Healthcare professionals have recently increased their efforts to provide patients with remote consultations and HIPAA compliant messaging. Some have turned to WhatsApp, a cross-platform messaging and VoIP (Voice over Internet Protocol) service that allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other media. But you might be wondering: Is WhatsApp a HIPAA compliant telemedicine software?
In order for a communications platform to be considered HIPAA compliant, it must fulfill the following requirements:
WhatsApp provides end-to-end encryption, but that does not mean that it is HIPAA compliant. There are other facets of HIPAA that must be satisfied before the software can be deemed compliant.
Since WhatsApp does not require users to enter a password for every session, it does not provide the required access controls.
Because messages and attachments are easily deleted from Whatsapp, audits cannot be conducted, which is necessary for HIPAA compliance.
WhatsApp lacks the controls to make sure all communications that contain ePHI (electronic personal health information) are completely deleted remotely once an employee leaves the employment of a Covered Entity.
WhatsApp has not agreed to sign a BAA with a covered entity.
Whatsapp is NOT a HIPAA compliant telemedicine software and should not be used to share ePHI or deliver online healthcare since doing so would violate HIPAA regulations. Healthcare professionals may use WhatsApp for general communication or for providing de-identified PHI.
If healthcare professionals would like to leverage a HIPAA compliant video communication tool, some companies have already stated that they will enter into a HIPAA business associate agreement and follow HIPAA compliance regulations. The Office for Civil Rights (OCR) has provided a list of HIPAA compliant telemedicine software:
The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ privacy by limiting access to PHI (Protected Health Information) and governing acceptable use of their health data. The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of PHI in healthcare treatment, payment, and operations by covered entities.
What Is A HIPAA Patient Portal
A HIPAA Patient Portal is a form of patient engagement in which health care providers can share information with a patient. If said information includes PHI and medical records, the patient portal must be HIPAA compliant.
Must I Have A HIPAA Patient Portal?
If you have a patient portal developed, provided by, or on behalf of a covered entity (health plan, healthcare clearinghouses, or healthcare providers), it must be HIPAA compliant.
If you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities, your patient portal must be HIPAA compliant.
What Information Does HIPAA Protect?
Protected Health Information (PHI) is any information that is held by a covered entity regarding a patient’s health status, provision of health care, or health care payment.
There are 18 PHI Identifiers:
All geographical subdivisions smaller than a State
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address
Biometric identifiers, including finger and voiceprints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Tips For Offering A HIPAA Compliant Patient Portal?
Never Store Protected Health Information (PHI) on a mobile phone.
HIPAA compliant messaging requires you to exclude PHI in an SMS, email, push, or IVR notification. If you do include PHI in a notification, have your patients accept terms and conditions which permit you to use limited PHI in your notifications, clearly defining what PHI is included.
When working with a web design, hosting company, patient portal vendor, or healthcare app development company, always get a BAA (Business Associate Agreement). A BAA shares the responsibility for all patient information that is received by the company or handled by the patient portal they build.
Ensure a HIPAA expert audits the final patient portal.
Have your terms and conditions created/reviewed by an attorney that specializes in HIPAA law.
Require patients log in each time to access PHI, with a 30-minute auto-logout. To make the patient portal more convenient and user-friendly, consider using face or fingerprint recognition for logins.
Conduct regular risk assessments. Also, regularly review records of system activity, including audit logs, access reports, and security incident tracking reports.
Maintain ePHI (electronic personal health information) integrity requirements by implementing information systems that provide features or processes for automatically checking data integrity. These include checksum verification or digital signatures and providing electronic mechanisms to ensure the integrity of ePHI.
Implement policies and procedures to protect ePHI from improper alteration or destruction.
Access controls must include unique user identification, emergency access procedure, and automatic logoff.
According to HIPAA, the information in a medical patient portal should be encrypted at all times – at rest and in transit.
What Are The Penalties For Not Being HIPAA Compliant?
There are several levels of violations based on what a covered entity did or didn’t do.
A covered entity that did not know and could not have reasonably known of an ePHI breach could be fined $100-$50,000 per incident and up to $1.5 Million.
A covered entity that “knew,” or by exercising reasonable diligence would have known of an ePHI breach but didn’t act with willful neglect could be fined $1000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and corrected the problem within 30 days could be fined $10,000-$50,000 per incident and up to $1.5 Million.
A covered entity that acted with willful neglect and failed to make a timely correction could be fined $50,000 per incident and up to $1.5 Million
Get your patients actively involved in their healthcare experience with Bridge’s HIPAA-compliant appointment self-scheduling solution.
