How Can I Use Technology in a HIPAA Compliant Manner?


The evolution of technology has made life easier and easier for professionals in the healthcare sector. In tandem with this growth, however, has grown the importance of ensuring that the protected health information (PHI) being sent is secure and is handled in a manner that complies with HIPAA legislation.

The use of devices such as smartphones, tablets, laptop computers and handheld devices to communicate with patients means it must always be considered whether the device is being used in a HIPAA compliant way.

There is a lot to consider, as many communication channels, including SMS and consumer services such as Skype, are not HIPAA compliant. This is because copies of the messages that are sent are held on the service providers’ servers, and the healthcare group that sent them has no control over that data.

The HIPAA Security Rule lists a number of conditions that must be in place for technology to be HIPAA compliant. These conditions include:

1. HIPAA & Encryption

There must be encryption of all Protected Health Information (PHI) while in transit (in the Security Rule this is an “addressable” specification, meaning it must be implemented or a documented equivalent alternative put in place). This is vital because, if PHI is intercepted or a breach occurs, the encrypted data will be unreadable, undecipherable and unusable by anyone who captures it.

For this to be in place on SMS, Skype or email, the sender and every recipient must be using compatible encryption software (the same scheme and a way to exchange keys). These channels do not provide that themselves, so in practice every user within a healthcare group must be running the same encryption/decryption tool before the channel can be used in compliance with HIPAA.

There is also an issue if the service provider can access the PHI copied onto its servers. Even though the data is encrypted, the provider is storing PHI and would need to sign a HIPAA Business Associate Agreement, which makes it responsible for the safety of that data and subject to the potential HIPAA breach penalties. Not all service providers are willing to do this.

2. Reviewing Authorized Users

A “Unique User Identifier” must be allocated to every person authorized to access and communicate PHI, so that each user’s handling of PHI can be traced and monitored. This makes it possible to verify that authorized users are adhering to the secure messaging policies (a requirement of the HIPAA administrative safeguards) and to carry out risk assessments (checked under the HIPAA audit protocol). Shared or generic accounts defeat this, because actions can no longer be attributed to one person.

The unique user identifier must be centrally allocated, so that network managers can lock or revoke the user’s access to PHI if necessary, for example when a device is lost or a member of staff leaves.

3. Automatically Logging Off

There must be an automatic log off on any technology being used (another addressable specification of the Security Rule). The vast majority of commercially available text-messaging apps include a log-off feature, but it must be enabled and the idle timeout set. This means that, if a mobile device or desktop computer is left unattended, the user is logged out of the service after a period of inactivity, which stops unauthorized access to PHI by a third party.

Healthcare Messaging Solutions for Groups

Secure messaging is one sure and safe way for healthcare groups to exchange PHI. It operates much like normal messaging, but everything takes place within a private communications network designed for HIPAA compliance.

This can be implemented by authorized users on any mobile device or desktop computer. The apps connect listed authorized users with each other and support the sending of images, documents and videos.

PHI is prevented from being shared, accessed or downloaded outside the healthcare group’s network. All activity is monitored by a cloud-based Software-as-a-Service platform that produces activity reports and audit logs to permit compliance oversight and risk assessment.

System managers can set message lifespans so that messages are removed from a user’s app after a set length of time, and can remotely recall and erase any message that may be in breach of the healthcare group’s secure messaging policy.
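To make the controls in sections 2 and 3 and the message lifespan/recall behaviour above concrete, here is a small Python model of a secure messaging service. It is an added example written for this page, not code from the original article or from any vendor’s product; the timeout and lifespan values, the identifier format and the audit record layout are assumptions chosen for illustration. Timestamps are passed in explicitly rather than read from the clock so the behaviour is deterministic.

```python
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request is refused; the reason is also written to the audit log."""


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    body: str
    expires_at: float        # unix time after which the message is purged
    recalled: bool = False   # set by an administrator's remote recall


class SecureMessagingService:
    """Constructed model of the controls listed above: centrally allocated unique
    user identifiers, idle-timeout auto-logoff, message lifespans, remote recall,
    and an audit trail. Times are unix timestamps supplied by the caller."""

    def __init__(self, idle_timeout=600, message_lifespan=86400):
        self.idle_timeout = idle_timeout           # seconds before auto-logoff (assumed)
        self.message_lifespan = message_lifespan   # seconds a message stays readable (assumed)
        self.users = {}      # uid -> {"name": ..., "active": bool}
        self.sessions = {}   # session token -> {"uid": ..., "last_seen": float}
        self.messages = {}   # msg_id -> Message
        self.audit = []      # (time, event, details) for compliance review

    def _log(self, now, event, **details):
        self.audit.append((now, event, details))

    # --- 2. Unique user identifiers, allocated centrally -------------------
    def enroll(self, name, now):
        """Allocate a random, never-reused identifier. Names are not used as IDs
        because two clinicians can share a name and names are guessable."""
        while (uid := "u-" + secrets.token_hex(4)) in self.users:
            pass
        self.users[uid] = {"name": name, "active": True}
        self._log(now, "enroll", uid=uid)
        return uid

    def revoke(self, uid, now):
        """Central lock-out: the user can no longer log in and any live session dies."""
        self.users[uid]["active"] = False
        for token in [t for t, s in self.sessions.items() if s["uid"] == uid]:
            del self.sessions[token]
        self._log(now, "revoke", uid=uid)

    def login(self, uid, now):
        if not self.users.get(uid, {}).get("active"):
            self._log(now, "login_denied", uid=uid)
            raise AccessDenied("unknown or revoked user")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"uid": uid, "last_seen": now}
        self._log(now, "login", uid=uid)
        return token

    # --- 3. Automatic logoff after inactivity ------------------------------
    def _authenticate(self, token, now):
        """Every PHI access passes through here. An idle session is discarded
        before it can be used, which is what 'automatic logoff' means in code."""
        session = self.sessions.get(token)
        if session is None:
            raise AccessDenied("no such session")
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            self._log(now, "auto_logoff", uid=session["uid"])
            raise AccessDenied("session expired; log in again")
        session["last_seen"] = now
        return session["uid"]

    # --- Message lifespans and remote recall -------------------------------
    def send(self, token, recipient, body, now):
        sender = self._authenticate(token, now)
        if not self.users.get(recipient, {}).get("active"):
            self._log(now, "send_denied", uid=sender, recipient=recipient)
            raise AccessDenied("recipient is not an authorized user")
        msg_id = secrets.token_hex(8)
        self.messages[msg_id] = Message(msg_id, sender, recipient, body,
                                        expires_at=now + self.message_lifespan)
        self._log(now, "send", uid=sender, recipient=recipient, msg_id=msg_id)
        return msg_id

    def inbox(self, token, now):
        """Return the readable messages for the caller. Expired or recalled
        messages are purged from the store, not merely hidden from view."""
        uid = self._authenticate(token, now)
        for mid in [m for m, msg in self.messages.items()
                    if msg.recalled or msg.expires_at <= now]:
            self._log(now, "purge", msg_id=mid)
            del self.messages[mid]
        visible = [m for m in self.messages.values() if m.recipient == uid]
        self._log(now, "read", uid=uid, count=len(visible))
        return visible

    def recall(self, msg_id, now):
        """Administrator action: the message disappears at the next access."""
        self.messages[msg_id].recalled = True
        self._log(now, "recall", msg_id=msg_id)
```

Two design points are worth noting. Every operation that touches PHI goes through `_authenticate`, so the idle check cannot be bypassed by a code path that forgets it, and every allow or deny decision is written to the audit list under the user’s unique identifier, which is what later makes the activity reports and risk assessment possible.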

If technology is used to communicate PHI with patients in a HIPAA compliant fashion, the group will be adhering to the administrative, physical and technical requirements of the HIPAA Security Rule. However, the technology will not automatically make the group or organization 100% compliant with the requirements of the Health Insurance Portability and Accountability Act. For that, other steps need to be taken that we have discussed, or will discuss, elsewhere in this section.