Mobile health — or mhealth for short — has grown considerably since the iPhone and iPad were both launched by Apple in the past decade. According to one estimate, by the year 2015, approximately 500 million people worldwide, including health care professionals, consumers and patients, will be using health care applications on their smartphones. As the use of mhealth continues to increase, so too does the need for health care professionals to become technologically saavy in order to use their wireless devices safely and securely in their daily practice.
For O&P practitioners, smartphones and tablets can be particularly useful, both inside and outside the office. By adopting some basic security measures when using mobile devices, practitioners can help protect and safeguard patient information.
For any mobile device that contains information or data concerning patient care, the first level of security is to ensure the device itself is password protected. The passwords themselves should meet a certain level of security, Clay Barrow, CO, CIO, orthotist and chief information officer for Ability Prosthetics & Orthotics Inc., told O&P Business News.
“As a company, we require a high level of security for a password to even create the password, and none of our passwords are easily remembered words. All of our passwords are in a random format — upper case, lower case, symbols and digits,” Barrow said. “That is consistent for all Ability staff logins across every system. The password has to meet a certain level of security to use it.”
Passwords also should be changed regularly. In addition, if the password is entered incorrectly a set number of times, the device should be programmed to erase all data.
Some smartphones on the market will allow users to place a lock on a device. This may be in the form of facial recognition or even fingerprint recognition, which is a feature on the iPhone 5. Barrow noted that these are all ways to ensure the identity of the user.
Another security measure to prevent unauthorized use is for mobile devices to be enterprise locked to sync with only one computer, Brett Saunders, CPO, FAAOP, owner of Saunders Prosthetics & Orthotics Group, said.
“If someone found the device, they could not pull a back-up from it or copy the data, because the device is locked to that one computer,” Saunders told O&P Business News.
In addition, he noted that all mobile devices used in his practice are location enabled so that if one is lost or stolen, it can easily be located. Another level of security is that appointments remain in the calendar of the mobile device for only a limited period of time and are then automatically erased.
OPIE mobile apps
For practices that use OPIE software, which is an electronic medical records and workflow management system designed specifically for O&P facilities, the program’s mobile application allows practitioners to access some of the software’s features on their smartphones and tablets. The mobile app, which is available for both android and iOS devices, provides some basic security functions.
“The application is password protected, number one, so you cannot just pick it up and open it, so if you were to try to interact with somebody’s OPIE electronic medical record software with the mobile app, you would be required to put an additional user name and password in to then make that connection,” Paul Prusakowski, CPO, LPO, FAAOP, chief executive officer of OPIE Software, said.
From a safety compliance perspective, the application is set up is that no information is stored on the mobile device itself. A distinct secure connection is created with the server where the medical records software is housed and then the pertinent information is transferred from the device.
“If you took photos, or if you were doing notes for the patient or capturing electronic signatures, they are not being stored on the phone except for that absolute instant, and then they are being put right onto the medical record server at the home office,” Prusakowski told O&P Business News. “Even if they lost their device, all that information is not on that device.”
The mobile app also provides some security options for users in the event that their device is lost or stolen. Once a device is registered to the OPIE mobile app, users can contact the company and ask that the password be reset or that the device be prevented from connecting to their network.
“If you call us up and say, ‘Hey, we lost our mobile app,’ we can basically freeze it so that it could not be used in the event that somebody was able to break through the two other levels of password protection,” Prusakowski said.
The risk of data being stolen by hackers can be reduced to some extent by instituting some standard practices. Unfortunately, as Saunders noted, “I think if Target is a target, then everybody else is because they spend a whole lot more on IT security than I do.”
He recommends that staff be mindful of how they use the Internet in the office. In addition, staying current on operating system patches and updates as well as installing current antivirus and malware software are ongoing practices that can help safeguard data. Encrypting data on the server can add another layer of protection.
“My data server is not attached to any name or my company’s website. All my data is in a completely different location,” Saunders said. “It is just series of numbers, so they would have to go looking for a series of numbers to find data, and I am not of any interest to anybody to want that.”
Saunders’ server also has mirrored hard drives so that if a hard drive dies, it immediately picks up on the mirrored drive. In addition, onsite and offsite back-up of hard drives occurs every 2 hours.
“If my machine dies, I have my back-up right there; I can plug a new machine in and pull it right in. If my building burns down, it is still accessible because it is also copied offsite,” Saunders noted.
Using a messaging system rather than emailing can also help protect patient data from being identified and used by hackers. Barrow encourages staff to use the OPIE messaging system to share patient information because the data never leaves the server so it is not being transmitted anywhere.
“We discourage any kind of emailing of any information,” Barrow said. “If someone does want to email anything about a patient, they know to include a patient ID instead of a patient name, so that if someone hacked into our system, they would have no idea what that meant.”
