Why Modern Technology May Not be HIPAA Compliant
With more medical professionals using personal mobile devices to communicate and collaborate on patient concerns, it is important that healthcare organizations address the use of technology and HIPAA compliance.
Many frequently used communication channels are not HIPAA compliant. Insecure channels generally include SMS, Skype and email, because copies of messages are retained on service providers' servers over which the healthcare organization has no control (and SMS, in addition, crosses the carrier network with no end-to-end encryption at all).
The Security Rule's technical safeguards list a series of implementation specifications that any technology handling PHI must address. Three of them are:
- Protected Health Information (PHI) should be encrypted at rest and in transit. Encryption is an “addressable” specification: an organization must implement it or document why an equivalent alternative is reasonable, and in practice it is the expected control, since only PHI that was encrypted when it was lost or stolen is exempt from breach notification.
- Each medical professional authorized to access and communicate PHI must have a “Unique User Identifier” (a required specification) so that every access to PHI can be attributed to one person and monitored.
- Any technology used to comply with HIPAA must have an automatic log-off (also addressable) that ends an idle session, so that PHI cannot be accessed by an unauthorized person when a mobile device is left unattended (this applies equally to desktop computers).
There are plenty more specifications for the use of technology and HIPAA compliance, but let's start with these three and look at why modern technology may not be HIPAA compliant.
Issues with Encryption
Encryption matters because, if a breach of PHI occurs, any data that is acquired will be unreadable, undecipherable and unusable to the attacker. Although mechanisms exist to encrypt email (S/MIME, PGP) and some chat services, they only protect a conversation when both ends support a compatible scheme, which in practice means every user in a healthcare organization running the same encryption software; a single unencrypted participant breaks the protection, and standard SMS has no end-to-end encryption at all.
In addition, service providers such as Verizon, Skype and Google hold copies of the messages on their servers. Unless a message is encrypted end to end on the device before it is sent, the provider can read the PHI; and even where it cannot, a provider that stores PHI on a healthcare organization's behalf is a business associate that must sign a Business Associate Agreement and accept responsibility for safeguarding that data, something we already know Skype will not do and doubt that Verizon or Google would be happy with!
Monitoring Authorized Users
Whatever mechanism a healthcare organization chooses, it has to include a system whereby access to and use of PHI is monitored. This is needed not only to check that authorized users are complying with secure messaging policies (audit controls and regular review of system activity are requirements of the Security Rule), but also to feed the risk analysis that the Security Rule requires and that the HIPAA audit protocol checks for.
To monitor access to and use of PHI, each authorized user must be allocated a unique user identifier that they present whenever they log in to any system that gives access to PHI. Identifiers must be issued centrally, so that administrators can lock or revoke a user's access at once (for example when a device is lost or a member of staff leaves) and so that every entry in the audit trail is attributable to one person; shared or generic logins defeat both purposes.
Automatic Log Offs
Automatic log-offs are an essential security feature of any mechanism introduced to comply with HIPAA. Most commercially available text-messaging apps, Skype and Gmail have a manual log-off feature, but how many people use it? The automatic log-off requirement ensures that if a mobile device or desktop computer is left unattended, the user's session is terminated after a short period of inactivity, so a third party picking up the device cannot read or send PHI. The idle period should be measured in minutes, not hours, and the log-off should be enforced on the server side rather than relying solely on a timer in the client app.
Naturally, these three specifications are just the tip of the iceberg. Any technology used to comply with HIPAA must ensure the end-to-end security of communications and have measures in place to prevent the accidental or malicious compromise of PHI.
Messaging Solutions for Healthcare Organizations
One tried and tested messaging solution for healthcare organizations is secure texting. Secure texting enables medical professionals to maintain the speed and convenience of mobile devices, but confines their HIPAA-related activities to within a private communications network.
Authorized users access the network via secure texting apps that can be downloaded onto any mobile device or desktop computer irrespective of their operating system. The apps connect authorized users with each other and support the sharing of images, documents and videos.
Safeguards prevent PHI from being transmitted beyond the healthcare organization's network, copied and pasted, or saved to an external hard drive. All activity is monitored by a cloud-based “Software-as-a-Service” platform that produces activity reports and audits for the purposes of compliance oversight and risk assessment. Since that platform stores PHI on the organization's behalf, the vendor operating it is a business associate and must sign a Business Associate Agreement.
System administrators have the ability to set message lifespans so that messages are removed from a user's app after a predetermined period of time, and can remotely retract and delete any message that may be in breach of the healthcare organization's secure messaging policy.
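To make these controls concrete, here is an added example (not code from the original article or from any vendor's product) of a toy secure-messaging back end in Python. It implements the centrally issued unique user identifiers, audit trail, idle-timeout automatic log-off and administrative lock-out discussed under the Security Rule specifications above, together with the message lifespans and remote retraction described in this section. Every name, message and timestamp in it is constructed; the 300-second idle timeout and 24-hour default lifespan are assumed values, and encryption at rest and in transit is left to the storage and TLS layers, which the model omits.

```python
"""Constructed model of a secure-texting back end: names, messages and timestamps are
made up, in-memory dicts stand in for a database, and encryption at rest and in transit
is assumed to come from the storage and TLS layers, which are omitted here."""
import uuid

IDLE_TIMEOUT = 300            # assumed: seconds of inactivity before automatic log-off
DEFAULT_LIFESPAN = 24 * 3600  # assumed: seconds a message stays visible on a device


class SecureMessaging:
    def __init__(self):
        self.users = {}        # user_id -> display name of each enrolled, authorized user
        self.disabled = set()  # user_ids an administrator has locked
        self.sessions = {}     # session token -> [user_id, last_activity]
        self.messages = {}     # msg_id -> dict(recipient, body, expires_at, retracted)
        self.audit = []        # (timestamp, user_id, event, detail)

    def _log(self, now, user_id, event, detail=""):
        self.audit.append((now, user_id, event, detail))

    def provision_user(self, display_name, now):
        user_id = f"u-{uuid.uuid4()}"  # unique ID issued centrally, never chosen by the user
        self.users[user_id] = display_name
        self._log(now, "admin", "provision", user_id)
        return user_id

    def disable_user(self, user_id, now):
        self.disabled.add(user_id)  # central lock-out; live sessions are cut off on next use
        self._log(now, "admin", "disable", user_id)

    def login(self, user_id, now):
        if user_id not in self.users or user_id in self.disabled:
            self._log(now, user_id, "login_denied")
            raise PermissionError("unknown or disabled user")
        token = uuid.uuid4().hex
        self.sessions[token] = [user_id, now]
        self._log(now, user_id, "login")
        return token

    def _authenticate(self, token, now):
        """Resolve a session token to a user, enforcing revocation and automatic log-off."""
        if token not in self.sessions:
            raise PermissionError("no such session")
        user_id, last_activity = self.sessions[token]
        if user_id in self.disabled:
            del self.sessions[token]
            self._log(now, user_id, "session_revoked")
            raise PermissionError("account disabled")
        if now - last_activity > IDLE_TIMEOUT:
            del self.sessions[token]
            self._log(now, user_id, "auto_logoff", f"idle {now - last_activity:.0f}s")
            raise PermissionError("session expired after inactivity")
        self.sessions[token][1] = now  # activity observed: restart the idle clock
        return user_id

    def send(self, token, recipient, body, now, lifespan=DEFAULT_LIFESPAN):
        sender = self._authenticate(token, now)
        if recipient not in self.users:  # PHI never leaves the closed network
            raise ValueError("recipient is not an enrolled user")
        msg_id = uuid.uuid4().hex
        self.messages[msg_id] = {"recipient": recipient, "body": body,
                                 "expires_at": now + lifespan, "retracted": False}
        self._log(now, sender, "send", f"{msg_id} -> {recipient}")
        return msg_id

    def inbox(self, token, now):
        user_id = self._authenticate(token, now)
        visible = [m["body"] for m in self.messages.values() if m["recipient"] == user_id
                   and not m["retracted"] and now < m["expires_at"]]
        self._log(now, user_id, "read", f"{len(visible)} messages")
        return visible

    def retract(self, msg_id, now):
        self.messages[msg_id]["retracted"] = True  # remote retraction of a policy breach
        self._log(now, "admin", "retract", msg_id)


def refused(action):
    """True if the access checks refused the action."""
    try:
        action()
        return False
    except PermissionError:
        return True


def demo():
    """Exercise each control on constructed data and return what was observed."""
    svc, t0 = SecureMessaging(), 1_700_000_000.0
    doc, rn = svc.provision_user("Dr. Example", t0), svc.provision_user("Nurse Example", t0)
    doc_tok, rn_tok = svc.login(doc, t0), svc.login(rn, t0)
    svc.send(doc_tok, rn, "Bed 4: K+ 6.1, please recheck", t0 + 10, lifespan=600)
    note = svc.send(doc_tok, rn, "Bed 4 full name and DOB", t0 + 30)
    results = {"after_send": len(svc.inbox(rn_tok, t0 + 40))}
    svc.retract(note, t0 + 50)  # an administrator pulls a message that over-shares PHI
    results["after_retract"] = len(svc.inbox(rn_tok, t0 + 60))
    results["idle_refused"] = refused(lambda: svc.inbox(rn_tok, t0 + 60 + IDLE_TIMEOUT + 1))
    rn_tok = svc.login(rn, t0 + 400)  # the old token was destroyed by the automatic log-off
    results["after_lifespan"] = len(svc.inbox(rn_tok, t0 + 620))  # first message expired at t0+610
    svc.disable_user(doc, t0 + 630)
    results["revoked"] = refused(lambda: svc.send(doc_tok, rn, "late note", t0 + 640))
    results["relogin_denied"] = refused(lambda: svc.login(doc, t0 + 650))
    results["events"] = [event for _, _, event, _ in svc.audit]
    return results
```

Two design points are worth noting. The idle check refuses and logs the request that arrives after the timeout rather than trusting a timer in the client, so an app that was killed or a device with a wrong clock cannot keep a session alive; and every refused action, not only the successful ones, produces an audit record, which is what an activity report for risk analysis needs.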
The Right Technology to Comply with HIPAA has its Advantages
The correct use of technology and HIPAA compliance has its advantages. In medical facilities where secure texting solutions have been implemented, healthcare organizations have reported an acceleration of the communications cycle, leading to workflows being streamlined, productivity being enhanced and patient satisfaction being improved.
Primarily these advantages are due to features such as delivery notifications and read receipts substantially reducing the amount of time medical professionals spend making follow-up calls or waiting for a reply to their messages (“phone tag”). Specific areas that have benefitted from the introduction of technology to comply with HIPAA include:
- On-call physicians, first responders and community nurses can communicate PHI on the go using secure texting.
- Images, documents and videos can be attached to secure text messages, which can then be used at distance to determine accurate diagnoses.
- Secure texting can be used to streamline the administration process of hospital admissions and discharges – significantly reducing patient wait times.
- Activity reports simplify risk assessments, and when integrated with an EHR, secure texting also helps healthcare organizations meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.
Some Final Thoughts on the Use of Technology and HIPAA Compliance
When done correctly, the use of technology to comply with HIPAA can be exceptionally beneficial to a healthcare organization. Secure texting solutions are straightforward to implement, requiring no investment in new hardware and little of an organization's IT resources.
The secure texting apps operate in a similar fashion to commercially available messaging apps (except for the automatic log-offs), so it will not be necessary to drain administrative resources on training, although it will be necessary to appoint communications security personnel to develop secure texting policies and to oversee compliance.
Although the technology to comply with HIPAA will not by itself make a healthcare organization fully compliant with the requirements of the Health Insurance Portability and Accountability Act (other measures need to be adopted to ensure full compliance), the use of appropriate technology will enable a healthcare organization to meet the administrative, physical and technical safeguards of the HIPAA Security Rule, something that many other forms of communication fail to achieve.