The Patient's Role in Breach Prevention

As hospitals and clinics plow ahead with their HIPAA Omnibus Rule compliance efforts, including rewriting patient privacy notices and reworking their breach notification assessment procedures, they must also remind patients to be careful when communicating their own health information.

In this digital age of being connected 24x7, many people routinely communicate through texting, social media and e-mail. Some forget that discussing health issues through these electronic means can be risky.

For starters, discussing personal health information on social media sites can be a major privacy risk. (Do you really know everyone who's reading your entries?) But losing an unencrypted mobile device containing your sensitive health information can range from being embarrassing to potentially triggering identity theft if the device falls into the wrong hands.

Unfortunately, many patients, especially younger ones, don't think about those risks. Just ask David Hoffman, Ph.D., a clinical child and adolescent psychologist based in Connecticut. He says many of his patients are accustomed to communicating with everyone else in their lives electronically, especially via text. So some assume that's also fine for discussing personal health issues with their doctor. That's why he has to educate them about the risks involved.

When patients send Hoffman a text, he asks them to call him instead, if it's urgent. Otherwise, he asks them to rely on secure messaging.

While Hoffman looks into a secure texting solution, he's communicating electronically with patients via a secure cloud-based messaging service from Enlocked.

The secure messaging system allows him to communicate via encrypted e-mail. If the patient chooses not to download the encryption app that's needed to read the secure message, patients instead are sent a message that indicates they can view the e-mail via a secure website.

"No one complains about encrypted e-mail," he says. "But you have to educate people that it's available and to use it."

Other Security Steps

To help ensure privacy, Hoffman, a solo-practitioner, doesn't keep patient information on his own mobile devices. Instead, he stores encrypted information on several cloud-based services. "If a patient e-mails me sensitive information, I put it in encrypted folders," he says.

Hoffman also uses secure fax via his cloud providers when communicating with other healthcare providers, such as his patients' pediatricians and psychiatrists.

In some rare cases, however, Hoffman will accommodate texting. "Sometimes [clinicians] are texting me at 4 a.m. from an emergency room," he says. For that kind of communication, the texts are always vague and never includes identifiable patient information, he says. "I have my own idiosyncratic system for identifying patients." And because his mobile phone is encrypted, Hoffman says his patients' information is protected if the device were to get lost or stolen.

A Reference Point

Mental health professionals deal with a lot of sensitive information. Hoffman says his instructions to patients about appropriate security measures also serve as reference points for patients to consider in their electronic communication with others.

"I try to do what I can at the highest level to protect patient privacy," he says.

Other healthcare providers should follow Hoffman's example and make sure patients are aware of the need to protect their sensitive electronic health information. That includes offering patients a secure method to communicate, whether it's via encrypted e-mail, secure texting or a secure patient portal.

But providers also should consider posting signs in waiting rooms or elevators that remind patients to guard their health information privacy online. Remember the public service announcements years ago, asking parents if they know where their kids are? How about asking patients if they know where their health information goes once they text or type on social media?

At a time when providers are busy educating their staff about the changes that HIPAA Omnibus brings to their organizations, they also need to make sure to remind patients about being cautious about how they handle their own sensitive health information.