Most of the time, we're astounded by our fellow medical providers' ingenuity, insight, and intelligence.
However, new technologies bring new challenges. And new challenges can bring, well, not-so-smart ideas. As we've talked to doctors, nurses, aides, administrators, and lawyers in the medical field, we've heard some truly terrible ideas about how to protect patient data, photos, and information in HIPAA-secure ways.
In service of helping you avoid these HIPAA mistakes and misunderstandings, we bring you the 5 worst ways we've seen of protecting Protected Health Information (PHI) in the medical field:
- Do nothing. We've heard a lot of providers say that they can't worry about HIPAA because they're "taking care of patients," and a lot of organizations say that the EHR implementation is their first (read: only) priority. These justifications lead to an approach of denial and neglect, neither of which helps the patient or the provider. The patient comes first -- of course -- but part of caring for them is caring for their data.
- Wait for the EMR to incorporate pictures. We've been hearing people say they're waiting for the coming of the pictures for 10 years. Apart from the chance that your EMR provider will never effectively incorporate pictures, focusing on this misses the point. Collaboration that only happens through EMRs precludes the inclusion of any provider, anywhere, as part of the team. That means that providers at different points in the spectrum of care, less traditional providers, or providers in other places or institutions can't be part of care -- which is inefficient and ineffective.
- Never do anything that's not interoperable. Interoperability is important, and it's a fantastic priority to work toward. However, many fantastic, interoperable systems need to start with some systems that aren't interoperable -- but are the best tools for the job. Then, gradually, the organization can find ways to weave those tools together based on how the providers use them and their effect on patient care. And don't forget we need to educate ourselves and others. Comparison over time and visual trends are invaluable not only for education, but for delivering care as well.
- Only allow devices approved by the institution. In the same way that smart companies give employees the discretion to spend money if it's in service of the customer, smart institutions ensure their providers have the right tools to care for patients. Sometimes it's best if all providers use the same tools and devices. Other times, it makes more sense for providers to BYOD (Bring Your Own Device) and for a culture of trust and standards to be developed around HIPAA. Policies that help providers make the best choice around technology are most respectful of providers' -- and patients' -- lives, work, and roles.
- Prohibit any pictures or photos. We heard the General Counsel for a major health organization say that "no photos" was their HIPAA policy, and it is something we hear frequently. However, it's really impossible to turn back the tide of smartphones and digital cameras. The fact is that people, families, and providers will use photos for medical care. (And this data can be an incredible boon to progress, medical education, and collaboration.) The only question is how to provide the tools and support to make these photos safe for PHI, for patients, and for providers.