More and more health organizations are implementing publicly-exposed web technologies containing Protected Health Information (PHI) which are subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR), web portal, Patient Portal and mHealth solutions. When those systems become integrated, PHI must travel from one platform to the other – exposing the systems to considerable risks not just in transmission but the very nature that the systems are publicly-exposed. In these situations, ensuring that HIPAA regulations are met has become crucial.
Here are three things about HIPAA that you probably didn’t know:
1. There is no such thing as HIPAA certified hosting
While HIPAA compliant hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.
The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.
It is possible, however, to be HIPAA compliant or seek certifications that encompass the laws of HIPAA or other laws with a similar scope of HIPAA. Examples of these include HITRUST and EHNAC or SOC 2 certifications. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications or HIPAA audit services are a great practice for companies that specialize in hosting, they aren’t required for health organizations. James further explains that “Moving to the cloud doesn’t reduce your risk and the cloud alone isn’t necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and have the proper documentation to ensure compliance (e.g. a signed Business Associate Agreement)
2. Contact Us and Intake forms are permitted on websites
Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.
Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard PHI (e.g. name, phone number and medical information), which is protected by HIPAA. What you need to do is make sure that your website properly deploys an SSL certificate. This encrypts information sent from the user’s browser to your web server. In addition to ensuring that the form is encrypted, you will want to make sure that the forms are transmitted, accessed and viewed by office staff in a secure way, like a HIPAA-compliant, encrypted email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, essentially releasing the the healthcare organization from liability for the transmission of PHI through the form.
If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
3. Emailing patients is okay, even if the email on their end is unencrypted
The first thing that you need to know about HIPAA and email communication with patients is that HIPAA provides very little specific guidelines about what is acceptable and what isn’t when it comes to electronic messaging. One important thing that we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Many providers think that using encrypted email is enough of a precaution; however, that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure that the communication is secure once it leaves your organization’s server. Still, this doesn’t mean that emailing patients is off the table.
Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.
The Facts about HIPAA and Email/SMS Communication with Patients
Is Skype HIPAA Compliant?
For more information about HIPAA compliance best practices and how a patient portal helps make HIPAA secure messaging easy, contact a Bridge Patient Portal sales representative.
As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.
On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
As patient engagement strategists, Bridge Patient Portal fully supports electronic communication to improve patient care, assuming the right precautions are taken.
The Encryption Issue: Do I need to send encrypted emails to my patients?
Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).
The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its end of the email transport, it’s difficult to ensure the security of the email once it leaves the organization’s server. In order for completely encrypted email communication to be achieved, the patient would need to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this, and grants individuals access to ePHI in the format that they wish to receive it, i.e. unencrypted email. Nowadays, the issue of encryption is becoming less and less of a concern as email services such as Google and Yahoo! are implementing stricter security policies every day.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Applying HIPAA to your email protocol
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
|HIPAA Standard||Practical Advice
|HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.||Double-check and triple-check to be positively sure that the email address or phone number is correct before sending.
Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.
|HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.||Do not use the patient’s name, initials, or medical record number in the subject line of an email.
Also, do not use direct patient identifiers in the message content. This includes:
2. All geographical subdivisions smaller than a state – including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
|HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued)||Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:
1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence
Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
Additional Best Practices
- Include a disclaimer regarding patient privacy in all communication.
Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
- Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
- Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
- Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.
The most important thing to know in applying HIPAA law
In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS) to enhance the patient experience.
To learn more about HIPAA and healthcare application please see our three-part article series:
This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS).
This is the second part of our three-part series discussing the Security Rule section of HIPAA in healthcare application development. Here, we’ll go over what needs to be audited and what is considered an appropriate level of auditing. Our previous post on user authentication decodes the Security Rule as it applies to patient portal and mHealth app development, specifically with regard to user authentication. The next post will discuss relevant issues related to data transfer.
What needs to be audited?
The auditing requirement for covered entities was created to ensure that controls are in place for monitoring activity on electronic systems that use or contain electronic protected health information (ePHI). These entities must also have policies in place to systematically review and monitor audit records to establish that all activity on these electronic systems is appropriate. Logons and logoffs, file accesses, updates, edits, and security incidents are a few examples of activities that should be monitored.
The only obligatory audit is a risk analysis, which is required regardless of a provider’s size. In this analysis, providers must accurately determine whether potential vulnerabilities and risks to the integrity, confidentiality, and availability of ePHI exist within their systems. Conventional controls for these audits generally include the application of software, hardware, and/or procedural mechanisms which analyze activity in systems containing ePHI.
How long do audit records need to be retained?
Audit records and all associated documentation must be retained for six years. This period begins either on the date of the creation of audit records and documentation, or the date for which they were last in effect (whichever is later). Logs of system activity and records of security breaches are examples of information that must be available from audits within the six-year period.
Auditing is an important part of the Security Rule section of HIPAA, but is only a small part of what the rule addresses. Read our posts on authentication and data transfer.
Of the three main components of HIPAA — the Privacy Rule, the Security Rule, and the Breach Notification Rule — the Security Rule is one that is particularly relevant to health application development in the healthcare sphere. The majority of these applications, from patient portals to mhealth apps, store or transmit electronic Protected Health Information (ePHI). It’s essential to keep this information safe, and the Security Rule has in-depth guidance on the extent to which this needs to be accomplished, but with a fair amount of flexibility as to the strategies for implementation.
Here, we decode the Security Rule as it applies to patient portal and mHealth app development, specifically in regards to user authentication. In Part 2 of this series, we cover auditing, and in Part 3 we discuss issues related to data transfer, such as encryption and notifications.
Although healthcare IT has transformed over the years, patients have held the same expectation: to be in the care a personable doctor who will communicate effectively and make health decisions that are in the patient’s best interest. However, doctors have constantly struggled to navigate the boundaries of a patient-doctor relationship and the use of new technology unfortunately could potentially complicate the issue. Below we discuss the Do’s and Don’t’s of doctor-patient interactions on online platforms. (more…)