Why Modern Technology May Not be HIPAA Compliant
A lot of healthcare professionals today use their mobile devices to connect to healthcare networks and collaborate about patient care. Mobile devices and other technology used by healthcare providers must contain security protections in order to comply with HIPAA, although even with security protections in place, some devices and technologies may still not be HIPAA-compliant.
Some forms of commonly-used communication methods are not compliant with HIPAA Rules and must not be used in connection with electronic protected health information (ePHI). SMS, Skype, and email are channels of communication that are considered insecure because the service providers’ servers retain copies of the messages and healthcare organizations have no control over them or that data.
The HIPAA Security Rule requires safeguards to be implemented before technology can be used to create, store, receive, or transmit ePHI. These consist of:
- Encryption for all ePHI at rest or in transit, or an alternative, equivalent measure to be implemented in place of encryption.
- Every medical professional permitted to access and disclose ePHI should have a “Unique User Identifier” to facilitate the monitoring of ePHI usage.
- Any technology used to access ePHI should have an automatic sign-off, so that if a device is left unattended, unauthorized persons cannot reach the ePHI.
There are many more HIPAA requirements relating to the use of technology, although this article is concerned with the above three requirements and explores why modern technology might not be HIPAA compliant.
Concerns with Encryption
Encryption is very important. If there is a breach, such as a hack, the data stored on compromised systems will be unreadable, undecipherable and unusable. Even though there are mechanisms for encrypting messages sent through SMS, Skype, and email, all users within a healthcare organization need to use an identical operating system and encryption/decryption software program in order for these mechanisms to work. Not all forms of encryption are the same. End-to-end encryption is necessary, and the method used should meet NIST standards.
Aside from this concern, service providers like Verizon, Google and Skype could access a copy of the ePHI sent through these communication channels because messages are stored on their servers. Even if the information is encrypted, it would still be necessary for providers to enter into a Business Associate Agreement so that they would be accountable for the confidentiality of the encrypted information.
Tracking Authorized Users
Whatever mechanism a healthcare organization chooses for HIPAA compliance with technology, a system for monitoring the access and use of ePHI is required, as specified in the HIPAA administrative requirements.
To keep track of the access and use of ePHI, there should be a process where every authorized user is given a unique user identifier which must be used for logging in before access is gained to ePHI. This unique user identifier should be centrally provided, in order that admins can PIN-lock the user’s access to PHI if needed.
Auto Log Offs
Automatic log offs are a security feature necessary for HIPAA compliance. The majority of commercially available text-messaging applications have a log off function, but do people use them? The automatic log off function guarantees that in case a mobile device or desktop computer is left unattended, the user will be automatically disconnected to stop unauthorized third parties from accessing PHI.
These three aspects of security are only part of the HIPAA requirements. Other controls are required to secure communications and the applications used, and organizations should incorporate further safety measures to prevent accidental ePHI exposure and unauthorized access.
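The following is an added example, not code from the article or from any HIPAA text, showing how the three safeguards above fit together in a small ePHI access gateway: a centrally managed unique user identifier that an administrator can lock, an audit trail of every access attempt, and automatic log-off after an idle period. The user IDs, patient records and the idle timeout are constructed for illustration; the controllable clock exists only so the idle timeout can be exercised without waiting.

```python
import time
from dataclasses import dataclass

# Constructed sample data (not real people or records): a central user directory
# keyed by unique user identifier, and a toy record store standing in for an EHR.
USER_DIRECTORY = {
    "dr-smith-0042": {"name": "Dr. A. Smith", "enabled": True},
    "rn-jones-0117": {"name": "Nurse B. Jones", "enabled": True},
}
RECORDS = {
    "P-1001": {"patient": "Patient One", "note": "constructed sample note"},
}


class ManualClock:
    """Controllable clock so the idle timeout can be tested without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Session:
    user_id: str
    last_activity: float
    active: bool = True


class EphiAccessController:
    """Gateway in front of ePHI: unique IDs, audit log, automatic log-off."""

    def __init__(self, directory, idle_timeout=15 * 60, clock=time.time):
        # Copy so a locked ID in one controller does not leak into another instance.
        self.directory = {uid: dict(entry) for uid, entry in directory.items()}
        self.idle_timeout = idle_timeout  # seconds of inactivity before log-off (assumed value)
        self.clock = clock
        self.sessions = {}
        self.audit_log = []

    def _log(self, user_id, event, detail=""):
        self.audit_log.append(
            {"ts": self.clock(), "user_id": user_id, "event": event, "detail": detail})

    def login(self, user_id):
        entry = self.directory.get(user_id)
        if entry is None or not entry["enabled"]:
            self._log(user_id, "LOGIN_DENIED")
            return False
        self.sessions[user_id] = Session(user_id, self.clock())
        self._log(user_id, "LOGIN")
        return True

    def logoff(self, user_id):
        session = self.sessions.get(user_id)
        if session and session.active:
            session.active = False
            self._log(user_id, "LOGOFF")

    def lock_user(self, user_id):
        """Central admin action: disable the ID; a live session ends on its next use."""
        if user_id in self.directory:
            self.directory[user_id]["enabled"] = False
            self._log(user_id, "USER_LOCKED")

    def _session_is_valid(self, user_id):
        session = self.sessions.get(user_id)
        if session is None or not session.active:
            return False
        if self.clock() - session.last_activity > self.idle_timeout:
            session.active = False            # automatic log-off on an unattended device
            self._log(user_id, "AUTO_LOGOFF")
            return False
        if not self.directory.get(user_id, {}).get("enabled", False):
            session.active = False            # ID was locked centrally after login
            self._log(user_id, "ACCESS_REVOKED")
            return False
        session.last_activity = self.clock()  # activity resets the idle timer
        return True

    def read_record(self, user_id, patient_id):
        """Every attempt, allowed or not, is written to the audit trail under the user's ID."""
        if not self._session_is_valid(user_id):
            self._log(user_id, "ACCESS_DENIED", patient_id)
            return None
        self._log(user_id, "RECORD_READ", patient_id)
        return RECORDS.get(patient_id)

    def events(self):
        return [entry["event"] for entry in self.audit_log]


def demo():
    """Log in, read a record, go idle past the timeout, and try again."""
    clock = ManualClock(1000.0)
    ctl = EphiAccessController(USER_DIRECTORY, idle_timeout=60, clock=clock.now)
    ctl.login("dr-smith-0042")
    ctl.read_record("dr-smith-0042", "P-1001")
    clock.advance(61)
    ctl.read_record("dr-smith-0042", "P-1001")
    return ctl


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The audit log is keyed by the unique user identifier rather than a device or shared account, which is what makes the monitoring requirement workable; the idle check runs before the activity timestamp is refreshed, otherwise a request arriving after the timeout would silently extend the session.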
Messaging Options for Healthcare Providers
One messaging solution that healthcare organizations can use to ensure HIPAA compliance is a secure texting platform. Secure texting allows physicians to benefit from the speed and ease of using mobile devices, yet the platform restricts their ePHI communications to a private, closed group.
Authorized users connect to the network using a secure texting application that can be installed in any mobile device or desktop PC, regardless of operating system. The applications link authorized users to each other and allow images, files and videos to be shared securely.
Safeguards are incorporated to prevent the transmission of PHI outside the healthcare organization’s network, and to stop the copying, pasting or saving of PHI to an external hard disk. A cloud-based “Software-as-a-Service” platform monitors users’ activities and produces activity reports for audits.
System administrators can set message lifespans that remove messages from a user’s application after a certain time period, and can remotely withdraw and remove any message in case a device is lost or stolen, or the user’s access rights to PHI are revoked.
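As an added example, not code from the article or from any secure-texting vendor, the store below models the controls described in the two paragraphs above: messages can only be sent between members of a closed group, each message carries a lifespan after which the recipient's application no longer displays it, an administrator can withdraw a single message, and a lost device or revoked user can be wiped remotely. Member IDs, the lifespan and the message text are constructed; the clock is injected so expiry can be tested deterministically.

```python
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str
    sent_at: float
    expires_at: float
    withdrawn: bool = False


class SecureMessageStore:
    """Closed-group message store with lifespans and remote withdrawal."""

    def __init__(self, members, lifespan_seconds, clock):
        self.members = set(members)      # only these unique user IDs may send or receive
        self.lifespan = lifespan_seconds  # assumed retention period for every message
        self.clock = clock
        self.messages = {}
        self.next_id = 1
        self.audit = []                   # feeds the activity reports used for audits

    def send(self, sender, recipient, body):
        # Safeguard: PHI never leaves the organization's closed group.
        if sender not in self.members or recipient not in self.members:
            self.audit.append(("BLOCKED_EXTERNAL", sender, recipient))
            return None
        now = self.clock()
        msg = Message(self.next_id, sender, recipient, body, now, now + self.lifespan)
        self.messages[msg.msg_id] = msg
        self.next_id += 1
        self.audit.append(("SENT", sender, msg.msg_id))
        return msg.msg_id

    def inbox(self, user_id):
        """What the user's application is allowed to display right now."""
        now = self.clock()
        return [m for m in self.messages.values()
                if m.recipient == user_id and not m.withdrawn and now < m.expires_at]

    def withdraw(self, msg_id, admin_id):
        """Administrator removes one message from every device."""
        msg = self.messages.get(msg_id)
        if msg is None:
            return False
        msg.withdrawn = True
        self.audit.append(("WITHDRAWN", admin_id, msg_id))
        return True

    def wipe_user(self, user_id, admin_id, reason):
        """Device lost or stolen, or access revoked: withdraw everything the user sent or
        received and drop them from the group. Returns the number of messages withdrawn."""
        count = 0
        for msg in self.messages.values():
            if (msg.recipient == user_id or msg.sender == user_id) and not msg.withdrawn:
                msg.withdrawn = True
                count += 1
        self.members.discard(user_id)
        self.audit.append(("WIPED", admin_id, user_id, reason, count))
        return count

    def purge_expired(self):
        """Housekeeping: delete messages whose lifespan has passed."""
        now = self.clock()
        expired = [i for i, m in self.messages.items() if now >= m.expires_at]
        for i in expired:
            del self.messages[i]
        return len(expired)


if __name__ == "__main__":
    t = {"now": 100.0}   # injected clock for the demo
    store = SecureMessageStore(["dr-smith-0042", "rn-jones-0117"], 3600, lambda: t["now"])
    store.send("dr-smith-0042", "rn-jones-0117", "constructed: P-1001 ready for discharge")
    print(len(store.inbox("rn-jones-0117")), "message(s) visible")
    t["now"] += 3600
    print(len(store.inbox("rn-jones-0117")), "message(s) visible after lifespan")
    print(store.audit)
```

Expiry is enforced at display time in `inbox` and only later cleaned up by `purge_expired`, so a device that is offline when the lifespan passes still hides the message as soon as it reconnects; the withdrawn flag works the same way, which is what lets an administrator act after a device has already been lost.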
Advantages of Using Technology and HIPAA Compliance
Healthcare facilities that use secure texting solutions benefit from faster communications, streamlined workflows, enhanced productivity, and they can even improve patient outcomes.
Principally, these benefits are because of features such as delivery notifications and read receipts which reduce the length of time healthcare professionals spend on follow-up phone calls and waiting for a response to their messages. Particular areas which have benefited from utilizing technology that complies with HIPAA include:
- On-call doctors, emergency responders and local community nurses can access patient information on the move and during in-home visits.
- Photos, files and videos may be linked to secure text messages and accessed remotely to help make diagnoses.
- Secure texting may be employed to improve the process of administering hospital admissions and discharges – considerably minimizing patient wait times.
- Activity reports make risk assessments simple and, when incorporated into an EHR, secure texting platforms allow healthcare organizations to satisfy the prerequisites for patient electronic access under the Meaningful Use (Stage 2) incentive program.
Closing Thoughts on Using Technology and HIPAA Compliance
If used properly, technology can be HIPAA compliant and can offer tremendous benefits to healthcare providers. Secure texting solutions are simple to use and require no investment in new IT equipment.
Secure texting applications work in the same way as commercially available messaging programs but have the added protections to make them HIPAA compliant. Since most people are familiar with the style of messaging, and the platforms are intuitive, there is no need to provide extensive training on their use.
Using technology that complies with HIPAA is not going to make a healthcare organization totally compliant with the prerequisites of the Health Insurance Portability and Accountability Act because other steps must be taken, but use of appropriate technology will allow a healthcare organization to meet the requirements of the physical, administrative, and technical provisions of the HIPAA Security Rule.