Viewpoints

Technology and Plastic Surgery

Potential Pitfalls for Patient Confidentiality and Proposed Solutions

Patel, Ashit M.B.Ch.B.; Motakef, Saba M.D.; Ingargiola, Michael J. M.D.; Chung, Michael T. M.D.; Gupta, Subhas C. M.D., Ph.D.

Plastic and Reconstructive Surgery: July 2015 - Volume 136 - Issue 1 - p 130e-131e
doi: 10.1097/PRS.0000000000001379

Sir:

Technological advances have been embraced by the medical profession and lauded for their potential to facilitate communication, consultation, and coordinated patient care. These technologies are especially useful in plastic surgery. Images have long been a critical means by which plastic surgeons are able to document, evaluate, and communicate patient information. Digital imaging and mobile Internet have greatly simplified the sharing of this information. At hospitals across the nation, computers, tablets, and smartphones are used daily to discuss patient care and exchange images and other data.

Careless use of these technologies can lead to disastrous breaches in patient confidentiality. Devices may be lost or stolen, or messages containing protected health information can be intercepted. It is important to note that no device or application is Health Insurance Portability and Accountability Act compliant.¹ Therefore, the Health Insurance Portability and Accountability Act–compliant use of specific technologies can only be achieved by appropriate precautions that specifically address their risks. Furthermore, any third parties that handle protected health information for a covered entity are referred to as “business associates” and are required to sign a business associate agreement to ensure compliance. Commonly used technologies and important pitfalls are discussed below²:

  • Short Messaging System messaging: These systems are not Health Insurance Portability and Accountability Act–compliant because data are not encrypted and are stored on a third-party server.
  • iMessage and FaceTime: These technologies are not Health Insurance Portability and Accountability Act compliant. Although data exchanged by means of these modalities are said to be encrypted, a business associate agreement is not currently offered by Apple for these applications.
  • Google Apps: Although Google Apps Free Edition is not Health Insurance Portability and Accountability Act compliant, Google will enter a business associate agreement to support Health Insurance Portability and Accountability Act compliance for Google Apps for Business (a fee-based service).
  • Cloud-based services: Security protocols differ for these services. Dropbox keeps “metadata,” a listing of all file names, and does not maintain appropriate audit controls and is thus noncompliant. Applications that can make Dropbox Health Insurance Portability and Accountability Act compliant (e.g., Sookasa) are available for a fee. Another popular, cloud-based application, 123D Catch, generates three-dimensional images from photographs. However, it remains unclear whether these data are encrypted, and a business associate agreement is not currently offered.

So how can compliance be maintained in this complicated environment? A number of strategies have been described to secure protected health information on mobile devices³:

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Disable and do not install or use file sharing applications.
  • Install and enable a firewall.
  • Install and enable security software.
  • Keep security software up to date.
  • Research mobile applications before downloading.
  • Maintain physical control of your devices.
  • Use adequate security to send or receive protected health information over Wi-Fi networks.
  • Delete all stored protected health information before discarding or reusing mobile devices.

Most medical centers also offer physicians Health Insurance Portability and Accountability Act–compliant e-mail applications that can be used to share protected health information. Two applications that were specifically designed to support Health Insurance Portability and Accountability Act–compliant texting include TigerText and Cureatr. Of course, remember to check and follow your organization’s policies and protocols for Health Insurance Portability and Accountability Act compliance. By applying these strategies, plastic surgeons can take advantage of today’s latest technologies while safeguarding protected health information and avoiding costly penalties.

DISCLOSURE

None of the authors have a financial interest in any of the products or devices mentioned in this article.

Ashit Patel, M.B.Ch.B.

Department of Surgery

Division of Plastic Surgery

Albany Medical Center

Albany, N.Y.

Saba Motakef, M.D.

Department of Plastic Surgery

Loma Linda University

Loma Linda, Calif.

Michael J. Ingargiola, M.D.

Department of Surgery

Division of Plastic and Reconstructive Surgery

Mount Sinai Hospital

New York, N.Y.

Michael T. Chung, M.D.

Department of Surgery

Division of Plastic, Maxillofacial, and Oral Surgery

Duke University

Durham, N.C.

Subhas C. Gupta, M.D., Ph.D.

Department of Plastic Surgery

Loma Linda University

Loma Linda, Calif.

REFERENCES

1. Hardiman M, Edwards T. Clarifying the confusion about HIPAA-compliant texting. Available at: https://www.perfectserve.com/hospital/docs/PerfectServe-Clarifying-Confusion-About-HIPAA-Compliant-Electronic-Communication.pdf. Accessed November 20, 2014.
2. Patel A. HIPAA compliance and smartphone communications. Available at: http://journals.lww.com/plasreconsurg/blog/PRSonallySpeaking/pages/post.aspx?PostID=209. Accessed November 20, 2014.
3. Office of the National Coordinator for Health Information Technology. Take steps to protect and secure information when using a mobile device. Available at: http://www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf. Accessed November 20, 2014.


© 2015 American Society of Plastic Surgeons