Bringing Secure Healthcare Communications Up-to-Date
The 2013 Final Omnibus Rule brings secure healthcare messaging up to date almost two decades after HIPAA was enacted, and the revised regulations acknowledge that changing work practices and technological advances have increased the risk of protected health information being compromised.
A recent survey conducted by the Health Research Institute found that 81 percent of physicians use one or more personal mobile devices to access protected health information or to communicate with their patients. That raises the possibility of a breach, especially when those devices are used on open Wi-Fi networks or public cellular networks, where unencrypted traffic can be intercepted.
The potential for protected health information to be compromised also exists when a mobile device is lost, stolen or sold. Consequently, the revised HIPAA regulations for secure healthcare messaging include the following criteria:
- Organizations must operate a secure healthcare communications system that controls who has access to protected health information and how it is used.
- Risk assessments should be conducted regularly to identify threats to the confidentiality and integrity of protected health information and any breach of the secure messaging system.
- All patient data within the system should be encrypted, in transit and at rest, so that employees and sub-contractors can work with the data while an intercepted or mislaid copy remains unreadable to anyone without the key.
- The system should also prevent employees and sub-contractors from storing protected health information locally on their personal mobile devices.
- Procedures should exist so that employees and sub-contractors can immediately report the loss, theft or disposal of a device, and the affected user or device can be removed from the system at once.
According to the 2013 HIPAA rule changes, when the protected health information involved in an incident was “unusable, unreadable or indecipherable” to unauthorized persons (in practice, because it was properly encrypted and the decryption key was not compromised along with it), the incident is not a reportable breach: there is no need to notify the patient or to file a breach notification with the US Department of Health and Human Services.

In addition to penalties from the Department of Health and Human Services when a breach of protected health information does occur, organizations and individuals may also face civil legal action brought by a patient whose records have been compromised. HIPAA itself gives patients no private right of action, so such suits are brought under state law.
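The last three criteria above, together with the safe-harbor rule just described, amount to a concrete design: protected health information is encrypted so that a lost handset holds only indecipherable data, and a loss report revokes that device's access. The Go program below is added here as an illustration; it is not code from the article or from any messaging product. It sketches one way to meet those requirements: a server-side DeviceRegistry issues each enrolled device a random AES-256 data key that is released only at session start, messages are sealed with AES-GCM, and ReportLost destroys the key so the ciphertext cached on the device can no longer be opened. The registry, the device ID, the sample message and all function names are assumptions made for the example; device authentication, hardware-backed key storage and audit logging are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceRegistry is the server-side record of enrolled handsets: device ID to a
// random AES-256 data key that lives only on the server. (Hypothetical design.)
type DeviceRegistry map[string][]byte

func (r DeviceRegistry) Enroll(deviceID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	r[deviceID] = key
	return nil
}

// ReportLost is the "lost, stolen or disposed of" procedure: destroying the key
// leaves any ciphertext cached on the handset indecipherable to everyone.
func (r DeviceRegistry) ReportLost(deviceID string) {
	delete(r, deviceID)
}

// ReleaseKey hands the data key to an enrolled device at session start. Device
// authentication, which a real server would check first, is omitted here.
func (r DeviceRegistry) ReleaseKey(deviceID string) ([]byte, error) {
	key, ok := r[deviceID]
	if !ok {
		return nil, errors.New("device not enrolled or revoked")
	}
	return append([]byte(nil), key...), nil
}

// NewMessageCipher builds an AES-256-GCM AEAD from a released data key.
func NewMessageCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts PHI and prepends the random nonce. aad (device ID plus message
// ID) is authenticated, not encrypted, so a blob cannot be moved to another slot.
func Seal(gcm cipher.AEAD, aad, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails on any tampering with the ciphertext or aad.
func Open(gcm cipher.AEAD, aad, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// LostDeviceScenario walks one handset through enrolment, a cached message and a
// loss report: was the cached PHI readable before, and is a key released after?
func LostDeviceScenario() (readableBefore, keyReleasedAfter bool, err error) {
	reg := DeviceRegistry{}
	const device = "phone-0042"                              // constructed sample device ID
	phi := []byte("Patient 1234: HbA1c 7.9%, adjust dosing") // constructed sample PHI
	aad := []byte(device + "|msg-1")
	if err = reg.Enroll(device); err != nil {
		return
	}
	key, err := reg.ReleaseKey(device)
	if err != nil {
		return
	}
	gcm, err := NewMessageCipher(key)
	if err != nil {
		return
	}
	cached, err := Seal(gcm, aad, phi) // the handset stores only this blob
	if err != nil {
		return
	}
	pt, err := Open(gcm, aad, cached)
	if err != nil {
		return
	}
	readableBefore = string(pt) == string(phi)
	reg.ReportLost(device) // the user reports the phone stolen
	_, releaseErr := reg.ReleaseKey(device)
	return readableBefore, releaseErr == nil, nil
}

func main() {
	fmt.Println(LostDeviceScenario()) // true false <nil>
}
```

Running the program shows that the message was readable during the session and that no key is released once the device is reported lost; the associated data also binds each blob to a device and message ID, so a ciphertext lifted from one handset cannot be opened under another device's session. The safe harbor only holds if the key never reaches persistent storage on the handset: an app that caches the key locally hands a thief both halves, and the data is no longer "indecipherable".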