Most of the HIPAA regulations for SMS, IM and email are found within the technical safeguards of the HIPAA Security Rule. These safeguards require access controls, audit controls, integrity controls, identity authentication and transmission security to prevent unauthorized access to PHI. Among the required security measures:
- Every authorized user must be given a unique login username and PIN for the mechanism used to send and receive PHI, so that all communications containing PHI can be logged and reviewed.
- Any mechanism used to send PHI must have an automatic logoff facility. This measure is needed to prevent unauthorized access to PHI if a desktop computer or mobile device is left unattended.
- PHI must be encrypted in transit so that, should a message be intercepted on a public Wi-Fi network, the content of the message – and any PHI sent as an attachment – is “unreadable, undecipherable and unusable”.
These three security measures by themselves make it difficult for HIPAA covered entities to comply with the HIPAA regulations for SMS, IM and email. It is not difficult to establish a channel of communication that requires users to log in, but reviewing all of their activity and logging them off when they are finished is much harder.
The issue of encryption is also tricky. Any encryption solution used to communicate PHI securely between healthcare groups, medical workers, Business Associates and other covered groups would have to work across multiple operating systems and devices – and have a standard decryption key. It was for this reason that an exemption was put in place for the electronic communication of PHI between medical professionals and their patients.
HIPAA Regulations for SMS, IM and Email
The HIPAA regulations for SMS, IM and email are extremely complicated, and may apply to covered groups differently depending on their size, the nature of the service they provide and the volume of PHI they send. However, there is a solution that meets the HIPAA regulations for SMS, IM and email regardless of a group’s operating structure – secure messaging.
Secure messaging works in much the same manner as SMS or IM. Secure messaging apps can be used to send and receive encrypted text messages, share images and conduct group discussions. The apps operate across all operating systems and devices, but only once a user has authenticated their identity with a centrally issued username and PIN.
Security measures are in place not only to stop unauthorized access to PHI when a desktop computer or mobile device is left unattended, but also to stop the copying and pasting of PHI, the saving of PHI to an external hard drive, or the sharing of PHI to a third party outside the group’s network of authorized users.
All activity on the network is reviewed, and further security measures alongside the automatic logoff exist to safeguard the integrity of PHI. For example, if an authorized user's mobile device is lost or stolen, controls on the secure messaging platform allow administrators to remotely erase any communication containing PHI and lock the secure messaging app.
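The following is an added example, not code from the original article or from any secure messaging vendor. It sketches, in a few dozen lines of Python, how the safeguards listed under the Security Rule above (a unique credential per user, automatic logoff after an idle period, an audit trail of every access to PHI) and the lost-device controls described in this paragraph (remote erase of cached PHI and locking of the device) fit together in one server-side component. The user names, device names, five-minute timeout and message text are all constructed for illustration; encryption in transit is assumed to be handled by the transport layer and is not shown.

```python
# Added example (not from the original article): a minimal secure-messaging
# server enforcing unique user IDs with per-session tokens, automatic logoff
# after an idle period, an audit log of every PHI access, and remote wipe/lock
# of a lost device. All names, timeouts and messages are constructed.
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 300  # assumed policy: log off after five idle minutes


@dataclass
class Session:
    user_id: str
    device_id: str
    last_activity: float
    active: bool = True


class SecureMessagingServer:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable so a test can advance time
        self.sessions = {}            # session token -> Session
        self.inbox = {}               # user_id -> list of (sender, text)
        self.device_cache = {}        # device_id -> PHI cached on that device
        self.locked_devices = set()
        self.audit_log = []           # (time, user_id, event, detail)

    def _audit(self, user_id, event, detail=""):
        self.audit_log.append((self.clock(), user_id, event, detail))

    def login(self, user_id, device_id):
        # A device reported lost is locked: valid credentials no longer help.
        if device_id in self.locked_devices:
            self._audit(user_id, "LOGIN_DENIED", f"device {device_id} locked")
            raise PermissionError("device is locked")
        token = secrets.token_urlsafe(32)   # unique, unguessable per session
        self.sessions[token] = Session(user_id, device_id, self.clock())
        self._audit(user_id, "LOGIN", device_id)
        return token

    def _require_session(self, token):
        session = self.sessions.get(token)
        if session is None or not session.active:
            raise PermissionError("no active session")
        if self.clock() - session.last_activity > self.idle_timeout:
            session.active = False          # automatic logoff
            self._audit(session.user_id, "AUTO_LOGOFF", session.device_id)
            raise PermissionError("session expired: idle too long")
        session.last_activity = self.clock()
        return session

    def send(self, token, recipient, text):
        session = self._require_session(token)
        self.inbox.setdefault(recipient, []).append((session.user_id, text))
        self._audit(session.user_id, "SEND", f"to {recipient}")

    def read(self, token):
        session = self._require_session(token)
        messages = list(self.inbox.get(session.user_id, []))
        # What the app displays is cached on the device; a wipe clears it.
        self.device_cache[session.device_id] = messages
        self._audit(session.user_id, "READ", f"{len(messages)} message(s)")
        return messages

    def remote_wipe(self, admin_id, device_id):
        # Lost/stolen device: end its sessions, clear cached PHI, lock it.
        for session in self.sessions.values():
            if session.device_id == device_id:
                session.active = False
        self.device_cache[device_id] = []
        self.locked_devices.add(device_id)
        self._audit(admin_id, "REMOTE_WIPE", device_id)


def demo(now=None):
    """Run a constructed scenario on a controllable clock; return a summary."""
    now = now if now is not None else [1000.0]
    srv = SecureMessagingServer(clock=lambda: now[0])
    doctor = srv.login("dr_smith", "phone-1")
    srv.send(doctor, "nurse_jones", "constructed PHI: patient 1234 labs are back")
    nurse = srv.login("nurse_jones", "tablet-7")
    first_read = srv.read(nurse)
    now[0] += IDLE_TIMEOUT_SECONDS + 1      # tablet left unattended
    try:
        srv.read(nurse)
        auto_logoff = False
    except PermissionError:
        auto_logoff = True
    srv.remote_wipe("admin", "tablet-7")    # tablet reported lost
    try:
        srv.login("nurse_jones", "tablet-7")
        relogin_blocked = False
    except PermissionError:
        relogin_blocked = True
    return {"first_read": first_read, "auto_logoff": auto_logoff,
            "cache_after_wipe": srv.device_cache["tablet-7"],
            "relogin_blocked": relogin_blocked,
            "events": [e[2] for e in srv.audit_log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module plays through the scenario: the nurse reads the doctor's message, the idle timeout logs her off before the second read, and the remote wipe empties the tablet's cache and refuses any later login from that device. The audit log is the piece auditors ask for: every login, send, read, automatic logoff and wipe lands there with a timestamp and the acting user, which is what makes the "review all activity" requirement above checkable rather than aspirational.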
The Advantages of Secure Messaging
Complying with the HIPAA regulations for SMS, IM and email by establishing a secure messaging solution brings significant advantages – especially for healthcare groups. Being able to send and receive PHI “on the go” minimizes the amount of time on-call doctors and community nurses spend playing phone tag. Group messaging features accelerate the communications cycle and can cut the length of time it takes to complete hospital admissions and patient discharges.