ClickCare Café

BYOD | Is Any Smartphone HIPAA Secure for Medical Providers?

Posted by Lawrence Kerr on Thu, Aug 14, 2014 @ 03:04 PM

iphonenew resized 600

When President Obama came into office, there was quite an uproar about whether he'd continue to be able to use a smartphone for his communications. Eventually, a lab was established where experts worked for months to create a secure smartphone for the president to use and he's now often seen typing away on his device -- called "Blackberry One."

Of course, the president's security needs are a little greater than the average person's. But with 67% of nurses using their smartphones to support clinical communications and workflow, many BYOD issues are arising for institutions, and many medical providers are using smartphones for telemedicine and other uses. So, many people have wondered:

If the president wasn't cleared to use an off-the-shelf iPhone, Android, or Blackberry, is any smartphone actually HIPAA secure for medical uses?

The short answer is yes, but only if you use the devices in certain ways. Using a smartphone, like an iPhone, to make a call or send text messages may not be secure. That's why the president couldn't use it. Further, as we know, email is never HIPAA secure, much less on a smartphone.

However, logging into an app like iClickCare on your smartphone, Android, or iPhone is actually HIPAA secure. You're absolutely HIPAA safe and protecting PHI (protected health information), including patient data, pictures and videos of the patient, and collaborations with other medical professionals, if: 

  1. Data is NOT stored locally on the device
  2. The company that makes the app promises HIPAA compliance and does rigorous and constant checking of that HIPAA compliance.

So, yes -- use technology to care for your patients. Just be smart about using the right technology for the right use.

Curious what everyone means when they talk about Hybrid Store and Forward Telemedicine as the best way to collaborate in a HIPAA safe way? Get our free guide here: 

ClickCare Quick Guide to Hybrid Store-and-Forward

Tags: telemedicine, HIPAA, HITECH, Personal Health Information, compliance

Sports Medicine | Whose Health Is It, Anyway?

Posted by Lawrence Kerr on Tue, Jun 24, 2014 @ 04:58 PM

athleteteaminterests resized 600

In high-level sports teams (whether college or professional teams), there is a lot that is done for the athletes. Logistics are coordinated for them and tutors may be arranged when necessary. Food, travel, and training are all figured out on the athletes' behalf. Schedules are usually pretty tightly controlled, and everything is customized for the individual player.

Most of the time, this is a pretty fantastic arrangement. The athlete doesn't have to worry about the details outside of his or her athletic performance (and in the case of the college athlete, his or her academic performance.) And the team is able to use its perspective and knowledge to choose the best structures and support for the team.

Things start to get a little less clear, however, when there is a health issue or injury. Very quickly, "Plan A" becomes irrelevant, and the trainer, coach, player, and medical providers have to come up with a Plan B. All of which, of course, forces the question:

When athletes are sick or injured, where do their rights end and the team's rights begin? Do trainers and coaches have a right to share health information and take part in decisions?

Especially with more severe health issues, conflicts can emerge between the interests of the team and the interests of the athlete. For instance, if an athlete could continue playing with a knee issue for a few years, but would experience restricted mobility 5 years down the road, what should be done? Often, the athlete himself would choose to keep playing despite the long-term consequences, but what if he wishes not to while the team needs him to play? Interestingly, the National Athletic Trainers Association does not seem to address this conflict in their code of ethicsAs we discussed recently: "there can sometimes be a contradiction between supporting a young athlete in reaching his full potential today and preparing him for his life after sports. Second, the athletic trainer and department must consider the needs of not just "this" athlete -- but of all the athletes on the team, present and future."

These are complex issues with no easy answer. However, as medical providers who have worked with athletes and teams from Little League to the Major Leagues, we have noticed some patterns. In short: the more that the athlete's medical providers collaborate and communicate, the fewer conflicts arise. When we've used iClickCare to facilitate communication among a surgeon, an athletic trainer, a physical therapist, and the family doctor, everyone seemed to quickly arrive at a good conclusion. However, when there is little collaboration or communication, that's when folks seem to dig in and see less alignment and more conflict.

How have you made sure that team and athlete interests are all respected when health issues occur? We'd love to learn from your experience in the comments below.

Read more about how medical collaboration changes things:

ClickCare Quick Guide to Medical Collaboration

Image courtesy of wvutech on Flickr, used under Creative Commons rights.

Tags: medical collaboration, coordinated care, HIPAA, Personal Health Information, healthcare collaboration, athletic trainers

HIPAA Violations, Audits, and Medical Collaboration

Posted by Lawrence Kerr on Mon, Feb 27, 2012 @ 09:28 PM

There are both moral and regulatory reasons to protect our patients' privacy.

HITECH and HIPAAHIPAA and HITECH, at times, seem to be over the top. The regulations have certainly been interpreted, reinterpreted, over implemented, and a plethora of “saviors” has created an entire industry around them. I doubt some of the extreme responses to fear of enforcement and fear of technology are intentional, but never-the-less, we live with the unintended consequences that make our day difficult at best, impossible at worst.

