The evolution of communication in healthcare, from pagers to mobile devices, from paper notes to email, and from hospital visits (and re-admissions) to telehealth programs, improves both the speed and quality of care delivered to patients. For providers, secure mobile messaging and real-time access to clinical information means being able to spend more time with patients, and less time chasing down colleagues or tapping into EMRs and other clinical systems for pending reports. For patients, it offers the opportunity to receive truly patient-centered care, with all members of their care team connected and aligned on the care plan in real time.
Yet, for healthcare IT professionals, the fact that patient data can now be easily moved, processed and shared via mobile devices creates heightened concerns about data integrity, security, privacy, and overall HIPAA compliance.
At Care Thread, we understand and empathize with the concerns of healthcare organizations when it comes to maintaining the integrity of PHI, and the significant risks posed in safeguarding data and ensuring regulatory compliance. And that’s why security is core to Care Thread’s mobile and web-based approach to clinical mobility and communication.
As healthcare organizations make their final preparations for the implementation of the HIPAA Omnibus rule on September 23rd, I would like to share a few ways in which Care Thread maintains the privacy and security of personal health information (PHI), and upholds HIPAA compliance.
- *Business Associates Agreements (BAA)* – BAAs provide an overview of how a service provider meets the security and privacy provisions set out in HIPAA and the HITECH Act, as well as its responsibilities in the event of breach. Care Thread always enters into BAAs with its customers, and per the HIPAA Omnibus Rule, we maintain BAAs with our contracted service providers.
- *Network Encryption* – All network data sent and received by mobile clients is secured with AES encryption, a FIPS-compliant standard. Access to our web app is protected with SSL.
- *Network Presence* – Program administrators may choose whether to allow remote access, or to restrict access so that users must continuously remain connected to their internal WiFi networks at specific facilities in order to use the app.
- *Two Levels of Authentication* – Leveraging your organization’s Active Directory, Care Thread’s first level of authentication requires users to complete the Login Screen, where they enter their full system credentials. This is the same username and password they would use to access your organization’s email, clinical, and other systems; it must be entered when opening the app for the first time, and again after periodic timeouts or failed entries. For our second level, users are required to create a PIN. This allows quick access to Care Thread at any time from the same device, while preserving security by prompting for the PIN whenever the device has been idle or locked. Repeated failure to enter the correct PIN will return the user to the Login Screen.
- *Data Not Written to Devices* – At no time does Care Thread store protected health information to a user’s smartphone, tablet, or computer. All PHI is loaded from the network to the temporary working memory of a mobile device or secure web browser where it remains accessible only when the app is open and is flushed when locking the device, logging out, or leaving the app.
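The two-level authentication and the in-memory-only handling of PHI described above can be modelled as a small session state machine. The following is an added illustration, not Care Thread’s code: the directory check is an injected callback standing in for Active Directory, and the failure limit, re-authentication interval and PBKDF2 parameters are constructed assumptions.

```python
import hashlib, hmac, os, time

# Constructed policy values (assumptions for this illustration, not Care Thread's settings)
MAX_PIN_FAILURES = 3          # PIN failures before the user is returned to the Login Screen
REAUTH_INTERVAL = 12 * 3600   # seconds after which full credentials are required again

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store the PIN itself; store a salted, slow hash of it
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class MobileSession:
    """Level 1: directory credentials. Level 2: device PIN for quick unlock."""
    def __init__(self, verify_credentials, clock=time.monotonic):
        self.verify = verify_credentials   # stand-in for the Active Directory check
        self.clock = clock                 # injectable clock so timeouts are testable
        self.state = "LOGIN"
        self.pin_salt = self.pin_hash = None
        self.pin_failures = 0
        self.last_full_login = None
        self.phi_cache = {}                # PHI lives only in working memory while unlocked

    def login(self, username, password):
        if not self.verify(username, password):
            return False
        self.state, self.pin_failures = "SET_PIN", 0
        self.last_full_login = self.clock()
        return True

    def set_pin(self, pin):
        if self.state != "SET_PIN":
            raise RuntimeError("PIN can only be created right after a full login")
        self.pin_salt = os.urandom(16)
        self.pin_hash = _hash_pin(pin, self.pin_salt)
        self.state = "UNLOCKED"

    def lock(self):
        self.phi_cache.clear()             # flush PHI when the device is locked or idle
        if self.state == "UNLOCKED":
            self.state = "LOCKED"

    def unlock_with_pin(self, pin):
        if self.state != "LOCKED":
            return False
        if self.clock() - self.last_full_login > REAUTH_INTERVAL:
            self._back_to_login()          # periodic timeout: full credentials required again
            return False
        if hmac.compare_digest(_hash_pin(pin, self.pin_salt), self.pin_hash):
            self.state, self.pin_failures = "UNLOCKED", 0
            return True
        self.pin_failures += 1
        if self.pin_failures >= MAX_PIN_FAILURES:
            self._back_to_login()          # repeated PIN failures return user to Login Screen
        return False

    def _back_to_login(self):
        self.phi_cache.clear()
        self.state, self.pin_salt, self.pin_hash, self.pin_failures = "LOGIN", None, None, 0
```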
Care Thread also encourages its partners to provide periodic training to its employees on the basics of HIPAA and the organization’s own privacy and security policies. Using a variety of methods, including lunch-and-learn presentations, tips published in internal newsletters, and signs posted throughout the facility, organizations can improve provider awareness of PHI requirements and professional compliance.
In a vocation that emphasizes prevention of disease and malady, “an ounce of prevention is worth more than a pound of cure” when it comes to PHI and mobile connectivity.