Consider the hundreds (no, thousands) of digital communications a clinical team makes all day, every day—between nurses, physicians, radiologists, pharmacists: The list goes on and on.
Quality healthcare relies on those interactions being accurate and fast. But it also relies on them being secure to safeguard protected health information. After all, the Health Insurance Portability and Accountability Act (HIPAA) requires it.
Not abiding by HIPAA brings steep consequences, with penalties up to $250,000 per violation of “willful neglect,” according to the U.S. Health and Human Services Department.
These penalties can add up: Houston’s MD Anderson Cancer Center recently made headlines for a $4.3 million penalty incurred after three data breaches involving lost or stolen devices.
HIPAA Violations With Personal Smartphones
Of course, organizations don’t intend to commit such violations. But they happen despite even the best intentions. And if anyone on your staff uses a personal device to transmit patient data, even just once, they may be making the same mistake.
After all, the temptation to pull out a personal phone and text another care team member might be higher than you think: According to a survey reported by the American Nurses Association, 67 percent of hospitals acknowledged that their nurses used their own smartphones to collaborate at work. It makes sense—texting enables rapid communication when every minute matters, and it’s often one of the best ways for nurses to reach physicians.
But beyond the obvious problems with texting on personal devices—like distractions or infection risk—this workaround can invite HIPAA missteps by putting confidential patient data in a very vulnerable place.
Considering that cyber attacks on mobile devices are on the rise and that even seemingly harmless communications can expose protected information, the problem has the potential to get more serious with every text.
The Workarounds (and Why They Don’t Work)
Some care team members may (mistakenly) think they’re in the clear if they remove patient identifiers from the text. Someone might say, for example, “Order blood for room 322.” However, the room number is itself a patient identifier—and a potential HIPAA violation.
To be on the safe side, maybe they decide they’ll strip out even more details: “I need a medication order for your 3 p.m. hysterectomy.”
That won’t work either: Even that nondescript text poses trouble, since it runs the risk of medical errors from vague information. For all their efforts to protect information, care team members might be setting each other up to mistakenly identify patients, with devastating consequences.
And all of that assumes everything else goes right. What if the device gets lost or stolen, as with MD Anderson? Or perhaps the text is accidentally sent to the wrong person? A hospital in Maine recently came under fire for accidentally sending a list of 300 patient names to a local newspaper editor.
Such mishaps can expose those communications to people who shouldn’t see them, or leave them up for the taking by anyone at any time. Whether made by doctors, nurses, entire teams or just one person, a single mistake by anyone on your staff can put your whole organization at risk.
Leveraging a Secure Solution
For starters, clinical staff—all staff, for that matter—need 21st-century tools to do their job.
Mobile Heartbeat’s MH-CURE® Platform, for example, enables secure, specific communication without the need to remove patient identifiers. If a care team member needs a consult, they can say so with a direct message that pulls information from the EHR (thanks to the Patient Pick feature) and goes straight to the intended recipient—instead of blasting it to anyone and everyone.
By the way, your staff will know it’s the intended recipient because the platform displays each patient’s dynamic care team, in real time. Because, after all, inherent in HIPAA compliance is exchanging necessary but limited info with only those who need to see it. MH-CURE helps you do that.
And if the device gets lost or stolen, no worries: Our platform is passcode-protected and requires hospital credentials, and you can remotely remove access to reduce the chances of a breach.
Breaking Bad Habits, for Good
Yes, bad habits are hard to break—and even harder to break for good. Even the smallest things, like leaving discharge instructions on the printer or throwing a patient wristband in the garbage, can pose big trouble. Make sure your clinical staff doesn’t forget that texts can, too.
For hospitals, HIPAA violations can yield hefty fines and embarrassing blunders. For clinical staff, they can spell lost jobs. That’s incentive enough to prioritize the issue and fix it.
By investing in the right technology, you can sidestep those tendencies, curb the risks and reap the benefits of a HIPAA-compliant, worry-free tool for instant communication. We’re proud that MH-CURE helps clinical teams do just that.