The requirement for secure healthcare communications was established with amendments to the Health Insurance Portability and Accountability Act (HIPAA) enacted in 2013. There already was in place a duty of care to prevent the unauthorized disclosure of Protected Health Information (PHI) but, with the introduction of administrative, physical and technical safeguards in the HIPAA Security Rule, certain conditions were introduced before healthcare communications could be considered safe.
The amendments to HIPAA were a response to the growing trend towards BYOD policies. It has been calculated that as many as 80% of medical professionals use a personal mobile device to manage their workflows. Many of these medical workers use SMS and email to communicate PHI – channels of communication over which the sender has no control once messages have left their mobile devices. Furthermore, the absence of security mechanisms on mobile devices can expose PHI to unauthorized access.
Further points were considered when the rules for secure healthcare communications were drafted. These included copies of messages left indefinitely on ISPs' servers, and the volume of PHI breaches reported to the Department of Health and Human Services because a mobile device had been stolen. As a result, the rules for secure healthcare communications cover many different scenarios and possible weaknesses in a medical facility's communications structure.
The Regulations for Secure Healthcare Communications
Most of the rules for secure healthcare communications appear in the safeguards of the HIPAA Security Rule referred to above. These require that risk assessments are carried out to identify flaws in a medical facility's communications structure, and that security measures are then put in place to prevent unauthorized access to PHI where necessary. To confuse matters further, the rules for secure healthcare communications are split between “Required” and “Addressable”:
- Required safeguards mean that the security measure has to be implemented. An example of a required safeguard is that any device used to send or receive PHI must have an automatic logoff facility to prevent unauthorized access to PHI when a desktop computer or mobile device is left unattended.
- Addressable safeguards have to be implemented unless an alternative security measure offers the same level of protection for PHI or there is a justifiable reason why the safeguard is unnecessary. An example of an addressable safeguard is that all PHI must be encrypted in transit.
Why might you not need to encrypt PHI in transit? Well, some medical facilities have internal servers protected by a firewall. Provided that all electronic communications remain within the firewall, encryption would not be required. As soon as a medical professional sends an email or SMS to anybody beyond the firewall, the encryption of PHI in transit effectively becomes a required security measure.
Safe Messaging Solutions in the Healthcare Sector
The easiest and most effective way to comply with the rules for secure healthcare communications is with a secure messaging solution. Secure messaging solutions work by establishing a communications network exclusively for the use of authorized personnel within a healthcare center. All PHI sent on the network is encrypted, but secure messaging apps allow authorized personnel to send and receive messages just as they would with a commercial messaging app.
All activity on the network is logged, and access reports are produced to assist with ongoing risk assessments. Security measures are in place to stop PHI from being shared outside the network or saved to an external hard drive, while mechanisms are available to remotely retract and delete any communication sent to or from a mobile device that is subsequently stolen. Indeed, many healthcare groups choose to activate a feature that assigns “message lifespans” to secure messages.
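The controls described above (a closed roster of authorized devices, message lifespans, remote retraction for a stolen device, and an audit trail that feeds access reports) can be modelled in a few dozen lines. The following Python is an added example written for this article; it is not code from any secure messaging vendor. The device names, the roster, the `FakeClock` and the `demo()` scenario are constructed for illustration, and message bodies are stored in plain text here so the access logic stays readable; a real product would store them encrypted.

```python
"""Toy model of a closed secure-messaging network: roster-restricted delivery,
message lifespans, remote retraction for a stolen device, and an audit trail."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample roster: only these device ids are on the facility's network.
AUTHORIZED_DEVICES = {"dr-lee-phone", "nurse-ali-tablet", "ward3-desktop"}


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str            # plain text for brevity; a real system stores ciphertext
    created: float
    lifespan_s: float    # "message lifespan": unreadable once this many seconds pass
    retracted: bool = False


class SecureMessagingService:
    def __init__(self, roster: set, clock: Callable[[], float]):
        self.roster = set(roster)
        self.clock = clock                      # injectable clock so expiry is testable
        self.messages: Dict[int, Message] = {}
        self.audit_log: List[dict] = []
        self._next_id = 1

    def _audit(self, event: str, device: str, msg_id: Optional[int], outcome: str) -> None:
        # Every attempt, allowed or denied, is recorded for access reports.
        self.audit_log.append({"t": self.clock(), "event": event, "device": device,
                               "msg_id": msg_id, "outcome": outcome})

    def send(self, sender: str, recipient: str, body: str, lifespan_s: float = 3600) -> Optional[int]:
        # PHI may not leave the network: both endpoints must be on the roster.
        if sender not in self.roster or recipient not in self.roster:
            self._audit("send", sender, None, "denied: endpoint not on network")
            return None
        msg_id = self._next_id
        self._next_id += 1
        self.messages[msg_id] = Message(msg_id, sender, recipient, body, self.clock(), lifespan_s)
        self._audit("send", sender, msg_id, "ok")
        return msg_id

    def read(self, device: str, msg_id: int) -> Optional[str]:
        msg = self.messages.get(msg_id)
        if msg is None or device != msg.recipient:
            self._audit("read", device, msg_id, "denied: not recipient")
            return None
        if msg.retracted:
            self._audit("read", device, msg_id, "denied: retracted")
            return None
        if self.clock() - msg.created > msg.lifespan_s:
            self._audit("read", device, msg_id, "denied: lifespan expired")
            return None
        self._audit("read", device, msg_id, "ok")
        return msg.body

    def revoke_device(self, device: str) -> int:
        """Remote retraction for a lost or stolen device: drop it from the roster
        and retract every message it sent or received. Returns the count retracted."""
        self.roster.discard(device)
        retracted = 0
        for msg in self.messages.values():
            if device in (msg.sender, msg.recipient) and not msg.retracted:
                msg.retracted = True
                retracted += 1
        self._audit("revoke_device", device, None, "ok")
        return retracted

    def denied_events(self) -> List[dict]:
        # The slice of the audit log a risk assessment would look at first.
        return [e for e in self.audit_log if e["outcome"] != "ok"]


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    svc = SecureMessagingService(AUTHORIZED_DEVICES, clock)
    out = {}
    out["external_send"] = svc.send("dr-lee-phone", "gmail-user", "lab results")  # blocked
    m1 = svc.send("dr-lee-phone", "nurse-ali-tablet", "Bed 4: potassium 5.9", lifespan_s=600)
    out["read_by_recipient"] = svc.read("nurse-ali-tablet", m1)
    out["read_by_other"] = svc.read("ward3-desktop", m1)
    clock.now += 601                                     # lifespan of m1 has passed
    out["read_after_lifespan"] = svc.read("nurse-ali-tablet", m1)
    m2 = svc.send("ward3-desktop", "nurse-ali-tablet", "Discharge summary ready")
    out["retracted_count"] = svc.revoke_device("nurse-ali-tablet")  # tablet reported stolen
    out["read_after_revoke"] = svc.read("nurse-ali-tablet", m2)
    out["send_to_revoked"] = svc.send("dr-lee-phone", "nurse-ali-tablet", "follow-up")
    out["denied"] = len(svc.denied_events())
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the scenario in `demo()` is the order of checks in `read()`: recipient first, then retraction, then lifespan, with a log entry for every outcome, so that a stolen device produces a visible trail of denied reads rather than silent failures.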
Secure messaging solutions comply with all the conditions necessary for healthcare communications to be considered secure, and they have been shown to accelerate the cycle of communications in a medical clinic. This is because mechanisms to ensure message accountability have massively reduced phone tag. This allows medical professionals to be more productive and deliver a higher standard of healthcare to patients.