Five inadvertent HIPAA violations physicians make*
e-Reports, Jan. 27, 2014

Doctors don’t plan to violate HIPAA, but in this digital age you may do it precisely because you did not plan ahead. The recent final rule of the HITECH Act confirms that even if you are unaware of a violation, you may be fined a civil penalty of $100 to $50,000 per violation. Now is the time for even the most resistant physician practices to pay attention to how they handle protected health information (PHI).

The solution? DocbookMD partners with the ISMA to bring you a free, HIPAA-secure messaging app that provides the extra security needed to avoid each of these potential pitfalls. Contact DocbookMD today for more information.

Visit here or call 1-888-930-2048.

Also, see the federal government’s official site for mobile devices and HIPAA.

Here are five common ways physicians break HIPAA/HITECH privacy and security rules without even knowing it.

  1. Texting PHI to members of your care team – The scenario is simple: You’ve just left the office, and your nurse texts you that Mr. Smith is having a reaction to the medication you’ve just prescribed. She has included his name and phone number in the text. You may know that texting PHI is not legal, but feel justified because it is a serious medical issue. Perhaps you even believe deleting the text right away will protect you – and Mr. Smith.

    In reality, this text message containing PHI has just passed from your nurse’s phone, through her phone carrier, to your phone carrier, and then to you – four vulnerable points where this unencrypted message could be intercepted or breached. For secure messaging, this type of message must be encrypted as it passes through all four points of contact. Ideally, both sender and recipient should be verified and should have signed a business associate agreement.
  2. Taking a photo of a patient on your mobile phone – To some this will sound silly; to others it is as common as verifying a rash with a colleague or following the margins of a cellulitis day by day. Simple enough, but if these photos are viewed by eyes they are not intended for, you may be in violation of your patient’s privacy. It is important to know where and how patient information and images are stored.

    Taking a photo securely is just as important as sending the message securely. DocbookMD allows photos to be taken within the secure messaging app itself; images are never stored on your phone or in your phone’s photo album. Always use this type of feature when taking any photo of a patient or of patient information.
  3. Receiving text messages from your answering service – Many physicians believe that receiving a text message from a third party, such as an answering service, means they are not responsible for any HIPAA violation. This is simply not true. Many services send a patient’s name, phone number and chief complaint via SMS text. The answering service may verify that the message is encrypted on their end, but if PHI pops onto the physician’s screen, it is certainly not secure on that end – and this is where the physician’s responsibility lies. Talk with your answering service today to see how they are protecting you at both ends of the communication.
  4. Allowing your child to borrow your phone that contains PHI – Many people let their kids play with their phones, perhaps to play games in the car. If your phone has an app that can access PHI, you may be guilty of a HIPAA breach if that information is viewed by or sent to someone it is not intended for. The simple fix is to use the PIN-lock feature on your messaging app – and for double protection, always password-protect your phone itself.
  5. Not reporting a lost or stolen device that contains PHI – Losing your smartphone or tablet is a pain for many reasons, but did you know that if you have patient information on that device, you could be held responsible for a HIPAA breach if you don’t report the loss right away?

    The ability to remotely disable an app that contains or handles PHI is an absolute must for any technology that handles communications in a medical environment. Be sure to ask for this feature from any company claiming to help you be HIPAA-compliant in the mobile world.

Remember: being HIPAA-compliant is an active process. A device can claim to be HIPAA-secure, but it is the individual who must ensure compliance.

*Reprinted with permission from Tracey Haas, D.O., M.P.H., co-founder of DocbookMD.

Copyright: Information written and displayed on www.ismanet.org is the property of ISMA and may not be reproduced without expressed written permission of the Indiana State Medical Association.
