Smartphones, text messaging and HIPAA compliance

According to the Pew Research center, nearly two-thirds of Americans own smartphones. People, including clinicians, are generally comfortable accessing information, sending text messages, recording information and scheduling, among other things, using a phone. However, in the professional healthcare setting, use of a personal smartphone or other mobile device can present challenges in remaining compliant with the regulations of the Health Insurance Portability and Accountability Act (HIPAA).

In light of the recent announcement from The Joint Commission that using text messaging to submit orders is now acceptable within certain parameters, it is fair to say that technology has evolved to the point where there are fewer barriers for practices to use text messaging and other mobile applications. However, there are a few important steps to take that may increase the likelihood of remaining compliant.

One of the most important aspects of adding any new technology to a practice is to make sure that the people using it are happy about it. Al Villarin, MD, CMIO at the Burwood Group, an IT consulting firm headquartered in Chicago, says it all begins with a contract between the technological and the clinical. In order for adoption to take place across an organization, the new tool needs to fit into the existing workflow, and the best way to make sure that happens is to involve clinicians from the beginning.

Tim Needham, executive director for the healthcare solutions delivery practice at Burwood Group agrees. “Any communication system will only succeed as much as you can involve all participants,” he says. When physicians are asked to use additional tools that do not deliver additional value, they are less efficient, adds Needham. “They default back to the app they know,” which could be an unsecured SMS platform.

Perhaps equally importantly, only technologies that are shown to be HIPAA compliant should be under consideration. Since most vendors have been focused on compliance for the last several years, most of the tools they have developed are compliant. It’s likely to be more difficult to find a tool that will be widely adopted across the organization and will also increase efficiency.

Once a platform is chosen, the next critical step is making sure that everyone is using it. Needham poses an interesting question: What if a vendor has done their part and made a tool that is compliant, and the practice as an organization has chosen to implement that tool, but after six months no one is using it? He says that any application under consideration should have an “intuitive auditing or reporting tool,” and reports can show both how individuals are using it, and can identify any out of policy usage.

Health systems have a role to play, as well, because they are in a position to “fund a common tool,” according to Needham, “as well as to bring additional value through things like physician rosters, care teams and availability and status notifications.” Although independent practices can certainly benefit from the resources and support provided by health systems, there is a price to pay. Villarin says that one of the ways health systems handle security of personal devices is through a mobility device management system [MDM], which “creates an automated firewall, so that if a phone leaves the hospital it can no longer access certain things.”

However, one protocol most health systems have in place is that the administrator of an MDM can wipe all information from a device if it is lost or stolen. Villarin says, “It’s a point of contention, looking through a health system’s eyes,” and in most cases it is mandatory. “It’s not about the physician, it’s about the patient,” he said.

Needham points out that, for independent practices, the situation can be particularly difficult. “If you refer to three different hospitals in your area, you have three different systems coming at you. It’s a very uncomfortable position to be in.” Villarin adds that the way in which regulations are issued complicates the problem. “The government tells the healthcare systems to comply, but they don’t tell them how. That’s what’s missing.”