As the number of medical professionals using personal mobile devices to communicate and collaborate on patient concerns increases, it becomes more and more important for healthcare groups to address the use of technology and HIPAA compliance.
Many of the most commonly used forms of communication do not comply with HIPAA. Insecure channels of communication typically include SMS, Skype and email, because copies of messages remain on service providers' servers over which a healthcare organization has no management power.
The Security Rule lists a range of specifications for technology to comply with HIPAA. These include:
- All Protected Health Information (PHI) must be encrypted at rest and in transit.
- Each medical professional given permission to access and communicate PHI must have a “Unique User Identifier” so that their use of PHI can be reviewed.
- Any technology deployed to comply with HIPAA must have an automatic log-off to stop unauthorized access to PHI when a mobile device is left unattended (this also applies to desktop computing devices).
There are many more specifications for the deployment of technology and HIPAA compliance, but let's begin with these three and look at why modern technology may not be HIPAA compliant.
Complications with Encryption
The reason why encryption is so vital is that, if a breach of PHI occurs, any data that is accessed will be unreadable, undecipherable and unusable. Although mechanisms exist to encrypt messages sent by SMS, Skype and email, every user within a healthcare group must be using the same operating system and have the same encryption/decryption software in order for the mechanisms to be used properly.
Along with this issue, service providers such as Verizon, Skype and Google would have access to the PHI copied onto their servers. Even though the data is encrypted, they would still have to sign Business Associate Agreements and would be charged with the integrity of the encrypted data – something we already know Skype will not do and doubt that Verizon or Google would be happy with!
Reviewing Authorized Users
Whatever mechanism for the deployment of technology and HIPAA compliance is chosen by a healthcare group, it has to have a system whereby access to and the use of PHI is reviewed. This is not only to make sure that authorized users are adhering to secure messaging policies (a requirement of the HIPAA administrative safeguards), but also to carry out risk assessments (a requirement of the HIPAA audit protocol).
So that the use of PHI can be reviewed, there has to be a process whereby each authorized user is given a unique user identifier, which they must use whenever logging into a mechanism that gives them access to PHI. This unique user identifier must be centrally allocated, so that admins have the ability to PIN-lock the user's access to PHI if required.
Automatically Logging Off
Automatic log-offs are a vital security feature for mechanisms introduced to comply with HIPAA. Most commercially available text-messaging apps include a log-off feature, but how many people use them? The automatic log-off requirement means that if a mobile device or desktop computer is left unattended, the user will be disconnected from the technology in order to block unauthorized access to PHI by a third party.
Of course these three specifications for the use of technology and HIPAA compliance are just the beginning. Any technology used to comply with HIPAA must ensure the end-to-end security of communications and have measures in place to stop the accidental or malicious compromising of PHI.
Messaging Solutions for Healthcare Groups
One messaging solution that has proven successful for healthcare organizations is secure texting. Secure texting gives medical professionals a speed and convenience similar to ordinary mobile messaging, but confines their HIPAA-related activities to a private communications network.
Authorized users log on to the network via secure texting apps that can be installed onto any mobile device or desktop computer irrespective of their operating system. The apps link authorized users with each other and support the sending of images, documents and videos.
Security measures are in place to stop PHI from being transmitted beyond the healthcare group's network, copied and pasted, or placed on an external hard drive. All activity is overseen by a cloud-based "Software-as-a-Service" platform that produces activity reports and audits to allow for compliance oversight and risk assessment.
System managers have the ability to implement message lifespans in order that messages are deleted from a user’s app after a predetermined period of time, and can remotely take back and delete any message that may be in breach of the healthcare group’s secure messaging policy.
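The controls described in the Security Rule specifications above (centrally allocated unique user identifiers, automatic log-off of idle sessions, a reviewable record of PHI use) and the secure-texting features just listed (confinement to the group's own network, message lifespans, remote recall by an administrator) can all be expressed as a small access-control model. The following is an added illustration written for this page; it is not code from any secure-texting vendor or platform the article describes. The timeout and lifespan values are assumed policy settings, the clock is passed in as a number so the model runs offline, and encryption of the stored message bodies is left out to keep the focus on session and audit behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Policy values are assumptions for this illustration, not figures from the article.
IDLE_TIMEOUT_SECONDS = 300            # automatic log-off after 5 minutes without activity
MESSAGE_LIFESPAN_SECONDS = 24 * 3600  # messages deleted from the app after 24 hours


@dataclass
class Session:
    user_id: str           # the centrally allocated "Unique User Identifier"
    last_activity: float   # clock reading (seconds) of the user's last action


@dataclass
class Message:
    msg_id: int
    sender_id: str
    recipient_id: str
    body: str              # PHI payload; a real system would store this encrypted at rest
    sent_at: float
    recalled: bool = False


class SecureMessagingService:
    """In-memory model of a private messaging network with HIPAA-style controls."""

    def __init__(self) -> None:
        self.directory: Dict[str, str] = {}   # unique user id -> display name
        self.locked: Set[str] = set()         # ids an admin has locked out
        self.sessions: Dict[str, Session] = {}
        self.messages: List[Message] = []
        self.audit_log: List[dict] = []       # every PHI-relevant event, keyed by user id
        self._next_id = 1

    def _audit(self, now: float, user_id: str, event: str, detail: str = "") -> None:
        self.audit_log.append({"time": now, "user": user_id, "event": event, "detail": detail})

    # Central allocation of unique user identifiers
    def enroll(self, user_id: str, name: str) -> None:
        if user_id in self.directory:
            raise ValueError(f"identifier {user_id!r} already allocated")
        self.directory[user_id] = name

    def lock(self, admin_id: str, user_id: str, now: float) -> None:
        """Admin revokes a user's access (the article's 'PIN-lock'); any live session is dropped."""
        self.locked.add(user_id)
        self.sessions.pop(user_id, None)
        self._audit(now, admin_id, "lock_user", user_id)

    # Sessions with automatic log-off
    def login(self, user_id: str, now: float) -> bool:
        if user_id not in self.directory or user_id in self.locked:
            self._audit(now, user_id, "login_denied")
            return False
        self.sessions[user_id] = Session(user_id, now)
        self._audit(now, user_id, "login")
        return True

    def _active_session(self, user_id: str, now: float) -> Optional[Session]:
        """Return the live session, or log the user off automatically if it has gone idle."""
        session = self.sessions.get(user_id)
        if session is None:
            return None
        idle = now - session.last_activity
        if idle > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._audit(now, user_id, "auto_logoff", f"idle for {idle:.0f}s")
            return None
        session.last_activity = now
        return session

    # Messaging with lifespans and remote recall
    def send(self, sender_id: str, recipient_id: str, body: str, now: float) -> Optional[int]:
        if self._active_session(sender_id, now) is None:
            return None
        if recipient_id not in self.directory:
            # PHI never leaves the group's network: unknown recipients are refused
            self._audit(now, sender_id, "send_refused", f"recipient {recipient_id!r} not enrolled")
            return None
        msg = Message(self._next_id, sender_id, recipient_id, body, now)
        self._next_id += 1
        self.messages.append(msg)
        self._audit(now, sender_id, "send", f"msg {msg.msg_id} -> {recipient_id}")
        return msg.msg_id

    def purge_expired(self, now: float) -> int:
        """Delete messages past their lifespan; returns how many were removed."""
        before = len(self.messages)
        self.messages = [m for m in self.messages if now - m.sent_at <= MESSAGE_LIFESPAN_SECONDS]
        return before - len(self.messages)

    def inbox(self, user_id: str, now: float) -> Optional[List[str]]:
        """Message bodies visible to the user, or None if there is no live session."""
        if self._active_session(user_id, now) is None:
            return None
        self.purge_expired(now)
        visible = [m for m in self.messages if m.recipient_id == user_id and not m.recalled]
        self._audit(now, user_id, "read", f"{len(visible)} message(s)")
        return [m.body for m in visible]

    def recall(self, admin_id: str, msg_id: int, now: float) -> bool:
        """Remotely withdraw a message that breaches the group's messaging policy."""
        for m in self.messages:
            if m.msg_id == msg_id:
                m.recalled = True
                self._audit(now, admin_id, "recall", f"msg {msg_id}")
                return True
        return False

    def events_for(self, user_id: str) -> List[str]:
        """One user's activity, as a compliance officer would review it in a risk assessment."""
        return [e["event"] for e in self.audit_log if e["user"] == user_id]
```

Two design points matter for review: every state change is written to the audit log under the unique user identifier that performed it, so the log answers "who touched PHI and when" without consulting the message store; and the idle check runs on every access rather than on a background timer, so a device picked up after the timeout is refused and the refusal itself is recorded as an `auto_logoff` event.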
The Correct Technology to Comply with HIPAA has its Benefits
The appropriate implementation of technology and HIPAA compliance has its benefits. In medical centers where secure texting solutions have been put in place, healthcare groups have reported an acceleration of the communications cycle, leading to streamlined work processes, improved productivity and enhanced patient satisfaction.
In most cases these advantages are due to features such as delivery alerts and read receipts substantially reducing the amount of time medical experts spend making follow-up calls or waiting for an answer to their messages ("phone tag"). Specific areas that have benefitted from the introduction of technology to comply with HIPAA include:
- On-call physicians, first responders and community nurses can share private health information on the go using secure texting.
- Pictures, documents and videos can be sent with secure text messages, which can then be used at a distance to complete accurate diagnoses.
- Secure texting can be used to streamline the administration of hospital admissions and discharges, greatly cutting patient wait times.
- Activity reports make risk assessments much easier, and when linked with an EHR, secure texting also allows healthcare groups to meet the obligations for patient electronic access under Stage 2 of the Meaningful Use incentive program.
In Conclusion: The Implementation of Technology and HIPAA Compliance
When done in the proper fashion, the implementation of technology and HIPAA compliance can be extremely beneficial to a healthcare group. Secure texting solutions are simple to implement, requiring no new spending on hardware or on a group's IT resources.
The secure texting apps work in a similar fashion to commercial messaging apps (aside from the automatic log-offs), so it will not be necessary to use administrative resources to conduct HIPAA training for specific technologies, although it will be necessary to designate communications security personnel to develop secure texting policies and to manage compliance.
Although the technology to comply with HIPAA will not by itself make a healthcare group fully compliant with the requirements of the Health Insurance Portability and Accountability Act (other measures need to be implemented to ensure full compliance), the use of the proper technology will enable a healthcare group to meet the administrative, physical and technical requirements of the HIPAA Security Act, something that many other forms of communication fail to achieve.