As you know from my last post, I am doing some writing work in the healthcare industry.
As part of this work, I have been spending an inordinate amount of time in hospitals and doctors' offices.
As part of this process, I have learned about HIPAA (Health Insurance Portability and Accountability Act of 1996) laws.
HIP HIP HIPAA
The main purpose of HIPAA is to “address the use and disclosure of individuals’ health information – called ‘protected health information’ by organizations subject to the Privacy Rule – called ‘covered entities,’ as well as standards for individuals’ privacy rights to understand and control how their health information is used.”
Let me give you an example. One of the things I noticed while in hospitals and doctors' offices is that the doctors would send a text message with some patient info, such as a condition and patient name, to another doctor for a quick consult, or to a hospital admissions administrator.
Doctors do this because it allows them to handle more patients, and the patients get better service since communication is faster.
The problem is that in order to be HIPAA compliant, the ‘protected health information’ (PHI) can only be transmitted in such a way that it cannot be accessed by someone who is not authorized by the patient to view such information.
Text messages are sent on an open network, multiple copies of the messages are stored on various servers, and they are also stored on the sending and receiving phones/tablets.
This means that it is possible for an unauthorized person to get this information by hacking a server, or by getting it from a stolen or lost phone. The message travels over an open network, multiple copies of it are made, and the portable device is easily lost or stolen – all of which means the doctors and hospitals are wide open to lawsuits from patients whose information is publicly released.
Hospitals and doctors are already exposed to a lot of lawsuits, and text messaging just opens them up to a whole lot more.
Imagine Angelina Jolie’s gynecologist sent text messages about Angelina’s future baby for a consult, and later lost that phone, which was found by a kid who knew how to hack it, realized what it was, and sold the images and info to TMZ, which published it. Do you think the doctor, or the hospital she works for, has enough money to survive the resulting lawsuit?
Now this is an extreme situation, but HIPAA lawsuits have been flying around since 1996 when HIPAA was passed, and it is a real cost for doctors and hospitals.
The real issue is very big, and includes more than just the healthcare industry. The main issue here is BYOD – Bring Your Own Device – which means that employees use their own personal devices, such as phones or tablets, to send and receive business/work information.
From talking to IT managers, I have discovered that they think of BYOD like they think of Godzilla, earthquakes, volcanoes and asteroids from space on a collision course with Earth – all happening at the same time.
BYOD offers organizations both benefits and risks, but the fact is that almost all organizations will need to deal with BYOD, and put in place some kind of BYOD policy.
For hospitals and doctors the benefits are that doctors can communicate quickly with other doctors, hospital admissions, administration and patients, which allows them to handle more patients with a higher level of care. The most used form of communication is text messages, followed by emails and phone calls.
The risks are simpler – a breach of HIPAA compliance from a BYOD communication will probably result in a very expensive lawsuit and/or fines and penalties from the government.
After digging into the BYOD situation and talking to several IT department managers, it looks like there are two main approaches to BYOD:
1) Large complex and complete enterprise systems:
The IT department develops a BYOD policy of company-issued devices only, or one of taking total control of personal devices and allowing no use of uncontrolled devices.
Then the IT department spends a lot of time and money to find, purchase and implement one of the large BYOD systems like Centrify and Enterproid.
The advantage of this is that it puts total control of the devices and communications in the hands of the IT department. These systems also allow total control and security for all forms of communication.
The disadvantages are that these systems are very costly and very hard to implement, and they take a long time and a lot of resources to train and educate everyone in their use. There is also a lot of resistance from employees to the company having such control over and access to their communications.
2) Piece by piece system – app based:
In this scenario, the IT department makes a flexible and developing BYOD policy, in which the users are given devices, or use their own devices, with the products/systems/apps put into the BYOD policy for security.
An example of this is a hospital BYOD policy that uses a secure text messaging app like Tigertext, installed on all the mobile devices of the doctors, nurses and admin of a hospital.
The advantages of this approach are that such apps are much lower in price, easy to implement, and require very little training; they work on company-controlled devices and employee personal devices, are not invasive and allow for privacy, meet HIPAA compliance and lower the risk of lawsuits, and can be used to address one area first, then later address a different issue based on priority.
The disadvantages of this type of system are that it is not a complete system but requires several components to address all the areas of security and HIPAA compliance, the costs of the different components vary, and you require multiple vendor set-ups and accounting.
HOW TO KEEP THE LAWYERS AT BAY WITH TIGERTEXT
Many hospitals don’t have the funds, time, resources or IT staff to handle implementing one of the large enterprise BYOD systems to deal with doctors using their phones to text patient information.
The hospitals like the new efficiency BYOD brings them, but they are rightfully very nervous about the security and HIPAA-related lawsuits it opens them up to.
Since text messaging is the most used form of communication among doctors now, hospitals can significantly lower their exposure to legal actions and fines related to PHI breaches and HIPAA violations by securing the text messaging of their doctors and other personnel.
I looked around for various apps to address the major areas of HIPAA related forms of communications – Text, email, messenger apps, etc.
The only area in which I found something that was HIPAA compliant was text messaging, and that is the Tigertext app.
Tigertext is an app that is installed on iPhone, iPad, Blackberry and Android devices and allows for HIPAA compliant text messaging and attachments.
Tigertext is a HIPAA compliant closed network app that costs a hospital or doctor about $10 a month per seat. The closed network can utilize Tigertext servers, or the hospital’s own servers, and can also securely archive all messages.
In addition to the control that a closed network provides, the main function of Tigertext is that it automatically deletes text messages after a user-controlled period of time – which significantly reduces the likelihood that any confidential patient information (PHI) will be released or compromised.
For even more security, network administrators can force PIN lock protection as well as remotely wipe data from the app in case a device is lost or stolen.
Other important features are group messaging, an integrated company directory, and delivery and read notifications.
Since Tigertext is a simple phone or tablet app, the learning and implementation curve is measured in minutes, which makes it very quick and easy for a hospital to roll out to all its doctors.
I think that Tigertext offers a big advantage in the healthcare situation: doctors are very particular professionals who don’t like the idea of someone controlling or monitoring their communications, so with many of the large enterprise BYOD systems the doctors will resist it or, in doctor-owned hospitals, simply reject such a system.
Tigertext doesn’t have this issue, since all they see is another app on their device that provides them HIPAA compliance for their text messages – an easy solution for them.
NOT GOING AWAY
BYOD is not going to go away; actually, it is going to become a bigger part of business, life and healthcare in the next few years.
It offers the benefits of easy and efficient communication, and the risks of lost, stolen and exposed data.
In the end, the BYOD solutions may encompass many different solutions all working together to keep all data secure.