A CIO Guide to Electronic Mobile Device Policy and Secure Texting

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Doc Halo provides secure, HIPAA-compliant secure-texting and messaging solutions to the healthcare industry. He is a former chief information officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics and Meaningful Use. He has more than 20 years of information technology design, management and implementation experience. He has successfully implemented large systems and applications for companies such as Procter and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.
Reach Cliff at cmcclintick@dochalo.com.

One of the many responsibilities of a health care chief information officer is making sure that protected health information stays secure.

The task includes setting policies in areas such as access to the EMR, laptop hard drive encryption, virtual private networks, secure texting and emailing and, of course, mobile electronic devices.

Five years ago, mobile devices hadn’t caught many health care CIOs’ attention. Today, if smartphones and tablets aren’t top of mind, they should be. The Joint Commission, the Centers for Medicare and Medicaid Services and state agencies are scrutinizing how mobile fits into organizations’ security and compliance policies.

Be assured that nearly every clinician in your organization uses a smartphone, and in nearly every case the device contains PHI in the form of email or text messages. That’s not entirely a bad thing: The fact is, smartphones make clinicians more productive and lead to better patient care. Healthcare providers depend on texts to discuss admissions, emergencies, transfers, diagnoses and other patient information with colleagues and staff. But unless proper security steps are being taken, the technology poses serious risks to patient privacy.

For creating a policy on mobile electronic devices, CIOs can choose from three broad approaches:

  • Forbid the use of smartphones in the organization for work purposes. This route includes forbidding email use on the devices. Many companies have tried this approach, but in the end, it’s not a realistic way to do business. You may forbid the use of the technology and even have members of your organization sign “contracts” to that effect. But even for the people who do comply out of fear, the organization sends the message that it’s OK to violate policy as long as no one finds out.
  • Allow smartphones in the organization but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option, as the CIO is taking responsibility for the use of the devices and providing some direction. In most cases there will be guidelines regarding message life, password format, password timeout, remote erase for email and other specifics. And while the sending of PHI would not be allowed, protocol and etiquette would be in place for when the issue comes up. Ultimately, though, this approach can be hard to enforce, and the possibility remains that PHI will be sent to a vendor or out-of-IT-network affiliate.
  • Create a mobile device strategy. This option embraces the technology and acknowledges that real-time communication is paramount to the success of the organization. In healthcare, real-time communication can mean the difference between life and death. With this approach the technology is fully secured and can be used efficiently and effectively.

Recent studies have shown that more than 90 percent of physicians own a smartphone. Texting PHI is common and helps clinicians to make better decisions more quickly. But allowing PHI to be transmitted without adequate security can compromise patient trust and lead to government penalties.

Fortunately, healthcare organizations can take advantage of mobile technology’s capacity to improve care while still keeping PHI safe. In a recent survey of currently activated customers of Doc Halo, a secure texting solution provider, 70 percent of respondents using real-time secure communication reported better patient care. Seamless communication integration and a state-of-the-art user experience ensure that the percentage will only rise.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.