Improving Patient Privacy, Workflow with HIPAA Compliant Forms

Indiana Health Group implemented HIPAA compliant forms to help maintain patient privacy without impeding provider workflow.

By Elizabeth Snell

Cloud-based services are quickly becoming more common in healthcare, especially as organizations are trying to find HIPAA compliant ways of keeping ePHI secure. However, these tools cannot hinder how physicians and staff members perform daily operations.

Indiana Health Group (IHG) recently implemented HIPAA compliant forms through Formstack, which lets patients manage forms across multiple touchpoints. It is a cloud-based data capture tool, and is a much more efficient way to collect and store sensitive data securely, according to IHG President Dr. Chris Bojrab.

Bojrab explained that he is a board certified psychiatrist and has been practicing for about 20 years. IHG is a large, multidisciplinary mental health practice that has been around for 30 years.

“We have a total of about 55 clinical staff and about 15 support staff,” Bojrab said. “We have psychiatrists, psychologists, and therapists. We're multidisciplinary across multiple fields but it's all mental health.”

Bojrab added that he does outpatient psychiatry, which means that he sees patients in the office for evaluations and assessments. Most of what he does is outpatient pharmacology, which is medication management, and he specializes in more treatment refractory patients.

“I do see a handful of therapy patients, but most of my day is spent working with patients on the medication and their treatment plan.”

The forms are essentially the new patient questionnaire, Bojrab explained.

“It just collects their demographic data, their insurance data, and then, essentially, past medical and psychiatric history,” he said. “This is a fairly substantial set of paperwork that we would've previously mailed out to the patient ahead of time.”

A very small percentage of patients would be willing to arrive 45 minutes prior to their scheduled appointment to handle the paperwork, Bojrab noted. This is why another option was needed.

Patients would arrive and IHG would either be forced to run far behind or they would say, "Well, if you don't have it just come on in the office and we'll just try to do that on the fly," Bojrab recalled.

That made the time with the patient less efficient, he pointed out. The idea of having a more fluid way of collecting that information ahead of time was very appealing.

Previously, IHG had been using a different online form provider. However, as HIPAA regulations became clearer, Bojrab said he was becoming increasingly uncomfortable that there was even the slightest possibility IHG was not meeting all guidelines.

After shopping around – even considering options through Google – Bojrab explained that they came across Formstack. He had worked with them before, albeit in a more limited way. Even so, Bojrab said he was familiar with their system and saw that Formstack was offering a HIPAA compliant system for a fraction of the cost other companies were talking about charging.

Bojrab admitted that he is also “a real technophile,” and that he loves the concept of cloud-based services.

“Anything that we can shuffle off to the cloud and let other people manage who are experts in that field, just makes all the sense in the world,” he stated.

Bojrab continued that he is very interested in anything that can be done to help with efficiency, as that's one of the main ways to affect cost savings for patients in the long run.

He has also supported the concept of electronic health records since its onset, Bojrab added.

“We were relatively early adopters of that technology,” he said. “We started using our electronic health record back in 2006, when I started beta testing it with the company that we use. We did a little horse trading with them.”

“We were their first mental health practice,” he continued. “I basically traded some of my time to help them develop some of their templates for use in mental health and they gave us a discount on the service.”

However, Bojrab said not having a very “fleshed out” patient portal was a frustrating part of having the EHR.

“In our effort to try to do some online data collection that was always a challenge,” he explained. “Unfortunately, we found that when we would try to mail out patient questionnaires that frequently patients would either not complete them, or they would complete them and forget to bring the forms with them, and they would show up and have to do them again.”

The IHG forms are fairly comprehensive, Bojrab said, and may take patients 30 or 40 minutes to complete.

“Patients are usually not arriving that far ahead of their appointment,” he stated. “It just becomes a real patient flow difficulty when we were doing things on a paper basis. I really liked the idea of trying to see what we could collect online ahead of time as opposed to paper things that we had to mail out and rely on patients completing and bringing back.”

How the online forms keep patient data secure

“The cloud based system that we're using is HIPAA compliant, it's an encrypted system,” Bojrab said. “I'm not sure if it's 128 or 256 encryption but it certainly meets the requirements for storage of information.”

Additionally, IHG can maintain a good audit trail, allowing it to track individual users and know who is logging in to access what types of information.

“We have the ability to specify which people in our organization have access to which pieces of information,” he stated. “That of course, has been a really critical part and probably one of the biggest points of vulnerability for a lot of what other practices are doing.”

For example, having just one login and password inherently opens up the possibility for data breaches, Bojrab said. This is especially the case when an employee leaves a practice, or if staff members are not being as attentive to things as they should.

“Essentially, this is never sending information in the open,” Bojrab explained. “The model is a notification via generic e-mail. When a patient logs on to the website, they're redirected to the Formstack page with our patient questionnaire. They can enter their data there and that all stays secure on the encrypted server.”

“The only thing that's communicated to us is, ‘Hey you have a new patient registration,’” he continued. “Every day our new patient coordinators log on to that secure server using their individual identity and password and are able to capture and either download or import that patient's questionnaire directly from the system. It's never being sent in an unencrypted fashion.”

A similar approach is taken with patient communication, Bojrab said. If individuals go to the IHG website, its "Contact Us" page links to another Formstack form. IHG uses it for a more compliant communication system.

“Whether they're requesting a refill of a medication, whether they have a question or concern, if they have a billing issue, or if they're wanting to change or make an appointment, they can select that option that helps to route the notification,” he explained.

“What we receive on our end is simply, ‘Check the server for this message,’” Bojrab observed. “Then the appropriate person, whether it's a biller, one of our medical assistants, or one of our scheduling people, they can then log into the system, capture that information, import it into our system, and contact the patient to address the issue.”

Maintaining patient privacy without compromising workflow

It can be especially tough for healthcare organizations to find that right balance between innovation and security, Bojrab said. It can also largely depend on the type of entity. Larger hospital systems will have the resources and the personnel to manage that at a very high level.

“If I'm an employed position working for a large hospital system, I don't have to worry about this,” he pointed out. “The hospital's taking care of this and taking care of me and I'm sure that they're really making sure that every T is crossed and I is dotted.”

“For those of us in the private practice model I think we worry much more about that,” Bojrab continued. “A quarter of a million dollar fine for a security breach may sting a little bit if you're a hospital system, but that could just be devastating to an individual medical practice.”

For the most part, healthcare workers may worry about potential security incidents more than the patients, he suggested. Patients sometimes value convenience almost more than they value security.

For example, a patient might not want to go through the messaging system, and instead wants to send his or her physician a direct email. There are forms where patients can give consent to using a less secure method of communication if they want, but Bojrab says they recommend against it. However, patients can still technically opt for it.

The secure messaging options are also in fact a time saver for physicians and clinicians, Bojrab added. If he receives an unsecure text or email, he then needs to ask that patient to go to the website and submit this information through the IHG form.

Then, he needs to get to a computer, log into the EHR system, look the patient up, create a note, paste the information in there, and then take care of whatever needs to be functionally completed.

“However, if you simply send this through the regular channels that all happens automatically and it saves me probably 30 minutes of time,” Bojrab explained. “Having that kind of process in place is important and actually is just a time saver.”
