In 1996, the federal government enacted HIPAA, the Health Insurance Portability and Accountability Act. HIPAA is a federal law that requires national standards to protect sensitive patient health information from being disclosed without the patient's consent. Anyone who works in healthcare is familiar with HIPAA requirements, because they reach into virtually every aspect of a medical practice or facility. A HIPAA compliance measure can be as simple as a rule that a patient folder is never left unattended on a desk, or as involved as designing a hardened telecommunications network.
HIPAA has existed for more than 25 years, but as clinicians began using personal mobile devices to communicate and collaborate about patients, new guidance was needed on how the Act applies to that technology. The Act therefore demands IT attention once again.
Many everyday communication channels are not HIPAA compliant. Insecure channels typically include SMS (text messages), consumer services such as Skype or FaceTime, and ordinary email. The problem is that copies of the messages remain on the service providers' or carriers' servers, outside the medical facility's control and usually without a business associate agreement; SMS and ordinary email also travel without end-to-end encryption, so the facility can neither protect that sensitive information nor account for who has seen it.
The HIPAA Security Rule's technical safeguards set the specifications a messaging system must meet. These include:
- Protected Health Information (PHI) must be encrypted, both at rest and in transit between two parties. Encryption is essential to privacy: if a breach occurs, exfiltrated data that cannot be read is unusable to the attacker, and under the Breach Notification Rule a loss of properly encrypted PHI is generally not a reportable breach, provided the key was not compromised as well. The Security Rule formally lists encryption as an "addressable" specification rather than an absolute mandate, but in practice it is expected wherever it is reasonable, which for messaging is everywhere. SMS, Skype-type services and email can be encrypted, but doing so requires every participant to run compatible encryption software and manage keys consistently, which is hard to achieve across an organization and its outside contacts.
- Every user authorized to access or transmit PHI must be assigned a "Unique User Identifier" so that their use of PHI can be tracked. Whatever technology an organization chooses, it must control access to PHI and log that access, so that administrators can verify that authorized users follow the secure messaging policy. Those audit records also feed the risk assessments that the HIPAA audit protocols require. Identifiers must be issued from a central system, so that an administrator can PIN-lock or revoke a user's access when necessary, for example when a device is lost or a staff member leaves.
- Any technology used to comply with HIPAA must provide automatic logoff, which ends the session after a period of inactivity so that an unattended mobile or desktop device cannot be used to reach PHI. Most commercial text-messaging, video-conferencing and Gmail-type services offer a manual logoff, but many people never use it. Because HIPAA requires client data to be protected regardless, the session itself must time out, so that an unattended device is disconnected before a third party can use it.
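What these three safeguards look like in code, as an added example that is not part of the original page or of any Alliance IT product: a small in-memory message store written for this page. It seals each message with AES-256-GCM before anything reaches storage, issues unique user identifiers centrally with an audit trail and an administrative lock, and logs a session off once it has been idle longer than a configured limit. The class name, the idle limit, the sample patient message and the 32-byte key are assumptions for the demo; in a deployment the key would come from a key-management service, not a local variable.

```ruby
require 'openssl'
require 'securerandom'
require 'time'

# Constructed illustration of three Security Rule technical safeguards, not a
# product: PHI sealed with AES-256-GCM before it touches storage, centrally
# issued unique user identifiers with an audit trail and an administrative
# lock, and automatic logoff after an idle period. The idle limit is an
# assumption for the demo; HIPAA prescribes no specific number.
class PhiStore
  NONCE_LEN = 12 # GCM standard nonce size
  TAG_LEN = 16   # GCM authentication tag size

  attr_reader :messages, :audit

  # key: 32 random bytes (in production from a KMS/HSM, never a literal)
  # clock: injectable so the idle timeout can be exercised deterministically
  def initialize(key, idle_seconds:, clock: -> { Time.now })
    raise ArgumentError, 'AES-256-GCM needs a 32-byte key' unless key.bytesize == 32

    @key = key
    @idle = idle_seconds
    @clock = clock
    @locked = {}    # user id => locked by an administrator?
    @sessions = {}  # session token => user id
    @last_seen = {} # session token => time of last authorized request
    @messages = []  # nonce || ciphertext || tag; plaintext is never stored
    @audit = []     # "time user action" lines that feed risk assessments
  end

  # Unique user identifier issued from the central system.
  def provision
    id = "u-#{SecureRandom.hex(8)}"
    @locked[id] = false
    log(id, 'provision')
    id
  end

  # Administrative lock; authorize ends the user's sessions on their next request.
  def lock(user_id)
    @locked[user_id] = true
    log(user_id, 'lock')
  end

  def login(user_id)
    raise 'unknown or locked user' if @locked[user_id].nil? || @locked[user_id]

    tok = SecureRandom.hex(16)
    @sessions[tok] = user_id
    @last_seen[tok] = @clock.call
    log(user_id, 'login')
    tok
  end

  # Encrypt under a fresh random nonce and keep only the sealed blob. Returns its index.
  def send_message(tok, phi)
    uid = authorize(tok)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    nonce = cipher.random_iv
    ciphertext = cipher.update(phi) + cipher.final
    @messages << nonce + ciphertext + cipher.auth_tag
    log(uid, 'send')
    @messages.size - 1
  end

  # Decrypt message idx; OpenSSL raises if the tag (and so the ciphertext) was altered.
  def read(tok, idx)
    uid = authorize(tok)
    blob = @messages.fetch(idx)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = blob[0, NONCE_LEN]
    cipher.auth_tag = blob[-TAG_LEN, TAG_LEN]
    plain = cipher.update(blob[NONCE_LEN...-TAG_LEN]) + cipher.final
    log(uid, 'read')
    plain.force_encoding(Encoding::UTF_8)
  end

  private

  # Every request passes here: idle sessions and locked users are logged off.
  def authorize(tok)
    uid = @sessions[tok]
    raise 'no session' unless uid

    if @clock.call - @last_seen[tok] > @idle || @locked[uid]
      @sessions.delete(tok)
      @last_seen.delete(tok)
      log(uid, 'auto-logoff')
      raise 'session ended: idle timeout or administrative lock'
    end
    @last_seen[tok] = @clock.call
    uid
  end

  def log(uid, action)
    @audit << "#{@clock.call.getutc.iso8601} #{uid} #{action}"
  end
end
```

Usage: store = PhiStore.new(OpenSSL::Random.random_bytes(32), idle_seconds: 600); id = store.provision; tok = store.login(id); idx = store.send_message(tok, 'constructed sample PHI'); store.read(tok, idx). A read after more than 600 seconds of inactivity raises and writes an auto-logoff line to store.audit, a flipped byte in store.messages[idx] makes the read fail on the GCM tag instead of returning corrupted PHI, and locking the user ends their session on its next request. The design choice worth copying is that the timeout and lock checks live in authorize, which every request passes through, so a locked user is cut off even while holding a live token rather than only at the next login.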
Benefits of the Right Technology
Medical facilities that have integrated secure texting solutions not only meet these HIPAA safeguards, but report many other benefits, including:
- An accelerated and streamlined communications cycle
- Improved productivity and patient satisfaction
- On-call physicians, first responders and community nurses can communicate PHI more easily
- Images, documents and videos can be attached to secure text messages
- Hospital admissions and discharge wait times are significantly streamlined for patients
- Activity reports make risk assessments easier to carry out and gaps easier to identify
HIPAA Compliance Through Technology?
Unfortunately, implementing the right technology at your medical facility will not by itself produce comprehensive, facility-wide HIPAA compliance; policies, training and physical controls still matter. However, integrating appropriate technology lets a healthcare organization meet most of the administrative, physical, and technical requirements of the HIPAA Security Rule.
Do you need more help? Alliance IT works specifically with HIPAA compliance professionals to help structure a technology environment that is both productive and compliant. Call today to learn more about how we can help.