Pagers and HIPAA Compliance

HIPAA compliance and pagers have become subject for discussion since the enactment of amendments to the Privacy and Security Rules in the Health Insurance Portability and Accountability Act (HIPAA). Although not outright mentioning pager communications, the amendments to the Security Rule stipulate that a system of physical, administrative and technology security measures must be introduced for any electronic communication to be HIPAA-compliant. The other option is not to mention any protected health information (PHI) in the body of a message.

In the context of HIPAA compliance and pagers, healthcare groups still relying on pagers as a medium of communication have to ensure that all communications are encrypted, that a system of message accountability is put in place, and that the facility is place to remotely remove messages from a pager to safeguard the integrity of PHI in the event of a pager being lost or stolen. There also has to be a process for user identification on every device, and an automatic log-out facility to prevent unauthorized access to PHI when a pager is left unattended.

Unless healthcare groups are going to stop their medical professionals from referring to any personal identifiers in pager messages, the HIPAA Security Rule effectively ended alpha numeric paging in medical facilities. As it happens, pager use is already dropping. Many medical staff are abandoning pagers in favor of personal mobile devices. However personal mobile devices are subject to the same regulations can can impact HIPAA compliance and pagers, and therefore messages sent by SMS or email still have to have the stated safeguards in place in order to be HIPAA compliant.

The demise of pagers in the healthcare sector will not be regarded as much of a loss. Even before the rules in relation to HIPAA compliance and pagers were introduced, pagers were seen as time-consuming and inefficient. Regardless of whether PHI was sent in a pager message, the recipient often has to call back the sender of the message to obtain further details and to determine its priority. This possibly results in phone tag when one party or another is not immediately at hand, and the introduction of miscommunications when messages are passed on third hand. The lack of message accountability is also a problem with pager communications.

According to a study carried out by HIMSS Analytics, many senior healthcare managers persevered with pagers due to their “perceived reliance” and their ability to reach clinicians remotely. Fewer than one in five healthcare managers thought that pagers were time-saving devices – most acknowledging that the time wasted playing phone tag (calculated to be 45 minutes per day per medical professional by an earlier Ponemon Institute study) was a compromise for the reliability and access supplied by pagers.

The same HIMSS Analytics study estimated that – for hospitals with 100 beds or greater – the average cost per user per month of managing a pager communications system is $8.40. Researchers concluded that healthcare groups are spending $179,000 per year on average on what CNN Money described in 2013 as “archaic communication technology”. The earlier Ponemon Institute study said that the manpower hours lost due to the inefficient nature of pagers was costing healthcare groups an average of $557,000 per annum – per medical facility.

Secure Messaging as an Different Option to Pagers

A solution to the problem of HIPAA compliance and pagers is secure messaging. Secure messaging works via apps that can be installed onto desktop computers or mobile devices and that operate in the same way as commercially available messaging apps including iMessage and WhatsApp. The major differences are that the secure messaging apps only link with a healthcare organization´s encrypted communications network and that they comply with the security measures of the HIPAA Security Rule.

The applications can only be used by authorized personnel, who have to verify their identity each time they log in with a centrally-issued username and PIN number. Once they can access the network, medical workers can send messages, share images and receive documents with the speed and ease of modern technology, but with no risk to the integrity of PHI. If medical professionals forget to log-out of the apps, a time-out feature deletes them from the network after a period of inactivity.

All activity on the network is reviewed and recorded – to ensure 100% message accountability – and access reports are generated so that system administrators can check on compliance and conduct risk assessments. Security measures exist to stop PHI being accidentally or maliciously sent outside a healthcare organization´s network, copied and pasted, or saved to an external hard drive. If a mobile device is lost or stolen, the facility is in place to retract all messages sent to the device and remotely PIN-lock the app.

The Advantages of Secure Messaging Compared with Pagers

For healthcare groups concerned about HIPAA compliance and pagers, there are three main benefits of secure messaging compared with pagers – HIPAA compliance, efficiency and cost. Compliance with the Privacy Act and the requirements of the Security Act is assured when using a secure messaging solution to share PHI, as all personal identifiers are encrypted at rest and on the move.

Features on the secure message solution grow the communications cycle, enable medical professionals to streamline their workflows and improve productivity. The secure messaging apps also support group messaging – allowing collaboration on patient care and the coordination of hospital admission and patient discharges. Phone tag is practically cut out and – as mentioned beforehand– all messages have 100% accountability.

As secure messaging solutions work via a cloud-based platform, there are no set-up costs or complicated software to download. Additionally, as 87% of doctors (Manhattan Research/Physician Channel Adoption Study) and 67% of nurses (American Nurse Today study) already use Smartphones in the workplace to “support their workflow”, most medical staff are already using personal mobile devices in medical centers. Due to this, the HIMSS Analytics study estimated the cost of secure messaging at less than $5.00 per authorized user every month.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.