whole episode of care when the patient’s full team of physicians may not all be in one system. However, innovation continues to lead the way, and this, too, was reflected in many positive conversations about the healthcare landscape today.

Healthcare will continue to build on what we have today, optimizing our existing technology to address broader issues, and do so much more comprehensively – raising new trends and challenges just in time for HIMSS 2017. See you there!

Save the date: HIMSS 2017, February 19-23 in Orlando, Florida

Don Dally

The outdated browser: breeding ground for cybercrime

By Don Dally, chief technology officer at PerfectServe  /  10 Mar 2016

Is your health system’s browser up to date? Too many organizations don’t know the answer to that question and are unaware of the consequences for using unsupported browsers. Or, if they do know the answer, they aren’t in a position to act on it.

Now is the time to check if your workstations are using the latest browser version available. Earlier this year, Microsoft announced that it was discontinuing support for Internet Explorer versions 8, 9 and 10. The discontinuation of this support may affect more people than you think. It means Microsoft will no longer provide vital security patches for these browser versions, leaving vulnerabilities unattended and healthcare organizations wide open to attacks. This should come as no surprise to healthcare stakeholders, who’ve seen cyberattacks increase in recent years, especially in the healthcare industry. Hackers will find a way to exploit these vulnerabilities. It’s not a matter of IF, but WHEN.

There are two main reasons why outdated browsers linger:

  1. A clinical application doesn’t support modern browsers—Many healthcare providers are running older versions of browsers because they use a legacy application from a vendor that will not work on more contemporary browser versions. In basic terms, the application is holding them back.
  2. The provider organization is not updating the browser—If, for whatever reason, the provider is not updating its browser, it requires vendors to spend an inordinate amount of time and effort making sure their applications will work across the various (often outdated) browser versions used by their customers.

Browser upgrades are a two-way street: providers must make sure they are using the most up-to-date browser version for vital security updates, while vendors must make sure that their applications and solutions support contemporary and future browser versions so they are not holding their users back.

How to keep current

Although browser choice can be an overlooked decision, it’s important that both vendors and providers stay on top of the latest versions. Here are some steps to help providers and/or vendors break the cycle of using outdated browsers:

  • Vendors should be held accountable for keeping pace with browser evolution
  • If you have a legacy application that requires an older browser, keep the browser on the workstation current and use virtualization to serve up an older browser for the legacy app
  • Ensure your organization has procedures in place to keep your browsers updated and properly patched

If you’re not sure whether you are using the most up-to-date browser, check here to see the newest version of your browser that’s available. We all have to step up to the plate and stay current. It is no longer an issue of convenience; it is a matter of patient privacy.
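As an added example (not part of the original post and not PerfectServe’s own tooling), the PowerShell below reads the installed Internet Explorer version from the standard registry key on a Windows workstation and flags anything below IE 11 as unsupported, following the post’s statement that Microsoft dropped support for IE 8, 9 and 10. The registry path and the svcVersion/Version quirk are the documented ones; the minimum version of 11, the function names and the output format are assumptions for illustration.

```powershell
# Added example, not from the original post. Reports the installed Internet
# Explorer version and flags versions the post says no longer receive security
# patches (IE 8, 9 and 10), so unsupported workstations can be upgraded or isolated.

function Get-InstalledIEVersion {
    # Standard IE registry key. IE 10 and 11 keep the legacy 'Version' value at
    # 9.x for compatibility and record the real version in 'svcVersion', so
    # svcVersion is preferred when it exists.
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties['svcVersion']) { return [version]$props.svcVersion }
    if ($props.PSObject.Properties['Version'])    { return [version]$props.Version }
    return $null
}

function Test-IESupported {
    param(
        [Parameter(Mandatory)] [version] $Installed,
        # Assumption: 11.0 is the lowest version still patched, per the post's
        # statement that support for 8, 9 and 10 was discontinued.
        [version] $MinimumSupported = [version]'11.0'
    )
    # Returns an object so results from many workstations can be aggregated.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $Installed
        Supported    = ($Installed -ge $MinimumSupported)
    }
}

$installed = Get-InstalledIEVersion
if ($null -eq $installed) {
    Write-Warning "Internet Explorer registry key not found on $env:COMPUTERNAME"
} else {
    $result = Test-IESupported -Installed $installed
    if ($result.Supported) {
        Write-Output "$($result.ComputerName): IE $($result.Installed) - supported"
    } else {
        Write-Warning "$($result.ComputerName): IE $($result.Installed) - unsupported, no further security patches; upgrade, or virtualize it for the legacy app only"
    }
}
```

Run locally on one workstation, or wrap the two functions in Invoke-Command against a list of hosts and pipe the returned objects to Export-Csv for an inventory; the Supported column then shows at a glance which machines the legacy application is still holding back.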

Terry Hayes

HIPAA regulation: The myths around integrating compliance and patient care

By Terry Hayes  /  25 Feb 2016

Keeping healthcare information flowing to the right people, at the right time, creates the potential for more effective patient care and population health management. However, a greater number of moving parts also means greater risk. With personal health data moving more frequently through an increasing variety of digital channels, the complexity of communicating securely, as HIPAA regulations mandate, is greater than ever, as is the risk to the confidentiality and integrity of patient data.

Within the healthcare industry, HIPAA is known to be intricate and difficult to navigate on the path to compliance. I’ve found that many physicians and allied healthcare professionals don’t have a solid understanding of HIPAA in terms of what’s required and how it can help to actually improve patient care. We’ve debunked a few of the most common myths:

HIPAA stands in the way of patient care – HIPAA has three core areas: confidentiality, integrity and availability. These regulations are intended to mesh with and provide a foundation for the kind of proper, efficient exchange of information that grounds new models of collaborative care. To improve clinical communication and patient care, healthcare organizations should assess how their members communicate and build compliance into the model in ways that enhance workflow. By finding secure ways to encourage and streamline the flow of information, healthcare organizations can align the need for HIPAA compliance with the trend toward greater collaboration and the goal of better patient care.

Compliance can’t pave the way for meaningful use – Organizations hold the responsibility for assessing and adopting the technologies that best serve their overall goals and structure while remaining compliant with HIPAA, a challenge that leads many to believe meaningful use can’t be achieved. The flexibility this responsibility provides to healthcare organizations is essential to achieving HIPAA’s third core tenet: availability of information. The ability to store and transmit data securely means that it can be shared among all those on the care team—keeping the right people informed in a timely manner. Security compliance actually encourages the exchange of information that can bring greater efficiencies and better outcomes in the healthcare model.

HIPAA’s complexity leaves no room for improvement in security strategies – Despite the emphasis on communication and security, the solutions most organizations rely on are fragmented. Instead, organizations should look into comprehensive strategies that incorporate all pieces of patient health information. According to a recent survey conducted by Harris Poll and commissioned by PerfectServe that examined causes for healthcare communications breakdowns, 13% of healthcare professionals admit that, to facilitate patient care, they have sent patient health information through unsecured text or voice messages from their personal smartphone in the past year. In addition, 21% acknowledge having received unsecured communications from colleagues in the same manner.

In a world of rapidly expanding communication methods and applications, it’s easy to be misguided by these myths, keeping physicians and healthcare professionals from seeing HIPAA’s true capabilities. It’s important to understand these intricacies as organizations review and work to improve their risk management strategies, and ultimately embrace more collaborative care models and technologies that make care more accessible and efficient.