Messenger™, also known as Facebook Messenger™, is a free instant messaging app developed in 2011 and available on desktop or mobile devices. Facebook Messenger™ allows users to send and exchange messages, photos, stickers, videos, audio, and files, in addition to supporting voice and video calls. In April of 2020 Messenger Rooms™ was launched, allowing users to video chat with up to 50 people without a time limit.
With the increased demand for telemedicine during the coronavirus pandemic, healthcare providers are seeking patient messaging solutions that are easy to integrate into their practice. Since Messenger™ is one of the leading messaging platforms in the US, many healthcare organizations are wondering whether it can be used for telemedicine. Providers might see Messenger™ as an easy and familiar way to reach patients: patients already use and know the app, so there is no need to introduce an entirely new platform.
While healthcare organizations are looking for quick and convenient turnkey solutions at this time, they should be cautious to avoid penalties and legal consequences. Implementing a video chat solution that isn’t HIPAA compliant can have serious ramifications for your practice and for the security of patient data.
For Facebook Messenger™ to be considered a HIPAA compliant telemedicine platform, it must fulfill all of the following requirements:
Employ end-to-end encryption
Implement access control
Enable audit controls
Sign a business associate agreement (BAA)
Is Facebook Messenger™ a HIPAA compliant video chat solution?
Below we assess whether Facebook Messenger™ meets the security and regulatory requirements to be considered HIPAA compliant.
Any solution that claims to be HIPAA compliant must encrypt data at all times (at rest and in transit) so PHI is not vulnerable to interception by third parties. Facebook Messenger™ does include an option to encrypt data, but users must opt in to this feature.
Facebook Messenger™ users aren’t required to provide login details each time they view messages in the app; therefore, the platform does not implement the proper access and authentication controls. If a device is stolen that contains the Messenger™ app, an unauthorized person will be able to access the PHI shared in the app without having to log in. Due to a lack of access controls, Facebook Messenger™ is not a HIPAA compliant telemedicine platform.
HIPAA-covered entities must ensure there is an audit trail. All information sent within Facebook Messenger™ would need to be stored with the ability to examine user activity within the app. It’s easy for users to delete messages; therefore, it would be difficult to maintain an audit trail on Facebook Messenger™. Due to a lack of audit controls, Facebook Messenger™ is not a HIPAA compliant video chat solution.
Business associate agreement
Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA, so Messenger™ is not a HIPAA compliant telemedicine platform.
What’s the verdict?
Facebook Messenger™ fails all four of the HIPAA requirements above and is not considered a HIPAA compliant telemedicine platform.
Founder and CEO of Bridge Patient Portal, and a health IT entrepreneur and business owner of 19 years with extensive experience in Healthcare IT. Specializing in Business Development, Software Development, Patient Portals, mHealth, Patient Engagement, HIPAA, Electronic Medical Records, Web Development, and Internet Marketing. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.
Healthcare organizations strive to provide the best patient engagement experience possible. To do this, many organizations resort to implementing piecemeal solutions to provide all the features patients demand today.
This patient engagement strategy may end up costing healthcare organizations and patients in the long run, as siloed patient engagement programs increase security and HIPAA compliance risks. Implementing a singular, consolidated patient engagement solution that includes in-demand features can mitigate security and compliance risks in multiple ways.
1. Respect Patient Communication Preferences
There are multiple ways a healthcare organization can communicate with their patient population. Any tools used to communicate with patients must respect a patient’s communication preferences.
Methods of communication can include the following:
IVR (Interactive Voice Response-based calls also support user-input responses like “Press 1 to confirm, or 2 to cancel your upcoming appointment.”)
Bidirectional patient text messaging (via a patient portal or mobile app)
To support the quality of care for patients, healthcare organizations should have correct patient engagement data such as contact details in addition to updated communication preferences. Providers can then more effectively reach patients and relay important information about their care, including appointment reminders, lab results, medical bills, and educational materials. Patients are more inclined to update their communication preferences and contact details on only one patient engagement platform, rather than performing the same task across multiple patient engagement systems used by the same healthcare organization.
Updated information within the healthcare organization should be shared with all patient engagement programs, including the organization’s source systems, such as Electronic Health Record (EHR), Revenue Cycle Management (RCM), and Practice Management (PM) systems. When using more than one software for patient engagement, healthcare organizations should ensure these systems can effectively communicate with each other so that any data updated within one system is shared with all other systems. If this integration is not in place, patient engagement data must be manually updated within all systems. Failure to honor a patient’s communication preferences may result in a HIPAA violation.
To be HIPAA compliant, healthcare organizations must conduct regular risk analyses covering all patient engagement software that interacts with electronic protected health information (ePHI). Risk analyses identify potential risks to the confidentiality, integrity, and availability of ePHI. Any risks and vulnerabilities identified must be mitigated to a reasonable and acceptable level to avoid penalties. It is easier to verify that one consolidated patient engagement solution is HIPAA compliant, and that its provider will sign a business associate agreement, than to do so for a mixture of fragmented tools. HIPAA also requires encryption at rest and in transit for all ePHI stored in or transmitted between your connected patient engagement programs.
3. Prevent Security Breaches
When a healthcare organization has multiple patient engagement programs connected to their source system (EHR, PM, RCM, LIS, RIS, etc.), they increase the risk of a security breach. This is due to the higher number of access points that have been opened for these systems. There is an increased risk of data becoming corrupt/damaged within the patient database as more software/systems are permitted to view and edit patient data. Managing one piece of software is more straightforward than ensuring multiple solutions are operating safely and securely. Furthermore, it’s easier to conduct a cybersecurity gap analysis within a centralized software solution.
Improve operational efficiencies, prioritize security and HIPAA compliance, and bolster patient satisfaction by consolidating your patient engagement solutions into a feature-rich, client-branded web application or mobile app. Bridge helps healthcare organizations streamline their business processes and enhance patient engagement with an all-in-one solution capable of retiring “one-off” tools.
Pablo architected and manages our HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting. He publishes a monthly cybersecurity newsletter which is shared with our clients.
Bridge Patient Portal provides Addiction Labs with a HIPAA compliant way for their patients to view COVID-19 test results.
Dallas, TX – October 21, 2020 – Bridge Patient Portal provides Addiction Labs with a means to quickly provide patients with their COVID-19 test results in a HIPAA compliant way. Addiction Labs lends its laboratory facilities to assist in COVID testing. Currently, patients nationwide are experiencing significant delays in receiving COVID test results, which undermines efforts to prevent further infections. One major factor contributing to these delays is ensuring that results are communicated in a HIPAA compliant way.
Once Addiction Labs processes the FDA EUA-approved PCR test, the patient receives an email stating that they can access their results through the portal. Patients then log in to the lab patient portal to view their results. No PHI (Protected Health Information) is sent via email; patients must confirm their identity before viewing their results, which keeps the process HIPAA compliant. Lab results are delivered to the patient portal as HL7 ORU (Observation Result) messages and populate the portal with a positive or negative result.
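The HL7 ORU feed described above, as an added example that is not Bridge’s or Addiction Labs’ code: it parses a constructed ORU^R01 message, keeps only the final (OBX-11 = F) observation, normalizes the lab’s wording to the portal’s POSITIVE/NEGATIVE values, rejects anything it cannot classify so the result is held for review, and checks that the “result available” email carries no PHI. Segment contents, codes and identifiers are all constructed for the example.

```python
import re
from datetime import datetime


class HL7Error(ValueError):
    """Raised when a message cannot be turned into a displayable result."""


# Constructed sample ORU^R01 (every identifier and code below is made up for this example).
SAMPLE_ORU = "\r".join([
    "MSH|^~\\&|LABSYS|EXAMPLELAB|PORTAL|EXAMPLECLINIC|20201021101500||ORU^R01|MSG000123|P|2.5.1",
    "PID|1||MRN-000777^^^EXAMPLECLINIC^MR||DOE^JANE||19800101|F",
    "OBR|1|ORD-5555||COVID19PCR^SARS-CoV-2 PCR^L|||20201019083000",
    "OBX|1|ST|COVID19PCR^SARS-CoV-2 PCR^L||Detected||||||F|||20201021100000",
])

# How the lab's result vocabulary maps onto the portal's positive/negative display values.
RESULT_MAP = {"detected": "POSITIVE", "positive": "POSITIVE",
              "not detected": "NEGATIVE", "negative": "NEGATIVE"}


def parse_segments(raw):
    """Split a v2 message into (component separator, {segment name: [fields...]}).

    Fields keep HL7's 1-based numbering (fields[0] is the segment name); MSH-1, the
    field separator, is re-inserted so MSH indexes line up with the specification."""
    lines = [line for line in re.split(r"\r\n|\r|\n", raw.strip()) if line]
    if not lines or not lines[0].startswith("MSH"):
        raise HL7Error("message must begin with an MSH segment")
    field_sep, comp_sep = lines[0][3], lines[0][4]
    segments = {}
    for line in lines:
        fields = line.split(field_sep)
        if fields[0] == "MSH":
            fields.insert(1, field_sep)
        segments.setdefault(fields[0], []).append(fields)
    return comp_sep, segments


def component(field, index, comp_sep="^"):
    """Return one ^-separated component of a field, or '' if it is absent."""
    parts = field.split(comp_sep)
    return parts[index] if index < len(parts) else ""


def extract_covid_result(raw):
    """Return the portal record for the final OBX, or raise HL7Error to hold it for review."""
    comp_sep, segs = parse_segments(raw)
    msh = segs["MSH"][0]
    if (component(msh[9], 0, comp_sep), component(msh[9], 1, comp_sep)) != ("ORU", "R01"):
        raise HL7Error("expected ORU^R01, got %r" % msh[9])
    if "PID" not in segs:
        raise HL7Error("no PID segment; cannot attribute the result to a patient")
    mrn = component(segs["PID"][0][3], 0, comp_sep)
    # OBX-11 is the observation result status: only F (final) results reach patients.
    finals = [f for f in segs.get("OBX", []) if len(f) > 11 and f[11] == "F"]
    if not finals:
        raise HL7Error("no final (OBX-11 = F) observation in message")
    obx = finals[-1]
    value = obx[5].strip()
    display = RESULT_MAP.get(value.lower())
    if display is None:
        raise HL7Error("unrecognized result value %r; hold for manual review" % value)
    # OBX-14 is the observation time; fall back to the MSH-7 message time if absent.
    observed = obx[14] if len(obx) > 14 and obx[14] else msh[7]
    return {
        "message_id": msh[10],
        "mrn": mrn,
        "test": component(obx[3], 1, comp_sep),
        "result": display,
        "observed_at": datetime.strptime(observed[:14], "%Y%m%d%H%M%S"),
    }


def build_notification():
    """Email text that tells the patient a result is waiting without carrying any PHI."""
    return ("A new lab result is available in your patient portal. "
            "Sign in and confirm your identity to view it.")


def leaks_phi(text, record, patient_name):
    """True if the text contains any identifier from the record or the result itself."""
    needles = [record["mrn"], record["test"], record["result"]] + patient_name.split("^")
    lowered = text.lower()
    return any(n and n.lower() in lowered for n in needles)
```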
“Bridge Patient Portal has provided our patients a quick, simplified method to obtain their COVID-19 results during the pandemic,” said Shannon Myers, Addiction Labs Operations director. “Prior to this technology, we had to manually encrypt every test result and send it to the patients individually by email, which could take hours to complete each day. This technology is truly a time saver and ensures our patients get their results as quickly as possible.”
About Bridge Patient Portal
Bridge Patient Portal is an enterprise patient portal and engagement solution that empowers patients with self-service tools to better manage their care. The Bridge Patient Portal platform is client-branded and ideal for health organizations seeking to replace their existing EHR portals or connect to disparate EHR environments with a single, vendor-neutral patient portal platform available on desktop, iOS, and Android. Founded in 2012 and headquartered in Dallas, Texas, Bridge Patient Portal has installations in many of healthcare’s leading clinics, hospitals, and health systems nationwide. For more information, visit https://www.bridgepatientportal.com/ or call 800-467-2321.
About Addiction Labs
Addiction Labs is a premium toxicology lab owned by American Addiction Centers. Since 2013, Addiction Labs has specialized in providing laboratory services for substance abuse and mental health facilities nationwide. Addiction Labs keeps its partners at the forefront of clinical excellence with its deep expertise, agile operations, and precise, high-end technology that translates to more reliable, insightful, and personalized solutions. For more information, visit https://addictionlabs.com/ or call 615-678-5973 or 800-772-0636.
Telehealth may seem like a new concept fueled by COVID-19, but in reality, telehealth companies have been around for many years and are growing in popularity. Due to the outbreak of COVID-19, healthcare providers and patients are turning to telehealth companies to fill the void. Providers are also asking if other prominent video conferencing software such as Apple FaceTime® can be considered a HIPAA compliant telehealth software platform.
Is Apple FaceTime® a Conduit or a Business Associate?
Before we can determine whether Apple FaceTime® is a HIPAA compliant telehealth app, we must ascertain whether it is responsible for keeping electronic protected health information (ePHI) safe. HIPAA compliance normally pertains to covered entities (health plans, health care clearinghouses, and health care providers), which Apple FaceTime® obviously isn’t. It could be argued that Apple FaceTime® may be considered either a conduit or a business associate in the eyes of HIPAA. A conduit is a service that transmits ePHI and neither stores it nor has the ability to access the encrypted data. Telephone service providers and internet service providers are considered conduits, but cloud service providers are not. A conduit is not required to sign a Business Associate Agreement (BAA).
Business associates are organizations or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. Cloud service providers (CSP) that provide cloud services to a covered entity or business associate that involves creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI.
Apple® does not store any information sent via FaceTime®, which is a peer-to-peer communication channel in which voice and audio communications are transmitted between individuals, and Apple® cannot decrypt sessions. Nevertheless, Apple® is considered a business associate and is therefore required to sign a BAA.
Will Apple Sign A BAA?
Because Apple® is considered a business associate, it is required to sign a BAA (Business Associate Agreement). A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA; therefore its services, including FaceTime®, are not technically HIPAA compliant.
HIPAA Discretion During COVID-19
Under the good faith provision for telehealth during COVID-19, covered health care providers can use Apple FaceTime® to provide telehealth without the risk of HIPAA non-compliance penalties. Apple FaceTime® could potentially introduce security risks, and providers should enable all available encryption and privacy modes when using such applications. Other popular applications, including WhatsApp®, Zoom®, and Skype™, are also seeing a rise in usage for telehealth purposes. It is advisable that healthcare providers notify patients that third-party applications such as Apple FaceTime® are not HIPAA compliant and that there are HIPAA compliant telehealth apps such as:
Skype for Business™
Zoom for Healthcare®
Cisco® Webex Meetings / Webex Teams
Spruce Health Care Messenger™
Bridge Video Visits, powered by Zoom for Healthcare®
Any application leveraged by covered entities that transmits ePHI needs to comply with certain HIPAA regulations. Given that Apple® will not sign a BAA, we can deduce that Apple FaceTime® is NOT a HIPAA Compliant Telehealth Software Platform. Any healthcare provider using non-compliant software during the leniency of COVID-19 must still strive to provide their patients with the most secure environment possible.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated with, endorsed by, or sponsored in any way by the service providers mentioned in this article.
WhatsApp® provides end-to-end encryption, but that does not mean that it is HIPAA compliant. There are other facets of HIPAA that must be satisfied before the software can be deemed compliant.
Since WhatsApp® does not require users to enter a password for every session, it does not provide the required access controls.
Because messages and attachments are easily deleted from WhatsApp®, audits cannot be conducted, which is necessary for HIPAA compliance.
WhatsApp® lacks the controls to make sure all communications that contain ePHI (electronic protected health information) are completely deleted remotely once an employee leaves the employment of a covered entity.
WhatsApp® has not agreed to sign a BAA with a covered entity.
WhatsApp® is NOT HIPAA compliant telemedicine software and should not be used to share ePHI or deliver online healthcare, since doing so would violate HIPAA regulations. Healthcare professionals may use WhatsApp® for general communication or for providing de-identified PHI.
If healthcare professionals would like to leverage a HIPAA compliant video communication tool, some companies have already stated that they will enter into a HIPAA business associate agreement and follow HIPAA compliance regulations. The Office for Civil Rights (OCR) has provided a list of HIPAA compliant telemedicine software:
Skype for Business™
Zoom for Healthcare®
Cisco® Webex Meetings / Webex Teams
Spruce Health Care Messenger™
Bridge Video Visits, powered by Zoom for Healthcare®
The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ privacy by limiting access to PHI (Protected Health Information) and governing acceptable use of their health data. The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of PHI in healthcare treatment, payment, and operations by covered entities.
What Is A HIPAA Patient Portal?
A HIPAA Patient Portal is a form of patient engagement in which health care providers can share information with a patient. If said information includes PHI and medical records, the patient portal must be HIPAA compliant.
Must I Have A HIPAA Patient Portal?
If you have a patient portal developed, provided by, or on behalf of a covered entity (health plan, healthcare clearinghouses, or healthcare providers), it must be HIPAA compliant.
If you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities, your patient portal must be HIPAA compliant.
What Information Does HIPAA Protect?
Protected Health Information (PHI) is any information that is held by a covered entity regarding a patient’s health status, provision of health care, or health care payment.
There are 18 PHI Identifiers:
All geographical subdivisions smaller than a State
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address
Biometric identifiers, including finger and voiceprints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Tips For Offering A HIPAA Compliant Patient Portal
Never Store Protected Health Information (PHI) on a mobile phone.
HIPAA compliant messaging requires you to exclude PHI from SMS, email, push, and IVR notifications. If you do include PHI in a notification, have your patients accept terms and conditions that permit you to use limited PHI in your notifications, clearly defining what PHI is included.
When working with a web design, hosting company, patient portal vendor, or healthcare app development company, always get a BAA (Business Associate Agreement). A BAA shares the responsibility for all patient information that is received by the company or handled by the patient portal they build.
Ensure a HIPAA expert audits the final patient portal.
Have your terms and conditions created/reviewed by an attorney that specializes in HIPAA law.
Require patients to log in each time they access PHI, with a 30-minute auto-logout. To make the patient portal more convenient and user-friendly, consider using face or fingerprint recognition for logins.
Conduct regular risk assessments. Also, regularly review records of system activity, including audit logs, access reports, and security incident tracking reports.
Maintain ePHI (electronic protected health information) integrity requirements by implementing information systems that provide features or processes for automatically checking data integrity, such as checksum verification or digital signatures, and by providing electronic mechanisms to ensure the integrity of ePHI.
Implement policies and procedures to protect ePHI from improper alteration or destruction.
Access controls must include unique user identification, emergency access procedure, and automatic logoff.
According to HIPAA, the information in a medical patient portal should be encrypted at all times – at rest and in transit.
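The access-control and integrity tips above, as an added example that is not Bridge’s code: a small record store with unique user IDs, the 30-minute idle auto-logoff, an audit log of every PHI access, a documented emergency-access (break-glass) path, and a keyed checksum (HMAC-SHA256) over each stored ePHI record that is verified before the record is shown. Record contents and IDs are constructed; the integrity key is supplied by the caller and would come from a key management service in a real deployment.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)  # the 30-minute auto-logout from the tips above


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class PatientPortal:
    """Minimal ePHI store: unique user IDs, idle auto-logoff, audit log,
    break-glass emergency access, and a keyed checksum per stored record."""

    def __init__(self, integrity_key):
        self._key = integrity_key   # assumption: provided from a KMS/HSM, never hard-coded
        self._records = {}          # record_id -> (json bytes, HMAC tag)
        self._sessions = {}         # token -> (user_id, last_activity)
        self.audit_log = []         # (when, user_id, action, record_id, outcome)

    # --- integrity ---------------------------------------------------------
    def _tag(self, record_id, body):
        # Binding record_id into the MAC stops a valid record from being swapped into
        # another patient's slot while still carrying a valid tag.
        return hmac.new(self._key, record_id.encode() + b"\x00" + body, hashlib.sha256).digest()

    def put_record(self, record_id, record):
        body = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (body, self._tag(record_id, body))

    def _load_verified(self, record_id):
        body, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, body)):
            raise IntegrityError("record %s failed its integrity check" % record_id)
        return json.loads(body)

    # --- sessions ----------------------------------------------------------
    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, now)
        self._audit(now, user_id, "login", None, "ok")
        return token

    def _require_session(self, token, now):
        sess = self._sessions.get(token)
        if sess is None:
            raise AccessDenied("no active session; log in")
        user_id, last_activity = sess
        if now - last_activity > IDLE_TIMEOUT:
            del self._sessions[token]
            self._audit(now, user_id, "auto_logoff", None, "idle_timeout")
            raise AccessDenied("session expired after 30 minutes idle; log in again")
        self._sessions[token] = (user_id, now)   # activity resets the idle clock
        return user_id

    def active_sessions(self):
        return len(self._sessions)

    # --- access ------------------------------------------------------------
    def get_record(self, token, record_id, now):
        user_id = self._require_session(token, now)
        try:
            record = self._load_verified(record_id)
        except IntegrityError:
            self._audit(now, user_id, "read", record_id, "integrity_failure")
            raise
        if record["patient_id"] != user_id:   # a patient may only read their own records
            self._audit(now, user_id, "read", record_id, "denied")
            raise AccessDenied("record belongs to another patient")
        self._audit(now, user_id, "read", record_id, "ok")
        return record

    def emergency_access(self, clinician_id, record_id, reason, now):
        """Break-glass path: bypasses the patient session, but identity and reason are logged."""
        if not reason.strip():
            raise AccessDenied("emergency access requires a documented reason")
        record = self._load_verified(record_id)
        self._audit(now, clinician_id, "emergency_read", record_id, "ok: " + reason)
        return record

    def _audit(self, when, user_id, action, record_id, outcome):
        self.audit_log.append((when.isoformat(), user_id, action, record_id, outcome))
```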
What Are The Penalties For Not Being HIPAA Compliant?
There are several levels of violations based on what a covered entity did or didn’t do.
A covered entity that did not know and could not have reasonably known of an ePHI breach could be fined $100-$50,000 per incident and up to $1.5 Million.
A covered entity that “knew,” or by exercising reasonable diligence would have known, of an ePHI breach but didn’t act with willful neglect could be fined $1,000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and corrected the problem within 30 days could be fined $10,000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and failed to make a timely correction could be fined $50,000 per incident and up to $1.5 Million.
Get your patients actively involved in their healthcare experience with Bridge’s HIPAA-compliant appointment self-scheduling solution.
Bridge’s Patient Self-Scheduling Feature
Bridge offers a HIPAA-compliant appointment self-scheduling solution that can cut overhead, increase patient satisfaction, and decrease the number of phone calls coming into and out of your office. It can ensure proper screening while enabling patients to schedule their own appointments in a matter of minutes. This patient appointment scheduling software was built to comfortably handle complex scheduling decision trees that are adaptable to any provider/specialty group as well as the unique schedules of their providers, without any disruption in procedures or workflow.
Bridge integrates with your existing systems and procedures; it makes use of current data and settings and capitalizes on work that’s already been done. Bridge also works with you to provide Role-Based Access Control (RBAC), which regulates who has access to schedule appointments, the appointment slots to make available, and more.
The patient self-scheduling feature works without staff involvement but Bridge provides support whenever you need it. The solution is HIPAA-compliant and secure-in/secure-out, giving you the privacy you demand.
The Bridge Patient Portal gives patients more control over their healthcare experience, delivering self-service tools that patients have become accustomed to in other industries (e.g., travel, banking, retail, etc.). Access to the HIPAA-compliant scheduling feature is available via the secure patient portal or Bridge’s mobile app – available on iOS and Android.
Bridge’s patient self-scheduling feature allows patients to complete a full HIPAA compliant scheduling workflow and book appointments in real-time.
HIPAA-compliant appointment self-scheduling, security, and privacy
Patients can receive appointment reminders via email in order to help them manage their time.
In order to understand why HIPAA compliance is so important regarding all of these features, we must remember the importance of patient privacy. Healthcare providers in the U.S. must comply with HIPAA regulations, which were designed to provide privacy standards in order to protect patients’ medical records and other health information. These regulations extend to all types of healthcare technologies that doctors might use to store and manage patient information. Although there is no definitive HIPAA certification for any organization, IT companies can be HIPAA-compliant. This means that they adhere to HIPAA regulations and take the necessary steps to ensure their products effectively protect sensitive patient information.
Michael McGinley (Director of Strategic Accounts), is an accomplished sales & management executive experienced in HIT sales, data analytics, and publishing. He is certified in management information systems and has a BA in business, in addition to an MS in information systems with a concentration in healthcare. Mike possesses a true commitment to sales and customer service.
According to a 2015 Statista study, approximately 81 percent of doctors use their smartphones for professional purposes.
And the results of another study revealed that 64 percent of doctors surveyed use text messaging to send and receive patient data among colleagues, such as patient diagnoses, test results, and medical advice.
There’s no question that mobile devices are incredibly useful to today’s healthcare organizations, especially when it comes to simplifying tasks and making processes more efficient.
However, the uptick in mobile device usage in the healthcare space is not without its risks. With thousands and thousands of devices like smartphones, tablets, and laptops now requiring access to a healthcare network, HIPAA compliance and security have become some of the biggest issues for today’s health IT professionals.
Unfortunately, if organizations do not meet requirements for mobile app HIPAA compliance, hefty HIPAA fines can follow, and, even worse, patient data can be stolen.
Factoring in Mobile to Keep Patient Health Data Safe
The federal government put HIPAA in place in 1996 to ensure we have rights over our private health information, regardless of whether it is in paper or digital format. However, many people’s understanding of HIPAA compliance is limited to the original HIPAA Privacy Rule, which primarily focuses on how healthcare organizations may use and disclose protected health information (PHI).
The main objective of HIPAA compliant messaging is to protect patient privacy. HIPAA’s regulations require healthcare organizations and healthcare providers to adopt a specific set of standards to protect patients and keep data secure.
Unfortunately, a surprising number of providers today using mobile devices do not insist on appropriate privacy protections to secure patient data. And even if an organization’s mobile devices are believed to be safe, there is significant potential for devices’ users to breach HIPAA rules. Without proper controls, devices can be compromised, and ePHI stored on them accessed by cybercriminals.
So, what can healthcare teams do to protect employees’ mobile devices and the personal patient information stored on them?
HIPAA guidance offers some basic steps that organizations can take to protect healthcare information when using a mobile device. Below are several highlights. Even if your organization already uses a HIPAA compliant service, adding these extra layers of security is advantageous whenever healthcare information is handled on a mobile device:
Check all devices’ encryption technologies, antivirus protection, and firewalls to confirm they are functioning correctly and are up to date.
Protect all mobile devices with a password or authentication requirement.
Enable timeout features on your devices so that they log users out after a period of inactivity.
Disable file-sharing options.
Understand that text messages are not HIPAA-compliant. To make texting safe, you must make it compliant with privacy laws, including activating data encryption and developing a well-thought-out text message usage policy organization-wide.
Always investigate mobile apps before you install them. They should be from trusted sources. Check that your mobile patient portal, practice management tool, or customer relationship management (CRM) software’s mobile app is HIPAA-ready. You can find recommendations for mobile customer and patient tools at TechnologyAdvice.com.
Use a two-part login process, like both a password and a security question.
Additionally, if a team member’s employment with your healthcare organization terminates, follow the proper steps for erasing medical information before disposing of any mobile device.
It is also recommended to use caution when it comes to employee Internet usage. For example, if your staff members access insecure websites, they run a significant risk of exposing sensitive data transmitted from their device. With this in mind, make it a priority to train employees properly to avoid visiting insecure websites or Wi-Fi networks. You also can implement antivirus protection and a VPN on every employee’s phone to secure Wi-Fi communication.
Finally, it’s important to realize that the web browser itself on an employee’s phone could also be a source of vulnerabilities, and, in some cases, can lead to browser attacks, especially on Android devices. Ensure that your team members have the most current version of whatever web browser they use to avoid issues.
Protecting Patient Data is Your Organization’s Responsibility
Regardless of the kind of technology a healthcare organization uses to help provide care, they are obligated to protect PHI. If a tablet or mobile phone is used to access, transmit, receive or store information, it must have specific security precautions in place to ensure the data cannot be altered or destroyed. Also, controls must be put in place to allow any mobile device to be audited.
As long as the appropriate security controls are put in place, the increasing use of mobile devices in the healthcare space has significant potential to improve productivity, boost efficiency, and contribute to enhanced patient outcomes.
The key is to ensure that any mobile devices you use in the process do not put patient privacy at risk or give cyber criminals easy access into your network.
Lisa C. Dunn is a writer for TechnologyAdvice and a freelance writer, copywriter and ghostwriter who develops high-quality content for businesses and non-profit organizations. For over 20 years, she has worked with numerous PR and digital marketing agencies, and her work has been featured in well-known publications including Forbes, VentureBeat, Mashable, Huffington Post, Wired, B2C, USA Today, among others.
More and more health organizations are implementing publicly exposed web technologies containing Protected Health Information (PHI), which are subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR), web portal, patient portal, and mHealth solutions. When those systems become integrated, PHI must travel from one platform to the other, exposing the systems to considerable risks not just in transmission but also because the systems themselves are publicly exposed. In these situations, ensuring that HIPAA regulations are met has become crucial.
Here are three things about HIPAA that you probably didn’t know:
1. There is no such thing as HIPAA certified hosting
While HIPAA compliant cloud hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.
The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.
It is possible, however, to be HIPAA compliant, or to seek certifications that encompass HIPAA's requirements or other frameworks with a similar scope. Examples include HITRUST certification, EHNAC accreditation, or a SOC 2 attestation report. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications and HIPAA audit services are a good practice for companies that specialize in hosting, they aren't required for health organizations. James further explains that “Moving to the cloud doesn't reduce your risk and the cloud alone isn't necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and keep the documentation needed to demonstrate compliance (e.g. a signed Business Associate Agreement).
2. Contact Us and Intake forms are permitted on websites
Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.
Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard the PHI they collect (e.g. name, phone number and medical information). The first step is to make sure the site is served over HTTPS with a valid TLS (SSL) certificate, so that everything the user's browser sends to your web server, including form fields, is encrypted in transit. Note that this protects the data only between the browser and the server: it does nothing for a form that posts to a third-party service, or for the submission once it has been stored or forwarded. So in addition to encrypting the form, make sure submissions are transmitted, accessed and viewed by office staff in a secure way, for example through a HIPAA-compliant email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, which documents the intended use and helps limit the organization's exposure when PHI is sent through the form.
If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
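A certificate on the site is necessary but not sufficient: the form also has to submit to an HTTPS endpoint you control. The following audit script is an added example (not code from the original article or from any product it mentions) that parses a page's `<form>` tags and flags forms that post over plain HTTP, to a different host, or via GET. The page URL, host names and HTML are constructed for the demonstration; point it at your own pages by feeding it the fetched HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action and method of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower()})


def audit_forms(page_url, html):
    """Return a list of (form_index, problem) tuples; an empty list means no issue found.

    Checks that the page itself is served over HTTPS (index -1), that every form
    resolves to an HTTPS endpoint on the same host, and that the form uses POST
    so submitted fields do not end up in URLs, referrers and access logs.
    """
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    problems = []
    if page.scheme != "https":
        problems.append((-1, "page itself is served over %s, not https" % page.scheme))
    for i, form in enumerate(parser.forms):
        # An empty or relative action resolves against the page URL, like a browser does.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            problems.append((i, "submits over %s to %s" % (target.scheme, target.geturl())))
        if target.netloc != page.netloc:
            problems.append((i, "submits to a different host: %s" % target.netloc))
        if form["method"] != "post":
            problems.append((i, "uses GET; submitted fields would appear in the URL"))
    return problems


# Constructed sample: a hypothetical clinic site with three forms.
SAMPLE_PAGE_URL = "https://clinic.example/contact"
SAMPLE_HTML = """
<form action="/contact" method="post"><input name="message"></form>
<form action="http://forms.example.net/intake" method="post"><input name="dob"></form>
<form method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for index, problem in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form %d: %s" % (index, problem))
```

Only the first form passes: the second would send intake data unencrypted to a third-party host regardless of the clinic's own certificate, and the third leaks field values into URLs.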
3. Emailing patients is okay, even if the email on their end is unencrypted
The first thing you need to know about HIPAA compliant messaging and HIPAA compliant email communication with patients is that HIPAA gives very few specific guidelines about what is and isn't acceptable for electronic messaging. One important thing we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Many providers think that using encrypted email on their side is enough of a precaution; that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure the message stays protected once it leaves your organization's server and lands in a mailbox you do not control. Still, this doesn't mean that emailing patients is off the table.
Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.
For more information about HIPAA compliance best practices and how a patient portal helps make HIPAA secure messaging easy, contact a Bridge Patient Portal sales representative.
As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.
On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
The Encryption Issue: Do I need to send encrypted emails to my patients?
Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).
The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its end of the email transport, it cannot control the security of the message once it leaves the organization's server. For fully encrypted email communication, the patient would need to use a HIPAA compliant email messaging service that supports that level of encryption. The Privacy Rule recognizes this and grants individuals access to their ePHI in the format in which they wish to receive it, including unencrypted email. Large consumer mail services such as Google and Yahoo! now negotiate TLS between mail servers by default, which reduces the exposure in transit, but that is transport encryption only: the message still sits unencrypted in the patient's mailbox, and anyone with access to that account (or the mail provider itself) can read it.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Applying HIPAA compliant email messaging to your protocol
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your HIPAA compliant messaging protocol:
HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
Double-check and triple-check to be positively sure that the email address or phone number is correct before sending.
Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.
HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.
Do not use the patient’s name, initials, or medical record number in the subject line of an email.
Also, do not use direct patient identifiers in the message content. These are the identifiers listed in the HIPAA Safe Harbor de-identification standard (45 CFR 164.514(b)):
1. Names
2. All geographical subdivisions smaller than a state – including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued)
Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:
1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence
Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
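The subject-line rule and the identifier list above are easy to state and easy to violate in a hurry, so a pre-send screen is worth having. The following is an added example, not code from the original article or from any vendor it names: it runs a set of regexes for the identifiers that can be recognised in free text (SSN, phone, email address, URL, IP address, dates, ZIP codes, medical record numbers, ages over 89) plus the patient's name and initials over both the subject and the body, and refuses the message if anything matches. The patterns assume US formats and are heuristics for catching obvious slips, not a substitute for a DLP product or a human reviewer; the sample messages and patient name are constructed.

```python
import re

# Regexes for the Safe Harbor identifiers that show up in free text.
# Assumption: US formats. Keyword screening for the sensitive categories
# (mental health, HIV, etc.) would plug into the same loop.
IDENTIFIER_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "mrn":   re.compile(r"\b(?:MRN|medical record (?:number|no\.?))[:#\s]*\d+\b", re.IGNORECASE),
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)[\s-]*(?:years?[\s-]*old|y/?o)\b", re.IGNORECASE),
}


def _name_pattern(patient_name):
    """Build a regex matching any name token of 3+ characters or the initials (JD, J.D.)."""
    tokens = [t for t in re.split(r"\s+", patient_name.strip()) if t]
    parts = [re.escape(t) for t in tokens if len(t) >= 3]
    if len(tokens) >= 2:
        parts.append(r"\.?\s?".join(re.escape(t[0]) for t in tokens) + r"\.?")
    if not parts:
        return None
    return re.compile(r"\b(?:" + "|".join(parts) + r")\b", re.IGNORECASE)


def screen_message(subject, body, patient_name):
    """Return {'ok': bool, 'findings': [(field, category, matched_text), ...]}.

    The subject is screened with the same rules as the body because it is
    shown in notifications and mail logs where the body is not.
    """
    name_re = _name_pattern(patient_name)
    findings = []
    for field, text in (("subject", subject), ("body", body)):
        if name_re is not None:
            m = name_re.search(text)
            if m:
                findings.append((field, "name", m.group(0)))
        for category, pattern in IDENTIFIER_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append((field, category, m.group(0)))
    return {"ok": not findings, "findings": findings}


# Constructed sample messages for a hypothetical patient "Jane Doe".
SAFE_SUBJECT = "Appointment reminder"
SAFE_BODY = ("Your results are ready in the patient portal. Reply to this message "
             "or call the office if you would prefer another way to be contacted.")
UNSAFE_SUBJECT = "Jane Doe lab results"
UNSAFE_BODY = "Jane, your MRN 4481923 record shows DOB 03/14/1962. Call 555-123-4567."

if __name__ == "__main__":
    for subj, body in ((SAFE_SUBJECT, SAFE_BODY), (UNSAFE_SUBJECT, UNSAFE_BODY)):
        result = screen_message(subj, body, "Jane Doe")
        print("OK" if result["ok"] else "BLOCKED", result["findings"])
```

The safe message points the patient to the portal and offers an alternative contact route without carrying any identifier; the unsafe one is blocked on the name in the subject and on the name, record number, date of birth and phone number in the body.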
Additional Best Practices
Include a disclaimer regarding patient privacy in all communication.
Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
Educate patients. Encourage them to protect their devices and computers with passwords (or a screen lock) and to enable automatic logoff, and run an awareness campaign so patients understand the security concerns. For accounts on your own portal, prefer multi-factor authentication and require a password change when a compromise is suspected; current NIST guidance (SP 800-63B) advises against forcing routine password changes on a fixed schedule such as every 6 months, because that practice tends to produce weaker, predictable passwords.
Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.
The most important thing to know in applying HIPAA law
In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA compliant messaging, HIPAA compliant email, HIPAA compliant SMS messaging) to enhance the patient experience.
To learn more about HIPAA and healthcare application please see our three-part article series:
This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS messaging).