Today, most healthcare professionals have turned to using their mobile devices for connecting to the healthcare networks in order to collaborate on matters regarding patient care. It is, therefore, very important for these devices and other technology, in general, to have security protections in order to comply with HIPAA. There are also some forms of communication that are not compliant with HIPAA and should not be used with electronically protected health information. Some of these forms of communication include email, Skype, and SMS. When using Skype and emails, copies of your messages are normally left on the servers of these service providers, where a healthcare organization may have no control over it.
According to the HIPAA security rule, there is a series of specifications required for technology before it can be used in creating, storing, receiving or transmitting electronically protected health information (ePHI). The following are some of the specifications required for technology to comply with HIPAA:
- The use of any technology must have an automatic log off to prevent unauthorized access to PHI when a mobile device is left unattended (this also applies to desktop computers).
- All Protected Health Information (PHI) must be encrypted at rest and in transit.
- Each medical professional authorized to access and communicate PHI must have a “Unique User Identifier” so that their use of PHI can be monitored.
Using these three specifications, we can look into some of the reasons as to why modern technology may not be HIPAA compliant.
Tracking of Authorized Users
Whichever method a healthcare organization decides to use for technology and HIPAA compliance, a system of monitoring the access and use of ePHI is required. In addition to ensuring that authorized users comply with the secure messaging policy (which is a requirement of the HIPAA administrative safeguards), this system also helps when conducting risk assessments (also a requirement of the HIPAA audit protocol).
To be able to keep track of the use and access to PHI, there must exist a process where every authorized user is allocated a unique user identifier which is to be used for logging in order to gain access to PHI. This unique identifier is to be centrally issued, which will make it possible for the administrators to PIN-lock the user’s access to PHI whenever a need to do so arises.
Encryption Concerns
Encryption is a very important factor to be considered when looking to be HIPAA compliant. This is because if a breach of PHI happens to take place, any data acquired will end up being unusable. There are some methods that are used to encrypt messages shared via SMS, email, and Skype. Their downside is that everyone within the healthcare organization must be connected to the same operating system and have the same encryption/decryption software for this mechanism to be effective. Also, some service providers tend to have access to the PHI copied onto their serves. Even if this information is encrypted, it will still be required for the service providers to enter into a Business Associate Agreement in order for them to be accountable for the confidentiality of the encrypted information; a thing that most of them will be reluctant to do.
Use of Automated Log Offs
Automatic logoffs also important security feature required for HIPAA compliance. A number of commercially available text messaging applications have a logoff function, but it is believed that most people do not use it. This function will guarantee you that in case your computer or mobile device is left unattended to for some time; you will automatically be disconnected in order to prevent any unauthorized 3rd parties from accessing the PHI.
The above-discussed security aspects are only part of HIPAA requirements. In order to completely secure communications, other controls will be required to be implemented. For any technology to be considered compliant with HIPAA, it must have end-to-end security of communications and also have other measures in place to prevent accidental ePHI exposure and unauthorized access.
Other Messaging Options for Healthcare Providers
Secure texting platform is one messaging solution that healthcare providers can use in order to guarantee HIPAA compliance. This platform gives medics a chance to benefit from the speed and ease of using their mobile devices because it restricts their PHI communications to a private, closed, group. Any authorized users can gain access to the network by use of secure texting apps that are available for download.
There also exists safeguards that are used in preventing the transmission of PHI outside the healthcare organization’s networks, and stops the copying, pasting or saving of PHI to external hard disks. Every activity is usually monitored by a cloud-based “software-as-a-service” which produces activity reports that are used for audits.
Message life spans can also be set by the system administrators in order for the messages to be removed from a user’s application after a specified period of time. The messages can also be remotely removed in case a device is reported to have been stolen, or the user’s access rights to PHI are revoked.
The Benefits Of Using Technology And HIPAA Compliance
- Secure texting may be employed in order to improve the process of carrying out hospital admissions and discharges. This, in turn, ends up minimizing patient wait times.
- It is possible to link and have access to files, videos, and photos remotely in order for the medics to make diagnoses.
- Activity reports ensure that risk assessments are simplified, and when incorporated into an HER, secure texting also plays an important role in helping the healthcare organizations to meet the requirements for patient electronic access under stage 2 of the Meaningful Use incentive program.
- Emergency responders, on-call doctors, and local community nurses can communicate PHI on the go by the use of secure texting.