That said, there seems to be 3 active responses by providers:

  • Ignoring the rules.
  • Never confronting the problem by never coming out of one's silo.
  • Begrudgingly, following the rules, but hurting the patient.

How many times have you heard (or said): 

  • “I just send an email.”
  • “I just send an email, but I asked the patient.”
  • “I am the doctor (nurse, therapist), I do what is right, the rules are stupid and don’t matter.” 

These are dangerous (to self and patient) responses to an impossible situation. There will be continuing enforcement, and there are easier solutions. We offer a good one.

Review this graphic from OnLine Tech. First, HIPAA audits are funded. $9.2 million to KPMG for 150 audits and $182,000 to Booz Allen Hamilton for Audit Candidate Identification. The funds come from the Office of CIvil Rights. Completion date is 12/31/2012.  

Violations of HIPAA and HITECH 

    The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

    1. Private Practices;
    2. General Hospitals;
    3. Outpatient Facilities;
    4. Health Plans (group health plans and health insurance issuers); and,
    5. Pharmacies.

    Most of these are easily solved. If one removes the simple Physical causes (77%), then the risk of violation is now left to Hacking (6%) and Unauthorized access/disclosure  (16%) and unknown at !%. No one is immune from hacking, although ClickCare works hard to protect against that. No one has to use email and risk enforcement, and as you see above, it is the small guys who top the list.   

     The message here:                                   

    • This is real.                    
    • This is significant.
    • This is avoidable.

    We owe our patients more than protecting ourselves by opting out.  There is an inexpensive and easy solution.

    Click me


    HIPAA Audits Are Coming: KPMG Contracted to Perform 150 Audits Through 2012

    2011 HIPAA Violations and Audits

    HSS Office of Civil Rights (OCR)

    Award Notice


    Tags: HIPAA, HITECH, Personal Health Information, Patient Privacy

    HIPAA and HITECH: What is the Difference?

    Posted by Lawrence Kerr on Mon, Oct 24, 2011 @ 01:48 PM


    What you are expected to know, but never quite understood...

    * HIPAA – Health Insurance Portability and Accountability Act (Clinton, 1996)   
    * HITECH – Health Information Technology for Economic and Clinical Health Act (Obama, 2009)
    The United States Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA in 1996. For the very first time, security standards came into existence to protect health information.
    HIPAA and HITECH Guard Privacy like a Swiss Guard
    Then, in 2009, the scope and complexity of HIPAA was extended with the presentation of the Health Information Technology for Economic and Clinical Health Act (HITECH).

    Both HIPAA and HITECH have risen to great importance with the health industry’s continual acceptance of electronic information systems.  

    Electronic data date systems and applications and electronic health records (EHRs or EMR’s), have considerably upgraded billing, surveillance and productivity. However, new security threats have arisen as well. As compared to paper charts, electronic health information is at greater risk of being distributed, tampered with or stolen which could lead to public disclosure.

    In order to eradicate these threats, strict standards governing security and privacy were implemented by HIPAA and HITECH. Consequently, anyone who transmits any information in electronic form is required to comply with the standards implemented by the Department of Health and Human Services. 

    Both HIPAA and HITECH are similar rules: They address the safekeeping and discretion of healthcare protocols. Both Acts contain privacy requirements and have numerous effects on research and clinical care. But, the additions are important.  For example:

       * Section D of the HITECH Act will have significant and varied ramifications on health care participants. Four tiers of culpability and penalty are listed.

      * HITECH restructures and strenghtens civil and criminal consequences for non-compliance.  These are significant with the fine being $50,000 for each violation, not to exceed $1,500,000 for the calendar year.  Prison terms have been issued as well.
        * HITECH necessitates justifying the disclosure of PHI (Protected Health Information), even when it is done for healthcare treatment and billing.

    What does this mean practically?  
    Email cannot be used unless it is within a closed and secure system. However, secure email is not only inadequate for retrieval and study, but it is also awkward to use and available only to a few participants tightly controlled within a system. Standard email meets no HIPAA requirements whatsoever.  Beyond being public, it is increasingly the fodder of search engines. To place oneself above the law because of the perception of the higher importance of medical care and patient permission is not good for any of us.

    There’s a need for a platform that provides an all-inclusive structure to help organizations restructure and systematize all facets of HIPAA/HITECH compliance. Among other things, this would ease time-tracking, email notices and operative effectiveness with the goal of condensing the time and energy necessary for security compliance.

    Click me

    In summary, HIPAA and HITECH are two powerful entities. They should be handled with extreme caution as they are mission critical to America’s healthcare and its people.

    Tags: HIPAA, HITECH, Personal Health Information, Patient Privacy, Telemedicine and HIPAA, PHI

    Subscribe By Email

    Recent Posts

    Posts by Topic

    see all