Bridge’s Self-Scheduling Solution
Bridge offers a HIPAA-compliant appointment self-scheduling solution that can cut overhead, increase patient satisfaction, and decrease the number of phone calls coming into and out of your office. It can ensure proper screening while enabling patients to schedule their own appointments in a matter of minutes. This patient appointment scheduling software was built to comfortably handle complex scheduling decision trees that are adaptable to any provider/specialty group as well as the unique schedules of their providers, without any disruption in procedures or workflow.
Bridge integrates with your existing systems and procedures; it makes use of current data and settings and capitalizes on work that’s already been done. Bridge also works with you to provide Role-Based Access Control (RBAC), which regulates who has access to schedule appointments, the appointment slots to make available, and more.
The self-scheduling solution works without staff involvement but Bridge provides support whenever you need it. The solution is HIPAA-compliant and secure-in/secure-out, giving you the privacy you demand.
The Bridge Patient Portal gives patients more control over their healthcare experience, delivering self-service tools that patients have become accustomed to in other industries (e.g., travel, banking, retail, etc.). Access to the HIPAA-compliant scheduling feature is available via the secure patient portal or Bridge’s mobile app – available on iOS and Android.
Bridge’s self-scheduling solution allows patients to complete a full HIPAA compliant scheduling workflow and book appointments in real-time.
HIPAA-compliant appointment self-scheduling, security, and privacy
Patients can receive appointment reminders via email in order to help them manage their time.
In order to understand why HIPAA compliance is so important regarding all of these features, we must remember the importance of patient privacy. Healthcare providers in the U.S. must comply with HIPAA regulations, which were designed to provide privacy standards in order to protect patients’ medical records and other health information. These regulations extend to all types of healthcare technologies that doctors might use to store and manage patient information. Although there is no definitive HIPAA certification for any organization, IT companies can be HIPAA-compliant. This means that they adhere to HIPAA regulations and take the necessary steps to ensure their products effectively protect sensitive patient information.
Michael McGinley (Director of Strategic Accounts), is an accomplished sales & management executive experienced in HIT sales, data analytics, and publishing. He is certified in management information systems and has a BA in business, in addition to an MS in information systems with a concentration in healthcare. Mike possesses a true commitment to sales and customer service.
According to a 2015 Statista study, approximately 81 percent of doctors use their smartphones for professional purposes.
And the results of another study revealed that 64 percent percent of doctors surveyed use text messaging to send and receive patient data among colleagues, such as patient diagnoses, test results, and medical advice.
There’s no question that mobile devices are incredibly useful to today’s healthcare organizations, especially when it comes to simplifying tasks and making processes more efficient.
However, the uptick in mobile device usage in the healthcare space is not without its risks. With thousands and thousands of devices like smartphones, tablets, and laptops now requiring access to a healthcare network, HIPAA compliance and security have become some of the biggest issues for today’s health IT professionals.
Unfortunately, if organizations do not meet requirements for mobile app HIPAA compliance, hefty HIPAA fines can follow, and, even worse, patient data can be stolen.
Factoring in Mobile to Keep Patient Health Data Safe
The federal government put HIPAA in place in 1996 to ensure we have rights over our private health information, regardless of whether it is in paper or digital format. However, many people’s understanding of HIPAA compliance is limited to the original HIPAA Privacy Rule, which primarily focuses on how healthcare organizations may use and disclose protected health information (PHI).
HIPAA Compliant Messaging main objective is to protect patient privacy. Its regulations require healthcare organizations and healthcare providers to adopt a specific set of standards to protect patients and keep data secure.
Unfortunately, a surprising number of providers today using mobile devices do not insist on appropriate privacy protections to secure patient data. And even if an organization’s mobile devices are believed to be safe, there is significant potential for devices’ users to breach HIPAA rules. Without proper controls, devices can be compromised, and ePHI stored on them accessed by cybercriminals.
So, what can healthcare teams do to protect employees’ mobile devices and the personal patient information stored on them?
HIPAA offers some basic steps that organizations can take to protect healthcare information when using a mobile device. Below, we include several highlights from HIPAA’s information. It is essential to understand that if your organization is currently utilizing a HIPAA compliant service, incorporating these extra layers of security can be extremely advantageous when dealing with healthcare information on any mobile device:
Check all devices’ encryption technologies, antivirus protection and firewall to confirm they are functioning the right way and are up-to-date.
Protect all mobile devices with a password or authentication requirement.
Enable timeout features on your devices so that they log users out after a period of inactivity.
Disable file-sharing options.
Understand that text messages are not HIPAA-compliant. To make texting safe, you must make it compliant with privacy laws, including activating data encryption and developing a well-thought-out text message usage policy organization-wide.
