With more medical staff using personal mobile devices to send and collaborate on patient issues, it is important that healthcare groups address the use of technology and HIPAA compliance.
Many forms of often-used communication are not HIPAA compliant. Unsecure channels of communication typically include SMS, Skype and email because duplicates of messages are left on service suppliers’ servers over which a healthcare organization has no management.
The Security Rule includes a series of specifications for technology to adhere with HIPAA. These include:
- All Protected Health Information (PHI) must be encrypted at rest and on the move.
- Each medical worker authorized to access and send PHI must have a “Unique User Identifier” so that their use of PHI can be reviewed.
- The use of any technology to adhere with HIPAA must have an automatic log off to stop unauthorized access to PHI when a mobile device is left unattended (this is also applicable to desktop computers).
There are many more specifications for the application of technology and HIPAA compliance, but let’s start with these three and look at why new technology may not be HIPAA compliant.
Problems with Encryption
The reason why encryption is so vital is that, if a breach of PHI happens, any data that is see will be unreadable, undecipherable and unusable. Although mechanisms are in place to encrypt messages sent by SMS, Skype and email, every user within a healthcare group must be using the same operating system and have the same encryption/decryption software in order for the mechanisms to be properly implemented.
Along with this problem, service suppliers such as Verizon, Skype and Google would have access to the PHI copied onto their servers. Although the data is encrypted, they would still be obligated to sign Business Associate Agreements and would manage the integrity of the encrypted data.
Managing Authorized Users
Whatever mechanism for the use of technology and HIPAA compliance is opted for by a healthcare group, it has to have a system whereby access to and the use of PHI is reviewed. This is not only due to making sure that authorized users are adhering with secure messaging policies (a requirement of the HIPAA administrative safeguards), but also to complete risk assessments (a requirement of the HIPAA audit protocol).
In order to review access to and the use of PHI, there has to be a process whereby each authorized user is given a unique user identifier which they must use whenever signing into a mechanism that gives them access to PHI. This unique user identifier must be centrally allocated, so that admins can PIN-lock the user’s access to PHI if necessary.
Automatic Logging Users Off
Automatic log offs are an essential security feature for mechanisms created to adhere with HIPAA. Most commercially available text-messaging apps, Skype and Gmail have a log off feature, but how many people implement them? The automatic log off requirement sees to it that if a mobile device or desktop computer is left unattended, the user will be logged off from the technology to comply with hipaa in order to prevent unauthorized access to PHI by a third party.
Of course these three specifications for the use of technology and HIPAA compliance are just the beginning. Any technology to comply with HIPAA must have ensure the end-to-end security of communications and have features in place to prevent the accidental or malicious infiltration of PHI.
Messaging Solutions for Healthcare Groups
One messaging solution for healthcare groups is secure texting. Secure texting allows medical professionals to maintain the speed and convenience of mobile devices, but restricts their HIPAA-related activities to within a private communications network.
Authorized users access the network through secure texting apps that can be installed onto any mobile device or desktop computer irrespective of their operating system. The apps link authorized users with each other and support the sharing of images, documents and videos.
Safeguards exist to stop PHI from being sent beyond the healthcare group’s network, copied and pasted or saved to an external hard drive. All activity is reviewed by a cloud-based “Software-as-a- Service” platform that produces activity reports and audits for the aim of compliance oversight and risk assessment.
System administrators can set message lifespans in order that messages are deleted from a user´s app after a predetermined duration of time, and can remotely retract and delete any message that may be in breach of the healthcare group’s secure messaging policy.
The Correct Technology to Adhere with HIPAA has its Benefits
The correct use of technology and HIPAA compliance has its benefits. In medical centers where secure texting solutions have been implemented, healthcare groups have reported an acceleration of the communications cycle, leading to workflows being streamlined, productivity being improved and patient satisfaction being bolstered.
Mainly these advantages are due to features like delivery alerts and read receipts substantially bringing down the amount of time medical workers spend making follow-up calls or waiting for an answer to their messages (“phone tag”). Specific areas that have benefitted from the introduction of technology to adhere with HIPAA include:
- On-call physicians, first responders and community nurses can share PHI on the go using secure texting.
- Images, documents and videos can be included in secure text messages, which can then be used at distance to determine accurate diagnoses.
- Secure texting can be used to streamline the management process of hospital admissions and discharges – significantly minimizing patient wait times.
- Activity reports simplify risk assessments while, when linked with an EHR, secure texting also helps healthcare groups meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.
When done properly, the use of technology and HIPAA compliance can be very beneficial to a healthcare group. Secure texting solutions are straightforward to put in place – requiring zero investment in new hardware or an organization’s IT resources.
The secure texting apps work in a similar fashion to commercially available messaging apps (except for the automatic log offs), so it won’t drain administrative resources to supply training – although it will be required to appoint communications security personnel to develop secure texting policies and to manage compliance.
Although the technology to adhere with HIPAA will not make a healthcare group fully compliant with the requirements of the Health Insurance Portability and Accountability Act (other measures need to be implemented to ensure full compliance), the use of the proper technology will enable a healthcare group to comply with the administrative, physical and technical requirements of the HIPAA Security Act – something that many other forms of communication fail to complete.