The pMD Blog
POSTS BY TAG | HIPAA


As a sales manager at pMD, I spend a lot of time with medical practices and hospitals that are evaluating our charge capture and secure messaging software - learning about the ins and outs of their businesses and how we can support them. Over the past couple of years and through the introduction of our secure text messaging platform, we’ve increasingly been curious to hear what groups are doing for communication with their colleagues, as well as with outside physicians. After all, communication is critical to providing quality patient care.

I’ve heard many startling answers. These range from “We send regular texts with PHI all the time, we’re not worried about HIPAA” to “What exactly do I have to text for it to be a HIPAA violation? I really have no idea, but it sounds bad,” and “We use iMessage and try to leave out PHI, which I think is secure enough.”

How can health care providers be on such drastically different pages with government regulations, especially when violation fines can cost up to $50,000 per text message? What we’ve discovered is that there is a stark disconnect between the government bodies that write the compliance laws, the organizations that are supposed to be disseminating this information, and the providers who are supposed to be following them. The industry is still learning every day what is and isn’t OK according to these new rules and standards, and that process will take time.

There needs to be clearer direction from government agencies about how best to comply with these new rules, so providers can get back to focusing on why they got into medicine in the first place: helping patients. Implementing a good secure messaging solution is an integral step to making sure that these new regulations don’t get in the way of patient care.

2014 was beset by cyberattacks and health care privacy breaches (let’s not forget Sony’s recent escapade), so it’s no surprise that cybersecurity regulations will be heightened in 2015. Earlier this month Jocelyn Samuels, Director of the Office for Civil Rights (OCR) at the Department of Health and Human Services, addressed the severity of the current health care IT security issues:

“We are certainly seeing a rise in the number of individuals affected by hacking [and information technology] incidents, as reported by entities under our breach notification requirements, especially those due to malware compromising the security of information technology resources,” wrote Samuels. Samuels asserted the agency’s proactive HIPAA enforcement priorities for 2015 and increased focus on ePHI security.

Working with medical practices and physicians on a daily basis with charge capture, it surprises me how nonchalant many providers are when it comes to HIPAA compliance with patient data. Their goal is to care for their patients, and seemingly tedious regulations are often ignored. But a new phase of HIPAA audits is about to take place among medical organizations and will make the regulations that much harder to ignore.

Initial HIPAA-compliance audits occurred in 2011 and 2012 to determine if health care organizations were in compliance with security regulations around health care data. The rollout of phase 2 of the HIPAA audits was delayed in 2014, but the audits are expected to start in early 2015. HIPAA regulations apply to covered health care organizations as well as their business associates; those that hold or access sensitive patient data on a regular basis are eligible. Organizations found in violation of HIPAA regulations during the audits could face financial penalties.

If you haven’t done so already, and we sure hope you have, now is the time to implement a robust HIPAA-compliance policy. This includes adopting HIPAA-compliant software such as secure messaging and other data encryption techniques. It’s important to also test your systems for vulnerabilities that can leave sensitive patient information susceptible to breaches and malware. If you were to undergo a HIPAA audit today, would you pass?

Additional information for HIPAA audits, such as timing, scope, and guidelines, will be posted on the OCR website in the coming months.

Physicians have been texting each other about patient care since the invention of the BlackBerry, if not before. Texting is the perfect medium for direct provider-to-provider communication, which is critical in the hospital environment where the sickest patients need round-the-clock care by a diverse team of specialists. Since the HIPAA Omnibus changes came into effect in late 2013, medical practices have scrambled to secure their texting so that they could continue to communicate in real time while complying with the law.

Replacing SMS text messages is not without its challenges. Traditional texting is very reliable. All you need to receive an SMS text message is the barest, most minimal cellular signal - "1x," let's say, or "EDGE."

Pagers, still a staple of the medical industry, are even more reliable. They use a different wavelength that can penetrate buildings and landscapes with ease. In an industry where getting a message means the difference between a patient getting care or not getting care, it's no wonder that the pager is beloved by so many physicians. The message always arrives.

Compared to these increasingly old-school methods, secure text messaging apps offer many benefits, such as a global address book for the practice and protection of any HIPAA-sensitive patient information. But to gain all-important physician adoption, the app needs to overcome the challenges of the hospital environment where it’s hard to find a strong and reliable data signal.

For example, a pediatric hospitalist walks into the Pediatric ICU to see some patients. This room is deep within a hospital sub-basement, and she doesn’t have any data service there - just the barest sliver of phone reception. A basic secure texting app uses its own push notifications to notify users that there’s new information, but she won’t receive that app notification until hours later when she’s done seeing patients. By that time it may be too late for her to act on it, and she may have made some medical decisions without having the most up-to-date information.

A more advanced secure text messaging app also offers fallback options if a device can't be reached in a timely fashion. If the hospitalist hasn't read the message after a period of time, the app can infer that she may not have data service and try other ways to notify her that she has a message waiting, such as a regular SMS text message, or even a voice call, that serves as a reminder and carries no sensitive data. These often get through even when app push notifications don't. At this point, the hospitalist can return to a place where she has data coverage, or can find a computer on which to read the message.
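The fallback behavior described above can be sketched as a small escalation scheduler. This is an added example, not pMD's implementation; the channel names, the 5- and 15-minute thresholds, the reminder wording and all identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed escalation ladder: (seconds unread before the step fires, channel).
ESCALATION = [(0, "push"), (300, "sms"), (900, "voice")]

# Fixed reminder text used on every channel. It is a constant, never built
# from the message body, so no PHI can leave the secure app through SMS,
# a voice call or a push notification.
REMINDER = "You have a new secure message waiting. Open the app to read it."


@dataclass
class SecureMessage:
    recipient: str
    body: str                          # may contain PHI; stays in the app
    sent_at: float                     # seconds
    read_at: Optional[float] = None    # set when the recipient opens it
    fired: set = field(default_factory=set)


def due_notifications(msg, now):
    """Return the (channel, text) reminders that should fire at time `now`."""
    if msg.read_at is not None and msg.read_at <= now:
        return []                      # once read, stop escalating
    out = []
    for delay, channel in ESCALATION:
        if now - msg.sent_at >= delay and channel not in msg.fired:
            msg.fired.add(channel)     # each channel fires at most once
            out.append((channel, REMINDER))
    return out


def timeline(msg, times):
    """Poll at each time in `times`; return [(time, channel), ...] fired."""
    return [(t, ch) for t in times for ch, _ in due_notifications(msg, t)]


if __name__ == "__main__":
    # Constructed sample: recipient has no data service and never reads it.
    m = SecureMessage("hospitalist", "Constructed sample: bed 4 K+ 6.8", 0.0)
    print(timeline(m, [0, 120, 300, 600, 900]))
```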

The best secure text messaging apps embrace the unpredictability and constraints of the chaotic hospital environment. This is why pMD took into account the frustrating cell reception in health care facilities when we designed our HIPAA secure text messaging and mobile charge capture software. This is such a key usability factor that we engineered an entire system of notifications and reminders to make sure that providers would know they have a message waiting in pMD, even if they are outside of data service. An app is more than an app when it has a system backing it that makes sure the message gets delivered - it becomes a reliable tool to save lives. This provides the peace of mind that makes doctors happy.

How is it that we name things? Whether it be a new product or even a child, what goes into the process of naming it? When we started thinking about our new messaging application at pMD, we went through a rigorous naming expedition, constantly brainstorming, coming up with the craziest as well as some of the simplest ideas. Our names ranged from Soteria, the Roman goddess of safety, all the way to Bleep. In total, we came up with more than 120 names, some of them thoughtful and ambitious, others droopy and just a little too spontaneous.

I picked out some of my favorites for your reading pleasure:

- Bleep
- Can't Text This
- Odin
- Howdy
- SuperTube
- Safety Pigeon
- Soteria
- Lock & Key
- Bona Note
- Bleat
- Cryptext
- Flow
- Happy Text
- Avocado

At the end of the day, we knew we wanted to keep the name simple, precise, and to the point. Unfortunately, none of the above names seemed to fit those criteria, but that didn't mean we'd stop trying.

At pMD, our users are mostly doctors. Interestingly, that doesn't mean that the people shopping around for pMD are always doctors; they could be practice administrators, staff, and sometimes even family. We wanted to make sure that our name meant something to anyone who came across it and that it also lent itself to our brand and our already popular pMD charge capture application. So, we kept it simple and precise, naming our secure messaging application pMD Messaging. In doing so, we kept the pMD brand, the name recognition and understandability, and our sanity for another day until the likes of Safety Pigeon take over.

There are so many great mobile applications available for physicians now, ranging from mobile charge capture to mobile EHR, that smartphones have become very tightly integrated into medical practices. Data hackers may not be interested in which new diet you and your friend are currently attempting to conquer, but smartphone communication can get complicated when the subject matter is work-related and includes sensitive patient health information. It shouldn’t be a surprise that traditional SMS text messaging is not a secure way to exchange confidential information, and HIPAA enforcers do not take kindly to it.

This is one of the complex issues facing physicians, who are trying to find better ways to share patient information within their practice as quickly as possible, while also keeping protected health information, or PHI, secure. As physicians do their rounds at the hospital, they are in constant communication with others around them. This is not only true for physicians within a group who may be spread out among multiple hospitals, but also for specialists that they may work with who deal with the most critical patients where instant communication is essential.

Text messaging can greatly reduce workflow inefficiencies and is a much more effective form of communication than, say, pagers or other sluggish systems. But when physicians use nonsecure text messages to send electronic PHI, it not only puts patient data at risk but can lead to exorbitant fines and legal penalties. These fines can be upward of $50,000 for a single violation of the new HIPAA regulations concerning e-PHI as part of the omnibus final rule. Despite this financial penalty, many healthcare providers continue to use texting in their medical practices because it is both quick and convenient. When the wellbeing of the patient is top priority and time is of the essence, legal compliance can often fall by the wayside. But there is a solution so that physicians can put their patients first while avoiding costly penalties and also improving communication within their practice.

Secure Messaging + Mobile Charge Capture


Secure messaging applications are excellent communication platforms that allow healthcare providers and staff alike to exchange e-PHI securely and quickly, and it’s icing on the cake if your charge capture app also has this component. In light of recent government security scandals, secure messaging applications are growing in popularity. The number of secure messaging applications on the market is rapidly increasing, varying in form and function. Some of the notable features among these apps can include group messaging, delivery/read notifications, user authentication, and a supplemental messaging web portal.

If you’re already using a mobile charge capture application, then why add yet another application to your already extensive app inventory? Your charge capture application should have secure messaging functionality built in. This allows your information to be contained in one centralized hub where you can easily navigate within the app to message quickly and securely.