For over 10 years, the healthcare industry has been grappling with the massive HIPAA Act, a set of rules so large and vast that it has only now begun to be fully implemented across all medical organizations. HIPAA stands for the Health Insurance Portability and Accountability Act and was initially passed in 1996 as a way to ensure that citizens would have access to their medical records when requested, ideally in an electronic format.
This led to a complete overhaul of IT systems by hospitals, private practices and other health organizations. Because of the burden of these upgrades, companies were given until 2003 to make their systems compliant, with smaller plans getting until last year to be fully compliant. Now, all health records must be stored electronically, and individuals have the right to request their personal medical records, which must be turned over within 30 days.
One of the biggest pieces of HIPAA was Title II, which included the Privacy Rule. This law requires health organizations to guarantee that certain medical information, called Protected Health Information (PHI), cannot be disclosed to anyone other than the individual who requested it. Violations can lead to serious legal consequences, so, as noted above, many health organizations had to establish much stricter security policies.
The Act also gives the patient the ability to specify the way(s) they want to be contacted with the information. For example, a patient may ask not to be called at the office but on a private cell number instead, or to be emailed at a particular address. Given the potential consequences of PHI falling into the wrong hands, health organizations are extremely careful about how the information is disseminated.
This proved to be a Catch-22 for a lot of healthcare organizations as they struggled to balance the Privacy Rule with making PHI easily accessible to their patients. It also meant that a lot of new technology had to be implemented to add new layers of security. The result was that any sort of "clear text" (meaning non-encrypted) message was widely discouraged given the potential for security breaches.
Email communications were considered the highest risk given their ubiquity and the prevalence of spammers and phishers. Therefore, most providers supply PHI in an encrypted format. The burden of such technology falls on the providers, as the major Internet Service Providers (ISPs) do not readily provide encryption in their offerings, since they are simply a conduit for sending messages. Some organizations use a private-key methodology, while others simply obfuscate (hide) the entire message so that only the recipient can interpret it. Another common strategy is to use digital signatures to authenticate the sender to the receiver. Regardless of the process used, the ultimate goal is to ensure that the patient's records aren't intercepted by any outside party. Easier said than done, of course.
With texting, it becomes even trickier, as there are no true encryption standards for SMS. The carriers, for example, take no responsibility for possible interception of messages and do not offer encryption, similar to an ISP in that regard. Plus, the limited size of an SMS message makes it a poor delivery method for PHI. Most health organizations that have a text messaging component therefore use it merely to notify the patient to contact them for the results. In rare cases, some have developed a pre-established code system with the patient in the event that they want to receive PHI via text. Still, given the character restrictions of SMS, it's not seen as a very viable method for transmitting PHI.
However, texting is gaining popularity as a method of reminding patients about appointments and other time-sensitive information. For example, in South London, the UK Primary Care network is using texting to contact patients with notices such as surgery times and other general health information. Over the past 18 months, this has resulted in a 28% reduction in missed surgeries, something that can cost a healthcare group substantial money every year. Much more effective than sending a postcard to remind them!
Overall, HIPAA, while beneficial to patients in terms of access to information, has hindered healthcare organizations in terms of actually supplying the data electronically. The vast majority of PHI is still delivered the old-fashioned way: a call from the doctor. Still, advances in encryption technologies for email and eventually SMS (Vodafone just announced the first encrypted SMS service for its business clients) should eventually make digital communication channels the preferred way to receive patient information.
How do you want to receive your medical records, results and other health-related information? Share your thoughts in the Comments section below.
Until next time.