The Three Categories of Communication Systems in Healthcare
Although there are many types of communication systems in healthcare, they generally fall into three categories – provider-to-provider, provider-to-patient, and internal. Internal communications include all forms of staff messaging, from requests to cover vacant shifts to emergency notifications.
In 2006, Dr. Enrico Coiera published an article in the Clinical Biochemist Review – Communication Systems in Healthcare – in which he wrote “if information is the lifeblood of healthcare, then communication systems are the heart that pumps it”. Inasmuch as the article was ahead of its time, it is unlikely Dr. Coiera could have conceived how quickly communication systems in hospitals would evolve.
Three years after the publication of the article, Congress passed the HITECH Act which incentivized the meaningful use of Electronic Health Records (EHRs). As a consequence, EHR adoption increased from 3.2% per year to 14.2% per year within six years. Then, in 2013, the HIPAA Omnibus Rule resulted in covered entities implementing communication systems that ensured the security and integrity of ePHI.
Communication Systems in Hospitals Continue to Evolve
Communication systems in hospitals continue to evolve in order to improve the delivery of healthcare and enhance productivity. For example, there are now systems for processing referrals, test results, and prescriptions; and systems for collaborating on patient care and aftercare with the objective of reducing readmission rates – which are also incentivized under the Hospitals Readmission Reduction Program.
Generally the different communication systems in healthcare fall into three categories. There are provider-to-provider systems used (for example) for patient transfers, external clinical procedures, and insurance transactions. There are provider-to-patient systems such as telemedicine consultations and appointment reminders; and there are internal messaging systems which cover a wide range of scenarios from requests to cover vacant shifts to emergency notifications.
Provider-to-Provider Communication Systems
In most cases, provider-to-provider communication systems in healthcare fall under the administrative, physical and administrative guidelines of the HIPAA Security Rule. This means covered entities have to protect the security and integrity of ePHI when it is sent or received in an electronic format and ensure the ePHI is not disclosed, amended, or deleted without authorization.
The rules regarding this category of communication systems in healthcare are extremely rigid. They include the necessity to implement ID authentication mechanisms, audit trails, and data encryption. The Department of Health and Human Services can issue substantial fines if the guidelines of the HIPAA Security Rule are not complied with – even if no data breach results from the HIPAA violation.
Provider-to-Patient Communication Systems
The most common provider-to-patient communication systems in healthcare have already been mentioned – telemedicine consultations and appointment reminders – and, although these systems do not require the same security measures as provider-to-provider, their use falls under the HIPAA Privacy Rule inasmuch as patient consent must be sought before any of these systems are used to communicate PHI and, when consent is receive, communications are subject to the Minimum Necessary Standard.
In addition to provider-to-patient systems, there are also patient-to-provider systems. These can range from remote clinical consultation services (i.e. consultation by email) to nurse call systems that alert healthcare professions to changes in patients´ conditions. Patient-to-provider systems can also be integrated into EHRs in order to automatically update patient records – in which case they are subject to the technical safeguards of the HIPAA Security Rule.
Internal Communication Systems
Whether or not internal communication systems are subject to the HIPAA Security Rule can depend on how they are configured. For example, systems that are protected by a firewall can be used to communicate unencrypted ePHI provided the Minimum Necessary Standard is complied with. In all cases, internal communications are subject to the HIPAA Privacy Rule – which can create challenges during emergencies, when patients have to be evacuated or a post-disaster surge occurs.
In these cases, healthcare organizations will be required to activate CMS´ mandated Emergency Preparedness Plans, which should stipulate how communications during an emergency are conducted. Unless the Department of Health and Human Services has waived HIPAA compliance, it is better for internal communication systems to support audit trails in order that accountability is ensured. This also applies to internal communication systems that automatically activate code calls.
Compliant Use is Just as Important as Compliant Systems
Regardless of which category communication systems in healthcare fall into, their compliant use is just as important as the compliance of the system. Effective training and safeguards can reduce the risk of a HIPAA breach; and for further advice about using each of the systems mentioned above in compliance with HIPAA, it is recommended healthcare organizations seek professional advice.