There has been a significant amount of well-deserved publicity regarding HIPAA violations arising from security breaches of electronic health records (EHRs). Even a well-intentioned company that developed a certification process (which included privacy and security) for mobile medical apps encountered its own vulnerabilities. The practice of copying and pasting in EHRs has garnered attention from the government, which has investigated its use in the context of fraud. In response, the American Health Information Management Association (AHIMA) issued a paper on Appropriate Use of the Copy and Paste Functionality. Although digital health technologies raise risk management issues like those just mentioned, they can also be used to mitigate risk. Some of these uses have been discussed at length in both IT and risk management forums. However, when examining the subject from a clinical perspective, one can identify opportunities for risk prevention which have heretofore not been approached in a proactive manner. I will attempt to set forth a brief risk prevention strategy utilizing technologies and processes currently available. As a disclosure, I have no financial relationship with any commercial entities mentioned.
1. Patient education. Gordon Gekko in the movie ‘Wall Street’ stated that information is the most valuable commodity. Certainly this applies to a patient as well. The overused term ‘patient engagement’ implies optimization of the patient’s ability to take fullest advantage of the healthcare options available. This is based, in my view, on two principles: that the best information is made available (along with provider recommendations) and that the decision-making process is shared. Digitally prescribed patient education tools such as the one offered by Emmi Solutions are the future of digital patient education. It provides guideline-derived visual and animated material and is designed with informed consent requirements in mind. The provider can track how many times, for how long, and what segments of the material the patient and/or caregiver viewed. This type of patient education, as well as the documentation of patient participation, will understandably mitigate risk pertaining to informed consent issues.
2. Patient navigation tools. Apps which help patients find physicians and book an appointment, check ER waiting times, or browse hospital directories are some examples of consumer-oriented apps. Others, such as The Mayo Clinic Health Community, provide information as well as social networking. There is an app to help determine and record advance directives. The need for apps which help people navigate healthcare-related governmental services is significant. Though most seniors now lack smartphones, caregivers have them. THEY are the forgotten critical component of the provider-patient relationship. Navigation tools can also be in the form of online patient support groups. Some noteworthy ones are Smart Patients, Treatment diaries, and I have previously described why navigating the health care system is more important than healthcare delivery itself. Frustrations from patients and caregivers are felt even before a first office visit or before an ER doc sees a patient. Having tools which make the process easier is something everyone would appreciate, translating into risk mitigation.
3. Real-time HCAHPS surveys. HCAHPS surveys are patient surveys which measure patient satisfaction. Hospital reimbursement is tied to these survey results. Whatever one might think about the merits of satisfaction-tied reimbursement, the process itself is extremely flawed. Patients receive the detailed survey weeks after a hospitalization, and the data (for evaluation and comparison to similar facilities) is only available almost a year later. Hospitals therefore cannot improve (or address a patient’s needs) until well after the fact. Having real-time surveys available to be taken on a tablet at the bedside (after each phase of hospitalization: ER, surgery, etc.) might facilitate better communications and more timely corrective measures. Companies like HCXperience saw a need for a real-time tool years ago. Medicare regulations do not accommodate such tools at the present time. Having real-time feedback from patients might very well mitigate risk.
4. ‘Connecting’ patients. Having patients ‘connected’ at the bedside can mitigate risk in a number of ways. Wouldn’t it be nice to know if a patient spikes a fever 3 hrs and 59 minutes before the next set of vital signs is taken? Continuous vital sign monitoring (made available on the provider’s mobile device) thus has intuitive risk mitigation implications. In addition, there are digital technologies, Patients ‘connected’ in other ways also mitigates risk. The key to success of many digital health tools is that they are deployed at the point of care. The utilization of a mobile device to record patient information, transmit it, and communicate with providers saves time, improves efficiency, and decreases the risk of error. Patientsafe Solutions is one example of a mobile health company developed to answer practical clinical safety issues. Another way to mitigate risk is to increase hospitalized patients’ satisfaction through improved communications and services delivered via bedside patient mobile devices. On another note regarding connected patients, it must be said that patients will increasingly be monitored remotely from home by wireless devices transmitting vital signs, diary entries, and other health and demographic information. Care must be taken to investigate, from technical and policy standpoints, what has been done to protect patients from the manufacturer and app developer sides.
5. BYOD: The elephant in the room. According to a 2013 report by Cisco, 89% of healthcare BYODers (those who bring their own [mobile] device to work) perform work from their smartphone, and 40% of them don’t have these phones protected with a password. In addition, 53% of the workers access unsecured wireless networks with these phones. Measures used to improve security of data on these devices were examined in the 3rd annual HIMSS Analytics survey. 98% of those surveyed (most were persons in positions of IT responsibility for an organization) used password protection, 71% used data encryption, 69% utilized remote wipe capability, 15% had automated data disintegration and 9% had biometric ID programs. Surprisingly, 29% stated that mobile devices retain personal health information. Having a BYOD policy Policy and procedure risks include the absence of an “acceptable use” policy, lack of privacy breach protocols, and not having a minimum password requirement. Most security breaches result from errors in human behavior and are not the result of hackers. A BYOD policy is therefore critical to proactively mitigate risk. The importance of adequate security policy training at all levels of employment in the enterprise cannot be overstated either.
Digital health technology is a daunting consideration from a risk management standpoint. This is because the consequences are high and the risk is not appreciated until there is a breach. However, as I hope to have conveyed, digital technology can also be used to decrease risk by improving patient safety, enhancing communication and patient care, and by giving patients the tools they need to become engaged. Let us embrace technology and use it to protect us. However, this too boils down to human behavior related to implementing both the best technologies and the practices built around them.