Establishing a virtual private network (VPN) adds another level of security on top of a practice’s local network connection. A VPN tunnel allows transfer of data in unsecured networks. Prusakowski recommends having a local IT specialist or company set up a VPN for practices that use mobile devices.
“I would not recommend setting up a VPN to a dabbler. When you are dealing with security, you want to pay somebody who knows what they are doing,” Prusakowski said.
With a VPN, the connection between authorized mobile devices and a practice’s server is encrypted, protecting data from unauthorized access and interception while being transmitted.
When it comes to safety and compliance, Prusakowski also stressed that technology can only do so much and that there has to be an equal balance between the significance of policy and technology.
“There has to be policy that supports the technology and vice versa,” he said. “The policies within a practice are what ensure the technology gets used appropriately.”
He suggested that practices should have written guidelines for all mobile device users to follow. In addition, the practice should ensure that users have a thorough understanding of those guidelines and follow the company’s internal policy.
“Strong policies support strong technology, but if you do not have good policies, even the strongest technology still has opportunities to not be as effective as it could be,” he added.
The portability and versatility of both smartphones and tablets enable O&P practitioners and their staff to use these mobile devices in a variety of ways. In the front office, tablets or iPads can be used to review intake forms and documents with patients, and patients can even sign when necessary using a digitally encrypted signature.
“For those instances where patients might be in a wheelchair or they just might have a harder time standing up and walking to the front counter, we can use an iPad and bring those documents to them to sign,” Saunders said.
Some of the documents reviewed via tablet at intake include Health Insurance Portability and Accountability (HIPAA) disclosures, assignment of benefits, communication policies, financial policies, and even photograph consent. Saunders added that patients also often sign delivery receipts on a tablet as well as receipts indicating that they received written documentation on the care and use of their device.
Outside the office, practitioners can use their smartphones to access patients’ clinical notes and answer questions about prior treatment plans. In addition, because the smartphones generally have good cameras, practitioners can take photographs of virtually anything.
“Another big way that we are using the mobile apps from OPIE is that we are able to take pictures of all kinds of things and put them directly into the chart — images of the devices, images of the patient, images of their insurance card, images of the delivery receipt — you name it,” Barrow said. “They literally just take the picture and within 5 seconds, it is where it is supposed to be because they can tell it through the OPIE mobile app where they want that picture to be.”
Barrow noted that practitioners also can use their smartphones to pull up their patient schedule for the day, and then check patients in for the day. Practitioners then can view any pertinent notes pertaining to those patients and also dictate patient notes.
“They have the ability to go to the dictation area of that app and record their note, which would then later get transcribed. So they pretty much just do their note verbally. The mobile app sends that to our OPIE server, and then from that server, it automatically shoots the voice file to the transcription service,” Barrow said.
After the voice file is transcribed, the file is automatically sent back to the patient file via an ftp server. The transcribed note then populates into that patient’s chart.
“From the practitioner’s standpoint, it is like magic,” Barrow said. “They dictate a note and within 24 hours, they see it populate into the system. They do not know what is going on in the background and who is doing what.”
The mobile apps give practitioners the ability to have instant access to a patient’s chart and focus on each patient. Barrow noted that practitioners can consult with other care providers such as physical therapists without having to contact the office for additional information.
Prusakowski noted that the mobile apps provide a sliver of what the full program allows by isolating “the things that will allow a practitioner to be more effective at gaining information that their administrative staff needs immediately and gaining information that the practitioners need at the moment. When they are offsite, they are getting the features and benefits that they want when they are with a patient.”
The proliferation of mobile devices will continue in the future, and new models can be expected to have improved as well as additional features. The use of smartphones and tablets in O&P practices also can be expected to grow and be used in novel ways. Saunders said he currently uses his smartphone to address Medicare audits.
“I don’t know how anyone can survive in this business climate without digital records. I am getting Medicare audits on different things almost weekly, and I can respond to those audits in 10 or 15 minutes because I have all the documents needed,” Saunders said, noting that writing the cover letter takes the most time.
Barrow agreed that practitioners should avail themselves of “the efficiencies of mobile computing and mobile apps in the current reimbursement climate and the current requirements and regulations and paperwork necessity.” He noted that if practitioners are not already moving to these kinds of tools, they “are dead in the water in the profession at this point, and that is just the reality of it.”
Barrow said his goal is to eventually outfit all the company’s practitioners with a tablet, and he also looks forward to expansion of mobile applications that will allow practitioners to do even more things. He would like to see a future where the technology of tablets and smartphones will obviate the need for paperwork of any kind.
“In the future, more and more of these things will just automatically go into the system. With less data entry, and scanning, and that kind of thing for our office to do, we can spend more time coordinating patient care and less time doing the mundane rote things that we have to do to right now to keep up with the system,” Barrow said. — by Mary L. Jerrell, ELS
Disclosure: Barrow and Saunders have no financial disclosures. Prusakowski is owner and chief executive officer of OPIE Software.