HIPAA Compliance and Pagers
How the HIPAA Security Rule Ended Paging
HIPAA compliance and pagers have become a topic for discussion since the enactment of changes to the Privacy and Security Rules in the Health Insurance Portability and Accountability Act (HIPAA). Although not specifically mentioning pager communications, the changes to the Security Rule stipulate that a system of physical, administrative and technical safeguards must be introduced for any electronic communication to be HIPAA-compliant. The alternative is not to mention any protected health information (PHI) in the content of a message.
In the context of HIPAA compliance and pagers, healthcare organizations still relying on pagers as a channel of communication have to ensure that all communications are encrypted, that a system of message accountability is implemented, and that the facility exists to remotely remove messages from a pager to protect the integrity of PHI in the event of a pager being lost or stolen. There also has to be a process for user identification on each device, and an automatic log-out facility to prevent unauthorized access to PHI when a pager is left unattended.
Unless healthcare organizations are going to prohibit their medical professionals from mentioning any personal identifiers in pager messages, the HIPAA Security Rule effectively ended alphanumeric paging in medical facilities. As it happens, pager use is already in decline. Many medical professionals are abandoning pagers in favor of personal mobile devices. However, personal mobile devices are subject to the same rules that govern HIPAA compliance and pagers, and therefore messages sent by SMS or email still have to have the stipulated safeguards in place in order to be HIPAA-compliant.
Pagers Were Inefficient and Costly Anyway
The death of pagers in the healthcare industry will not be regarded as much of a loss by many. Even before the rules regarding HIPAA compliance and pagers were introduced, pagers were seen as time-consuming and inefficient. Regardless of whether PHI was communicated within a pager message, the recipient often has to call back the sender of the message to obtain further details and to determine its priority within their workflow. This potentially results in phone tag when one party or another is not immediately available, and the introduction of miscommunications when messages are passed on third hand. The lack of message accountability is also an issue with pager communications.
According to a study conducted by HIMSS Analytics, many senior healthcare executives persevered with pagers due to their “perceived reliance” and their ability to reach clinicians remotely. Fewer than one in five healthcare executives thought that pagers were time-saving devices – most acknowledging that the time wasted playing phone tag (calculated to be 45 minutes per day per medical professional by an earlier Ponemon Institute study) was a compromise for the reliability and access provided by pagers.
The same HIMSS Analytics study calculated that – for hospitals with 100 beds or more – the average cost per user per month of maintaining a pager communications system is $8.40. Researchers concluded that healthcare organizations are spending $179,000 per year on average on what CNN Money described in 2013 as “archaic communication technology”. The earlier Ponemon Institute study concluded that the manpower hours lost due to the inefficient nature of pagers was costing healthcare organizations an average of $557,000 per year – per medical facility.
Secure Messaging as an Alternative to Pagers
A solution to the issue of HIPAA compliance and pagers is secure messaging. Secure messaging works via apps that can be downloaded onto desktop computers or mobile devices and that operate in the same way as commercially available messaging apps such as iMessage and WhatsApp. The major differences are that the secure messaging apps only connect with a healthcare organization's encrypted communications network and that they comply with the safeguards of the HIPAA Security Rule.
The apps can only be used by authorized personnel, who have to authenticate their identity each time they log in with a centrally-issued username and PIN. Once they can access the network, medical professionals can send messages, share images and receive documents with the speed and convenience of modern technology, but with no risk to the integrity of PHI. If medical professionals forget to log out of the apps, a time-out feature removes them from the network after a period of inactivity.
All activity on the network is monitored and recorded – to ensure 100% message accountability – and access reports are produced so that system administrators can check on compliance and conduct risk assessments. Safeguards exist to prevent PHI being accidentally or maliciously sent outside a healthcare organization's network, copied and pasted, or saved to an external hard drive. In the event that a mobile device is lost or stolen, the facility exists to retract all messages sent to the device and remotely PIN-lock the app.
The Benefits of Secure Messaging Compared with Pagers
For healthcare organizations concerned about HIPAA compliance and pagers, there are three significant benefits of secure messaging compared with pagers – HIPAA compliance, efficiency and cost. Compliance with the Privacy Rule and the requirements of the Security Rule is assured when using a secure messaging solution to communicate PHI, as all personal identifiers are encrypted at rest and in transit.
Features of the secure messaging solution accelerate the communications cycle, enable medical professionals to streamline their workflows and increase productivity. The secure messaging apps also support group messaging – enabling collaboration on patient care and the coordination of hospital admissions and patient discharges. Phone tag is practically eliminated and – as mentioned previously – all messages have 100% accountability.
As secure messaging solutions operate through a cloud-based platform, there are no set-up costs or complicated software to install. Furthermore, as 87% of doctors (Manhattan Research/Physician Channel Adoption Study) and 67% of nurses (American Nurse Today study) already use smartphones in the workplace to “support their workflow”, most medical professionals are already using personal mobile devices in medical facilities. Consequently, the HIMSS Analytics study calculated the cost of secure messaging at less than $5.00 per authorized user per month.
One Final Word about HIPAA Compliance and Pagers
We have used several research studies to support the case that secure messaging is a suitable alternative to pager messaging in order to resolve concerns over HIPAA compliance and pagers. We would like to refer to one more research study to demonstrate the advantages that secure messaging can have for a very important group of individuals in the healthcare industry – patients.
The Tepper School of Business at Carnegie Mellon University conducted research into patient safety at Pennsylvania hospitals, comparing “basic” EMRs with those that were integrated with a secure messaging solution. In addition to finding benefits such as the sharing of data entry, the elimination of information overloads and enhanced collaboration between medical professionals, researchers also discovered that when a secure messaging solution was integrated into an EMR:
- Complications from procedures and tests that compromised patient safety were reduced by 25 percent.
- Medication errors caused by miscommunication and human error decreased by 30 percent.
- The hospitals recorded 27 percent fewer patient safety incidents overall.
Three more good reasons why healthcare organizations concerned about HIPAA compliance and pagers should investigate the opportunities provided by secure messaging.