
Stay safe from HIPAA violations with DocbookMD member benefit
Michael Senter, CEO, DocbookMD
Dallas Medical Journal, November 2018
In today's connected world of health care, you're right to be concerned about document security and HIPAA compliance.

As the methods used by hackers mature, healthcare data is now a high-value target. The cost of any type of breach — either electronic or human — goes beyond the direct cost of data loss and includes fines (up to $1.5 million for each case) and penalties related to HIPAA violations. DocbookMD — designed by and for physicians — has been working with protected healthcare information since 1998, and every DocbookMD employee undergoes HIPAA training and assessment.
The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, contains no specific provision about using text messaging to share Protected Healthcare Information (PHI). However, strict regulations prohibit communicating PHI via any unsecure electronic format, and because standard text messages are neither sent nor stored securely, at least not to the high standard that HIPAA requires, texting is not an option for sharing confidential data at HIPAA-covered entities.

Given the prevalence of cellphones in health care today, and the ease and familiarity of text messaging as a form of communication, avoiding nonsecure text messaging entirely is easier said than done. At times, a quick text message to a colleague is the best or only option. In such cases, it is critical that no PHI is exchanged.
More specifically, health information that contains any of the following 18 identifiers is PHI and must be treated with special care:
• Names — first names and surnames.
• All geographical identifiers smaller than a state. However, if the geographical unit identified by the first three digits of the ZIP code contains fewer than 20,000 people, those digits must be replaced with 000. See the HHS.gov Health Information Policy for further details.
• Dates (other than year) directly related to an individual — for example, date of birth and significant medical dates.
• Phone numbers.
• Fax numbers.
• Email addresses.
• Social Security numbers.
• Medical record numbers.
• Health insurance beneficiary numbers.
• Account numbers.
• Certificate/license numbers.
• Vehicle identifiers — this includes serial numbers and license plate numbers.
• Device identifiers and serial numbers.
• Web Uniform Resource Locators (URLs).
• Internet Protocol (IP) address numbers.
• Biometric identifiers — for example, fingerprints, retinal images and voiceprints.
• Full face photographic images and any comparable images.
• Any other unique identifying number, characteristic or code — this excludes the unique code assigned by the investigator to code the data.
The expense of failing to comply
Because of the efficiency and potential cost savings, many healthcare providers have adopted a bring your own device (BYOD) policy in their organizations. As a result, clinicians are more tempted to communicate with each other via nonsecure messaging apps that are familiar and more convenient — but not HIPAA compliant, increasing the risk of sensitive data being lost, sent to the wrong recipient, or intercepted.

An organization that commits any breach of PHI could face fines of up to $50,000 per incident, per day, that the breach remains unresolved. This financial burden plus any reputational damage suffered can be a fatal combination for small- or even medium-sized healthcare facilities.
DocbookMD offers a free solution
To avoid these costly repercussions, HIPAA-covered entities should invest in secure tools that keep PHI protected, streamline communications, accelerate workflows, and enhance collaboration. DocbookMD does this and more, and is a free DCMS member benefit. Take advantage of your benefits and communicate in a HIPAA-compliant manner with your DCMS colleagues. Learn how DocbookMD is improving communication and compliance; visit www.docbookmd.com.