One of my favorite blogs recently surveyed its advisory panel – comprised of hospital CIOs and CMIOs, practicing physicians, and a few vendor executives – to see whether their organizations were paying any attention to the HIPAA Omnibus Rule. To me, the responses were quite shocking. While suppliers viewed the final ruling as a huge priority over the next several months – primarily because we now have skin in the HIPAA game, as we too are now regulated under the ruling – providers didn’t seem to be giving it much of a focus.
That’s not to say provider plates aren’t already full enough, but many of them indicated it’s “business as usual” for their organizations and leadership teams when it comes to HIPAA. I think this stems primarily from a lack of awareness as to the many forms PHI can take and the many ways in which it can be shared and communicated between clinicians. And it’s not entirely their fault. Some vendors are doing a great job of causing confusion, pushing providers to tackle security issues in the wrong ways.
For example, when it comes to hospital-to-physician communication, it may surprise some that only a small fraction of the hundreds of thousands of clinical communications we process on behalf of our customers every month – millions every year – are mobile device-to-mobile device text messages (which seems to be all the hype these days). Approximately 90% of those communications are initiated via a phone call or the web, and most result in a secure text, alpha page, SMS text or secure voice message. These transactions represent the security risks that one should be concerned about.
A big change in the final ruling means suppliers are now also under the gun to ensure that the PHI collected, stored and transmitted by their solutions is HIPAA compliant. So it’s not surprising to me that vendors are making security of PHI a huge focus over the next several months. This is true for us, and clients are benefiting because we’ve made this a priority.
The time to wait is over. Whether you’re a supplier of technologies that support the exchange of ePHI or a health care provider, the final HIPAA ruling has implications for your organization that need to be addressed now. The financial and reputational risks are too great for organizations that experience HIPAA violations. We all have more skin in the game now, and providers will stand to benefit from increased diligence by the industry.