Pagers Putting Hospitals (and Patients) at Risk

With the Kansas City Star article making waves across the nation, there is no excuse for thinking that pagers are still an acceptable option for sending patient health information (PHI). And no one can deny that healthcare workers routinely include PHI in their pages. According to a 2017 study by the Journal of Hospital Medicine, nearly 79 percent of 620 hospital-based clinicians said they are provided pagers for communications, while 49 percent said they receive patient care–related communication through pagers.

As the IT worker in the Kansas City Star article demonstrated, anyone with $20 and a TV antenna can now easily stumble over or intentionally access PHI. Awareness of the security risk posed by sending PHI via pager has increased nationwide.

What is being done about it?

Red flags should be flying. Not the kind with the white cross in the middle but the kind that indicate “Danger ahead. Stop, or proceed with extreme caution and at great risk!” Using pagers to send patient health information, as practiced today in most healthcare organizations, is insecure, puts a system at risk for significant HIPAA violations and compliance fines, and creates additional vulnerabilities for the patients themselves.

To further emphasize the importance and urgency of action, just last week an administrative law judge ruled that the MD Anderson Cancer Center in Houston must pay $4.3 million in fines over a stolen laptop and two lost USB drives, an amount that cannot be easily ignored.

So the question has shifted from “can we use pagers for sending patient health information?” to “how quickly can we move to an encrypted method of communication?” Now, more than ever, speed of deployment is of great importance, but training, reliability, accuracy, and patient safety cannot be short-changed. Traditionally, changing communication tools, workflows, processes and expectations in a hospital has been more like moving a barge than racing a speedboat. Speed was definitely not a top consideration. Several high-profile incidents have changed this. Speed is now required.

Finding a Balance

So how do you quickly provide a compliant system without jeopardizing patient care?

First, every system must immediately educate employees and providers on acceptable pager use and explicitly prohibit patient health information. Actions must be taken to monitor accountability to the policy. Informal polling often finds that there continues to be confusion over what information is considered PHI and whether there are certain situations where it is still “OK” to use the pager for PHI.

Second, an encrypted method of communication must be made available to all providers. This method needs to be a simple solution for quick deployment, but also a robust system that can support increased usage and complex workflows in later implementation stages. The simplest solution will be a download-and-go mobile communication app that encrypts data at rest and in transit.

Finally, the chosen encrypted method of communication must be easily monitored and provide tools for accountability. Monitoring will need to include real-time alerts, escalations and read-time analysis in order to ensure the smooth and quick flow of patient care information.

There are many more questions to be asked and issues to be addressed in the months after initial implementation, such as questions involving system integrations with call schedule and EHR systems, access points, and adoption by the referral community. These questions may need to work their way through hospitals at a more “normal” speed and will benefit from the deliberate and collaborative ways that change has been traditionally implemented in large systems. Finding that balance is key.

Let us know if you would like to learn more about secure communication alternatives that are designed for physician adoption, to support health system integration and to deliver immediate value.


Hospital compliance officers must think beyond “security” when it comes to text messaging

Today, hospitals know that they need to find HIPAA-compliant communication solutions, but often struggle to identify the right solution and/or to identify (or agree on) who is actually responsible for finding the right solution.

They are starting to realize that finding the right secure communication solution is more than just a technology decision. With ultimate responsibility for adherence to health care regulatory enforcement and compliance activities, more and more compliance officers are now finding themselves playing a key role in that decision-making process. In that new role, they typically work closely with hospital administrators, IT and physician leaders to choose a solution.

We recently spoke with compliance expert John Finley about this topic. His 15-year career has spanned a number of compliance and regulatory roles at WakeMed Health & Hospitals, CHRISTUS Health, Aetna and the FDA.

Finley says that while there may be some confusion around The Joint Commission’s recommendations, there is no official ruling that prohibits hospitals from using secure texting. He knows that texting is a reality of life, and that it has become a regular practice for physicians. He says that he and probably 90% of his peers support the use of texting, if it’s done in a secure manner and doesn’t result in a breach.

“The bottom line is that physicians are already doing it, and it can help deliver better care to patients. We just need to figure out the best way to support that, while minimizing a hospital’s risk and exposure,” Finley explains.

At a minimum, a secure texting solution should meet a checklist of basic security requirements including:

  • Encrypted at rest and in motion
  • Cloud based – nothing stored on phone
  • Secure messages PIN-code protected (not just phone code)
  • Ability to remotely wipe if lost/stolen

But Finley emphasized that he and his compliance counterparts need to focus on more than just security and compliance when thinking about text messaging technology.

We agree. While checking off a list of standard security requirements is a good starting point, choosing a solution can’t stop there. Hospitals still need to balance compliance and security with overriding business goals such as:

  • Improving care
  • Reducing costs
  • Increasing growth

To support these goals, hospitals should look for a solution that offers a number of other benefits including:

  • Inpatient/outpatient integration
  • Epic integration – particularly for consult requests
  • Designed to stay compliant with all Stark/anti-kickback regulations
  • Flat license fee with ability to broadly distribute
  • Implementation process that actively engages users to promote adoption
  • Offers a solution for physicians in the OR/procedure rooms
  • Message preference routing (includes residents, fellows, mid-level providers)
  • Integrates with nurse duty phones
  • Addresses call center and ED volume issues

Finley also emphasized that technology is only one part of a true secure messaging “solution”, and that hospitals need to implement policies and practices that support the use of these technologies. They are increasingly looking to vendors to help provide these “guardrails for proper texting” and to help them think through a number of “what if scenarios” to ensure ongoing compliance and usage.

It’s also important for hospitals to think about communication outside their own four walls. Implementing a secure communication solution becomes more complicated when it has to be managed across a wider care continuum. Today, hospitals must collaborate with multiple providers and rely heavily on physician referrals. As a result, they need to communicate and share patient information across numerous organizations.

A solution that supports in-hospital communication only or in-hospital workflows only won’t truly address their communication or compliance needs, and won’t truly improve overall patient care. The right secure communication solution should support communication, collaboration and care coordination across the entire patient care continuum.

If you would like to learn more about how MD Interconnect does just that, or to learn how WakeMed addresses the need for HIPAA-compliant messaging, let us know. You can also read the WakeMed case study here.