What Did Healthcare Learn from COVID? Starting Telehealth and m-Health Without Knowing the Risk! Learn from JCI 7th Edition

Hospitals are hard pressed to sustain their business during the COVID pandemic and are trying to adjust to the digital world, but they have been unable to become accustomed to the technology transformation. Even when they do, the digitalization process is very slow. Why? There are many reasons, but one of them is the crucial matter of the interest of the ‘Chairman and Board of Directors [BoD]’ in investing in technology. Frankly speaking, technology is an intangible investment, but it costs a lot of dollars. So the Chairman and the BoD have not been convinced enough to put dollars somewhere they can’t palpate. That doesn’t mean they don’t want to invest. They’re ready to invest in high-end, state-of-the-art, high-value equipment like CT scan, PET scan or MRI, which is tangible, but they are still not ready to put dollars into technology that seems like a black hole. What’s the issue? In a private hospital’s board meeting, 60-70% of the time is spent analysing hospital performance, and the board expects staff to put themselves into the patient’s shoes to bring back the dollars! That’s the hard truth! The Chairman and BoD always put themselves into the dollars’ shoes. That means the return on investment [RoI] must be calculated for any investment, and the RoI must be reasonable. Not all of them are the same; some are exceptional. Those exceptional members drive for patient safety and quality accreditation! So it’s rational to say that the key drivers’ lack of interest in investing in technology is the main obstacle to transforming hospitals into SMART ones. The only thing the Chairman and BoD understand about technology so far is the electronic medical record system [eMR] and the hospital information system [HIS]. That’s all. What to do?

During COVID, the virus hit the business bottom line, and that was one of the trigger points for the BoD to think about digital transformation, especially telehealth and mobile health, to reconstitute the business and keep the revenue stream smooth. But do hospitals understand the risk of telehealth or telemedicine? Is it acceptable to use free apps like Zoom, Viber, WhatsApp, and Skype for telehealth or telemedicine?

 

Let’s check the Joint Commission International (JCI) Hospital Standards, latest 7th edition. Four major standards in the JCI 7th edition book relate to this:

Standard MOI.2: The hospital maintains the confidentiality, security, privacy, and integrity of data and information through processes to manage and control access.

Standard MOI.2.1: The hospital maintains the confidentiality, security, privacy, and integrity of data and information through processes that protect against loss, theft, damage, and destruction.

Standard MOI.11: Hospital leadership identifies a qualified individual to oversee the hospital’s health information technology systems and processes.

Standard MOI.12: When mobile devices are used for texting, e-mailing, or other communications of patient data and information, the hospital implements processes to ensure quality of patient care and maintains security and confidentiality of patient information.

The explanation of those standards clearly highlights that the hospital needs to maintain the confidentiality, security, and integrity of data and information and be particularly careful about preserving confidential patient data and information. Whether a hospital uses paper and/or electronic information systems, the hospital implements measures to secure and protect data and information at all times. Data and information include patient medical records, data from medical equipment and devices, research data, quality data, billing data, human resources data, and other sources, as applicable to the organization. Security measures include processes to manage and control access. For example, to maintain confidentiality and security of patient medical records, the hospital determines who is authorized to access medical records and the authorized individual’s level of access to the records.

Besides, when electronic information systems are used, the hospital implements processes for assigning privileges to authorized users in accordance with their level of access. Depending on level of access, an authorized user may be able to enter, modify, and delete information, or may have read-only access or restricted access to some systems or modules. Levels of access for an electronic medical record system may identify who can make entries in the medical record, who can enter patient orders, who can access high-security patient cases, who can access quality improvement data, and so on.

The six points for identifying risk are:

  1. who is authorized to have access to data and information, including patient medical records;
  2. the information to which an authorized individual has access (level of access);
  3. the process for granting access privileges to authorized individuals;
  4. the individual’s obligation to keep information confidential and secure;
  5. the process for maintaining data integrity (accuracy, consistency, and completeness); and
  6. the process followed when confidentiality, security, or data integrity are violated or compromised.

There should be regular security audits of access logs to check the protection of confidentiality and security, including a process to proactively monitor access logs. Regular security audits can identify system vulnerabilities in addition to confidentiality and security policy violations. For example, as part of the process, the hospital can identify system users who have altered, edited, or deleted information and can track changes made to the electronic medical record. The results from this audit process can be used to validate that user permissions are appropriately set. Conducting security audits can also be effective in identifying vulnerabilities in security, such as user access and permissions that need to be updated or removed due to staff changes or turnover.

 

When documentation transcribers, or scribes, are used, the hospital has processes to ensure protection of patient data and information. The hospital identifies the required qualifications, training, and competencies for scribes, as well as their job responsibilities, including the scope of documentation activities that a scribe can perform. As with anyone who has access to patient medical records, scribes must be authorized to access and make entries in the medical record, and their level of access is identified.

 

When electronic medical records are used, any additional security measures for logging into the system are defined and implemented. For example, the hospital has processes to ensure that individuals log into and access the system using a unique credential assigned to only them and that credentials are not shared.
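One way to run the access-log audit and the unique-credential check described in the paragraphs above, as an added example that is not part of the original article or of the JCI text. The log format, role names, staff roster and 10-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: role -> permitted actions (levels of access).
LEVELS = {
    "physician": {"read", "enter", "modify"},
    "nurse": {"read", "enter"},
    "billing": {"read"},
}
# Constructed staff roster: user id -> (role, still employed?).
ROSTER = {
    "dr.lee": ("physician", True),
    "n.khan": ("nurse", True),
    "b.roy": ("billing", True),
    "n.old": ("nurse", False),  # left the hospital, account never removed
}
# Constructed access log: time, user, workstation, action, record id.
LOG = """\
2024-03-01T09:00:00 dr.lee WS-01 modify MRN1001
2024-03-01T09:05:00 n.khan WS-02 enter MRN1001
2024-03-01T09:06:00 b.roy WS-07 delete MRN1002
2024-03-01T09:10:00 n.old WS-03 read MRN1003
2024-03-01T09:12:00 n.khan WS-09 read MRN1004
"""

def audit(log_text, roster=ROSTER, levels=LEVELS, window=timedelta(minutes=10)):
    """Return (line_no, user, finding) tuples for one pass over the log."""
    findings, last_seen = [], {}
    for n, line in enumerate(log_text.splitlines(), 1):
        ts, user, station, action, record = line.split()
        when = datetime.fromisoformat(ts)
        role, active = roster.get(user, (None, False))
        if role is None:
            findings.append((n, user, "unknown account"))
        elif not active:
            findings.append((n, user, "account of departed staff still in use"))
        elif action not in levels[role]:
            findings.append((n, user, f"{action} exceeds {role} level of access"))
        # Same credential on two workstations within the window suggests sharing.
        prev = last_seen.get(user)
        if prev and prev[1] != station and when - prev[0] <= window:
            findings.append((n, user, "possible shared credential"))
        last_seen[user] = (when, station)
    return findings

def changes(log_text):
    """List who altered or deleted which record, for change tracking."""
    rows = (line.split() for line in log_text.splitlines())
    return [(u, a, r) for _, u, _, a, r in rows if a in {"modify", "delete"}]
```

Findings from `audit` feed the review of user permissions; `changes` gives the list of edits and deletions to reconcile against the medical record.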

 

In addition to processes for managing and controlling access, the hospital ensures that paper and electronic medical records, data, and other information are protected from loss, theft, tampering, damage, and unintended destruction. It is important for the hospital to assess for vulnerabilities in the organization that pose potential risks to the security of data and information. The hospital conducts and documents an ongoing information security risk assessment, at least annually. The risk assessment considers a review of processes and new and planned services that may pose risks to data and information, wherever it is accessed or stored. Risks are prioritized from the risk assessment, and improvements are identified and implemented to address the risks. Improvements are monitored to ensure that risks are prevented or eliminated.

 

To protect data and information, the hospital implements best practices for data security and ensures safe and secure storage of medical records, data, and information. Examples of security measures and strategies include, but are not limited to, the following:

  • Ensuring that security software and system updates are current and up to date
  • Encrypting data, such as data stored in digital form
  • Protecting data and information through backup strategies such as off-site storage and/or cloud backup services
  • Storing physical medical records in locations where heat, water, and fire will not likely occur
  • Storing active medical records in areas where only authorized health care practitioners have access
  • Ensuring that server rooms and rooms for physical medical records are secured and accessible to only authorized individuals
  • Ensuring that server rooms and rooms for physical medical records are kept at proper temperature and humidity levels to protect records/servers

 

The hospital may begin to use mobile devices to communicate patient data and information through text messages and e-mails, such as critical results, referrals, and notes about patient care with other practitioners, in and outside the hospital, or may receive text messages or e-mails from patients. Hospitals may provide mobile devices to their health care practitioners or may allow practitioners to use their personal devices. When mobile devices are used, the hospital needs to ensure that patient data and information are kept secure and confidential. For example, the hospital implements access controls with authentication of users, a secure password policy, the ability to remotely disable or remove patient data and information from the mobile devices if they are lost or stolen, and other forms of security controls. When the mobile devices are provided to staff by the hospital, there are procedures to retrieve the devices when staff are no longer employed by or associated with the hospital.

Newer text messaging platforms may offer the functionality to address previous concerns related to texting and confidentiality, security of information, accuracy, timeliness, documentation, and patient safety. When the hospital allows confidential and private patient information to be transmitted through text messaging (for example, patient identification, diagnoses, history, test results, and other confidential information), the hospital ensures that a secure messaging platform is implemented and includes the following:

  • a) Secure, encrypted sign-on process(es) for authentication of users (sign-on processes that are password protected and unique to each user)
  • b) Processes for ensuring that only authorized individuals are in the platform’s directory of users who can receive messages
  • c) Delivery and read receipts for messages
  • d) Date and time stamp for messages
  • e) Processes for protecting and securing patient information against unauthorized access and use (for example, automatic logout after a period of inactivity, ability for the hospital to remotely deactivate mobile devices or wipe data from devices if lost or stolen, and so on)

In addition, the hospital establishes processes for ensuring that text messages with patient information are documented in the medical record when the content relates to the care of the patient. For example, text messages exchanged among health care practitioners that contain information used to make decisions about a patient’s care need to be documented in that patient’s medical record.

E-mail has increasingly become part of normal communication in health care. There are many advantages to e-mail communication; however, there may be issues associated with security, confidentiality, and timeliness, such as when mobile devices are used or when patients initiate contact through e-mail with the physician. The physician or hospital may have a secure e-mail system, but patients often do not. In addition, time-sensitive issues sent via e-mail, such as urgent health matters, may not be viewed by the physician in a timely manner, thereby delaying immediate actions that may be needed. One way of ensuring confidentiality and preventing delays in urgent actions is to limit e-mail use to areas in which the risk for breach of confidentiality or delay in response is lower (for example, appointment scheduling and reporting of home records such as blood pressure or weight gain from patients with renal failure or congestive heart failure). As with text messages, the hospital establishes a process to ensure that e-mail messages with data and information relating to a patient’s care are documented in the patient’s medical record.

 

Another means for patients to communicate with their health care practitioners is through a patient portal. Patient portals provide a range of services that can be performed online or through an app on a mobile device, such as completing registration forms, requesting prescription refills, accessing test results, scheduling non-urgent appointments, sending/receiving messages with the physician, downloading educational materials, and making electronic payments.

 

Hospitals that implement patient portals ensure confidentiality and security of the patient information stored and exchanged through the portal. The implementation and use of patient portals require encryption of patient data/information; a secure sign-on process with password requirements for users; audit trails that log and record key activities; and consent from patients to participate in the patient portal.

 

The hospital implements a process to monitor the quality of communications conducted through text, e-mail, and patient portals, and makes improvements where needed. The hospital ensures that patients have adequate understanding of data and information received through text, e-mail, and patient portals, and encourages patients to contact their health care provider for questions. The hospital collects data to monitor the process for clarifying questions that arise from messages received via text, e-mail, and patient portals. For example, the hospital may collect data on how often staff need to clarify patient information that has been texted and the process for obtaining clarification.

 

And the final word: health information technology represents a major investment of resources for a hospital. For this reason, technology is carefully matched to the hospital’s current and future needs and its resources. The hospital’s information technology systems must be managed effectively and in a comprehensive and coordinated manner. The person who oversees the health information technology systems is responsible for at least the following:

  • a) Recommending space, equipment, technology, and other resources to hospital leadership to support information technology systems in the hospital
  • b) Coordinating and conducting risk assessment activities to assess information security risks, prioritize risks, and identify improvements
  • c) Ensuring that staff and others are educated and trained on information security and applicable policies and procedures
  • d) Identifying metrics to assess how systems, such as the electronic medical record system, are functioning and affecting staff and patients

There is no shortcut to handling the hospital business; each component needs to analyze its risk and create a risk reduction program in order to earn revenue.

JCI accreditation is one good way to minimize hospital risk, increase reputation, and sustain the business. The sooner the BoD understands these JCI requirements, the better the business grows.
