HIPAA Compliant Communication
By Steven N. Solomon
Physician-to-Physician, Physician to patient, Physician to other Healthcare entities or any electronic communication that involves PHI (Personal Health Information) is covered by HIPAA and HITECH. Sadly the guidelines for texting, Instant Messaging and other electronic communication are minimal at best.
Generally, we are told to use a “reasonable standard” when protecting PHI. What that means is evolving everyday.
Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has stepped in and has provided a two (2) sentence comment that is being applied across the board. Specifically, “…it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” As JCAHO is the entity that allows hospitals and other medical organizations to stay in business, this comment has become gospel.
Because the normal SMS that is provided by our mobile telephone carries do not meet this requirement, any texting done this way, containing PHI, is considered a violation of HIPAA.
Some hospitals and medical centers have built their own e-communication system since fast and reliable communication can improve patient outcomes. These systems provide encrypted transmission, a way to verify who is sending the message, and also of import, a log of the message and or conversation that can be then added to a patient’s record.
As not every healthcare practitioner is part of a big medical center, the issue then becomes what is the solo or small group practice to do? Any system needs to have your colleague’s on board and possibly your patients.
There are web portals available that allow patients and other doctors to join so that the communication is secure. For these services it is probably easier to get the patient to join rather than other medical professionals you would communicate with.
Until you are able to safely, and securely communicate electronically and properly document your electronic communications, care must be taken. Improper communication can lead to massive fines and destroy the rapport that you have with others.