HIPAA

Jul 08, 2024 | 9 min | Season 1, Ep. 76

Episode description

A 48-year-old woman presents for follow up on T2DM and HTN. As part of today’s visit, routine labs are ordered. Which of the following is an appropriate form of electronic communication for sharing these results with the patient?

A. Private message through Facebook® or similar social media website with patient permission

B. Electronic fax or scan uploaded to the patient’s personal account for a third-party file sharing service (e.g., DropBox®)

C. Using encrypted email or other messaging service that is part of the patient’s electronic medical record (EMR) system

D. Text message using the patient’s personal mobile phone number
---
YouTube: https://www.youtube.com/watch?v=MH2-1Wi0NWQ&list=PLf0PFEPBXfq592b5zCthlxSNIEM-H-EtD&index=76

Visit fhea.com to learn more!

Transcript

Voiceover: Welcome to NP certification Q&A presented by Fitzgerald Health Education Associates. This podcast is for NP students studying to pass their NP certification exam. Getting to the correct test answers means breaking down the exam questions themselves. Leading NP expert Dr. Margaret Fitzgerald shares her knowledge and experience to help you dissect the anatomy of a test question so you can better understand how to arrive at the correct test answer.

So, if you're ready, let's jump right in.

Margaret Fitzgerald: A 48-year-old woman presents for follow-up on type 2 diabetes and hypertension. As part of today's visit, routine labs are ordered. Which of the following is an appropriate form of electronic communication for sharing these results with the patient?

A: Private message through Facebook or other similar social media websites with patient permission.

B: Electronic fax or scan uploaded to the patient's personal account for a third-party file sharing service, such as Dropbox.

C: Using encrypted email or other messaging service that is part of the patient's electronic medical record system.

D: Text message using the patient's personal mobile phone number.

The correct answer is C: Using an encrypted email or other messaging service that's part of the patient's electronic medical record system. What kind of a question is this? Well, not a bunch of questions like this can pop up on the NP boards.

And this would be considered to be a professional issues question. A bit of background information: a number of decades ago, the US Department of Health and Human Services, or HHS, established a set of national standards for the protection of certain health information that implement the requirement of the Health Insurance Portability and Accountability Act, or what we more commonly call HIPAA.

Yes, that's what HIPAA stands for: Health Insurance Portability and Accountability Act. The development of HIPAA corresponded with the proliferation of electronic medical records, and it is important to keep in mind that pre-electronic records, the vast majority of documentation in the healthcare setting was done on paper and therefore only available within the walls of an office, a clinic, the healthcare facility, or the like.

And then if that information needed to be shared, information had to be photocopied and shared on paper. I know that was the olden days. Major HIPAA goal is to protect an individual's health information, but still allow for the flow of information needed to provide and promote high quality healthcare. I often hear from people getting ready for the NP boards, often in a panicked voice, that they understand they might get a HIPAA question or two on the boards, and this is often followed by a comment of, ‘I don't know anything about HIPAA at the NP level.’

And my response is to remember healthcare privacy does not change due to the location of services rendered. In other words, if you're practicing at the RN level in an acute care setting where most RNs do practice, the rules of maintaining patient privacy are really, at their core, the same that you would do in the outpatient or primary care setting. In other words, if you were caring for someone in the ICU and you had a set of lab values to convey to a healthcare provider, would you simply text that other healthcare provider’s personal cell phone with a message like, ‘The patient in room 303, Mr. Cake, his hematocrit remains at 25 even after two units of blood.’

Of course, you wouldn't do that because that's not protected. You're not protected. The patient is not protected. The person who received that data would not be protected. What would you more likely do? You'd alert that individual via some type of encrypted messenger system that is within your EMR or other facility-sanctioned secure app.

Another way to think of this every day: think of how you pay a credit card bill. We all have credit cards. You go to an encrypted portal and you pay your bill in that manner, as this provides protection for both you and the credit card company. In other words, use common sense and what you know from your RN experience.

With that in mind, let's take a look at the question and the options we've been given for answers. A 48-year-old woman presents for follow-up on hypertension and type 2 diabetes. As part of today's visit, routine labs are ordered. Which of the following is an appropriate form of electronic communication to share these results with the patient?

A: Private message via Facebook or other similar social media website with the patient's permission. This is incorrect. An answer like this also raises other concerns in that the provider would be messaging the patient via a non-secure portal. Even if the patient said, ‘Hey, just look me up on Facebook messenger or whatever.’ Even if the patient asks to be contacted that way, the provider needs to inform the patient that this is inappropriate and not secure.

B: Electronic fax or scan uploaded to the patient's personal account with third-party file sharing service, something like Dropbox. Again, incorrect. Even if the patient says, ‘Hey, I'm the only person with access to my Dropbox,’ or whatever it is, this information would be transmitted via a method that is not considered secure on your end, and really is not secure on the patient's end.

C: Using an encrypted email or other messaging service that's part of the patient's electronic medical record system. This is, of course, the correct answer. One of the words that helps make this correct is the word encrypted. Look for that. That implies that the information has been altered so it is secure. And as I say that I'm very well-aware that EMRs, EHRs have been hacked. I’m 100% aware of this. At the same time, don’t do a “yeah, but” on a question like this and say, ‘Yeah, but even EMRs can be hacked.’ Bingo. You're right, you're right. No argument for me on that one. Just go with what's given that's still the best answer.

D: Text message via the patient's personal mobile phone number. Well, many, if not all, EMRs have an app that the patient can download to their phone and get messages that are considered secure.

To use the patient's personal cell phone number to message is not an appropriate, secure way to transmit protected information. The patient might be alerted via cell phone text that there's a message waiting for them all on the secure portal but will not be able to get the results directly from the cell phone.

Key takeaway: avoiding HIPAA violations goes far beyond simply not talking about patients in public or other non-secure spaces. The appropriate secure transmission of electronic information to a patient is an important part of rendering HIPAA-compliant healthcare.

Voiceover: Thank you for listening to NP certification Q&A presented by Fitzgerald Health Education Associates. Please rate, review, and subscribe to this podcast and for more NP resources, visit FHEA.com.

Transcript source: Provided by creator in RSS feed