Always investigate mobile apps before you install them. They should be from trusted sources. Check that your mobile patient portal, practice management tool, or customer relationship management (CRM) software’s mobile app is HIPAA-ready. You can find recommendations for mobile customer and patient tools at TechnologyAdvice.com.
Use a two-part login process, like both a password and a security question.
Additionally, if a team member’s employment with your healthcare organization terminates, follow the proper steps for erasing medical information before disposing of any mobile device.
It is also recommended to use caution when it comes to employee Internet usage. For example, if your staff members access insecure websites, they run a significant risk of exposing sensitive data transmitted from their device. With this in mind, make it a priority to train employees properly to avoid visiting insecure websites or Wi-Fi networks. You also can implement antivirus protection and a VPN on every employee’s phone to secure Wi-Fi communication.
Finally, it’s important to realize that the web browser itself on an employee’s phone could also be a source of vulnerabilities, and, in some cases, can lead to browser attacks, especially on Android devices. Ensure that your team members have the most current version of whatever web browser they use to avoid issues.
Protecting Patient Data is Your Organization’s Responsibility
Regardless of the kind of technology a healthcare organization uses to help provide care, they are obligated to protect PHI. If a tablet or mobile phone is used to access, transmit, receive or store information, it must have specific security precautions in place to ensure the data cannot be altered or destroyed. Also, controls must be put in place to allow any mobile device to be audited.
As long as the appropriate security controls are put in place, the increasing use of mobile devices in the healthcare space has significant potential to improve productivity, boost efficiency, and contribute to enhanced patient outcomes.
The key is to ensure that any mobile devices you use in the process do not put patient privacy at risk or give cyber criminals easy access into your network.
Lisa C. Dunn is a writer for TechnologyAdvice and a freelance writer, copywriter and ghostwriter who develops high-quality content for businesses and non-profit organizations. For over 20 years, she has worked with numerous PR and digital marketing agencies, and her work has been featured in well-known publications including Forbes, VentureBeat, Mashable, Huffington Post, Wired, B2C, USA Today, among others.
More and more health organizations are implementing publicly-exposed web technologies containing Protected Health Information (PHI) which are subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR), web portal, Patient Portal and mHealth solutions. When those systems become integrated, PHI must travel from one platform to the other – exposing the systems to considerable risks not just in transmission but the very nature that the systems are publicly-exposed. In these situations, ensuring that HIPAA regulations are met has become crucial.
Here are three things about HIPAA that you probably didn’t know:
1. There is no such thing as HIPAA certified hosting
While HIPAA compliant hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.
The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.
It is possible, however, to be HIPAA compliant or seek certifications that encompass the laws of HIPAA or other laws with a similar scope of HIPAA. Examples of these include HITRUST and EHNAC or SOC 2 certifications. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications or HIPAA audit services are a great practice for companies that specialize in hosting, they aren’t required for health organizations. James further explains that “Moving to the cloud doesn’t reduce your risk and the cloud alone isn’t necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and have the proper documentation to ensure compliance (e.g. a signed Business Associate Agreement)
2. Contact Us and Intake forms are permitted on websites
Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.
Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard PHI (e.g. name, phone number and medical information), which is protected by HIPAA. What you need to do is make sure that your website properly deploys an SSL certificate. This encrypts information sent from the user’s browser to your web server. In addition to ensuring that the form is encrypted, you will want to make sure that the forms are transmitted, accessed and viewed by office staff in a secure way, like a HIPAA-compliant, encrypted email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, essentially releasing the healthcare organization from liability for the transmission of PHI through the form.
If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
3. Emailing patients is okay, even if the email on their end is unencrypted
The first thing that you need to know about HIPAA compliant messaging and email communication with patients is that HIPAA provides very little specific guidelines about what is acceptable and what isn’t when it comes to electronic messaging. One important thing that we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Many providers think that using encrypted email is enough of a precaution; however, that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure that the communication is secure once it leaves your organization’s server. Still, this doesn’t mean that emailing patients is off the table.
Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.
As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.
On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
The Encryption Issue: Do I need to send encrypted emails to my patients?
Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).
The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its end of the email transport, it’s difficult to ensure the security of the email once it leaves the organization’s server. In order for completely encrypted email communication to be achieved, the patient would need to use a HIPAA compliant email messaging service that supports HIPAA-level encryption. The Privacy Rule recognizes this, and grants individuals access to ePHI in the format that they wish to receive it, i.e. unencrypted email. Nowadays, the issue of encryption is becoming less and less of a concern as email services such as Google and Yahoo! are implementing stricter security policies every day.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Applying HIPAA compliant email messaging to your protocol
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
Double-check and triple-check to be positively sure that the email address or phone number is correct before sending.
Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.
HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.
Do not use the patient’s name, initials, or medical record number in the subject line of an email.
Also, do not use direct patient identifiers in the message content. This includes:
2. All geographical subdivisions smaller than a state – including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued)
Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:
1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence
Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
Additional Best Practices
Include a disclaimer regarding patient privacy in all communication.
Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.
The most important thing to know in applying HIPAA law
In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS messaging) to enhance the patient experience.
To learn more about HIPAA and healthcare application please see our three-part article series:
This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS messaging).
This is the second part of our three-part series discussing the Security Rule section of HIPAA compliant messaging in healthcare application development. Here, we’ll go over what needs to be audited and what is considered an appropriate level of auditing. Our previous post on user authentication decodes the Security Rule as it applies to patient portal and mHealth app development, specifically with regard to user authentication. The next post will discuss relevant issues related to data transfer.
What needs to be audited?
The auditing requirement for covered entities was created to ensure that controls are in place for monitoring activity on electronic systems that use or contain electronic protected health information (ePHI). These entities must also have policies in place to systematically review and monitor audit records to establish that all activity on these electronic systems is appropriate. Logons and logoffs, file accesses, updates, edits, and security incidents are a few examples of activities that should be monitored.
The only obligatory audit is a risk analysis, which is required regardless of a provider’s size. In this analysis, providers must accurately determine whether potential vulnerabilities and risks to the integrity, confidentiality, and availability of ePHI exist within their systems. Conventional controls for these audits generally include the application of software, hardware, and/or procedural mechanisms which analyze activity in systems containing ePHI.
How long do audit records need to be retained?
Audit records and all associated documentation must be retained for six years. This period begins either on the date of the creation of audit records and documentation, or the date for which they were last in effect (whichever is later). Logs of system activity and records of security breaches are examples of information that must be available from audits within the six-year period.
Auditing is an important part of the Security Rule section of HIPAA, but is only a small part of what the rule addresses. Read our posts on authentication and data transfer.
Of the three main components of HIPAA (the Privacy Rule, Security Rule, and Breach Notification Rule) the Security Rule is particularly relevant to healthcare mobile app development. The majority of these applications, from patient portals to mhealth apps, store or transmit electronic protected health information (ePHI). It’s essential to keep this information safe, and the Security Rule has in-depth guidance on the extent to which this needs to be accomplished, but with a fair amount of flexibility as to the strategies for implementation.
Here, we decode the Security Rule as it applies to the patient portal and mHealth app development, specifically in regards to user authentication. In Part 2 of this series, we cover auditing, and in Part 3, we discuss issues related to data transfer, such as encryption and notifications.
What is an Appropriate Level of Authentication for Online Patient Access to Health Information?
During HIPAA compliant healthcare application registration, healthcare organizations need to set up procedures that verify the person’s identity requesting access to ePHI. There is a false belief that the only way to ensure the user is who they claim to be is for registration to be done in person, within the practice — aided by a staff member. While this is an option — considered outdated by some — it is not a HIPAA requirement. An alternative option is for a patient to provide an email address over the phone and receive an invitation to register for the healthcare mobile app platform. Providing your email address in person is considered more credible than most setup authentications on the web, where the email address is entered into a registration form. Patients could also register autonomously, also referred to as self-registration. While these two remote options are less secure than in-person authentication, they are preferred for convenience. Additional verification can be added by asking the patient challenge questions produced by a 3rd party such as IDology during registration.
A simplified registration process increases healthcare application use, such as a patient portal. And increased patient portal use results in improved patient engagement, more efficient patient appointment scheduling and cancellations, and enhanced treatment plan adherence.
At Bridge Patient Portal, one of the most common complaints made by healthcare organizations using other patient portals (typically bundled with their EHR vendor) is the cumbersome process patients must undergo to register.
Multi-factor authentication is defined as requiring a patient to produce more than one type of credential when logging into an application. The majority of logins only need a user to enter information such as a username and password. In multi-factor authentication, additional information is required such as a code on a card, security token, SMS message, and/or by direct verification of identity, like a fingerprint or challenge questions. As passwords and access to email accounts can easily be compromised, multi-factor authentication is growing in popularity for healthcare mobile app platforms. While the HIPAA Security Rule does not require multi-factor authentication, it is important to thoroughly consider its provisions on information access management and access control to determine how to best account for them in your HIPAA compliant healthcare application.
How Strong Do Passwords Need to Be?
More and more mobile app platforms now require users to adopt “strong” passwords. While HIPAA requires the use of passwords, there is no legal specification on password strength. Therefore, each healthcare organization can decide on password requirements during the application development phase. We recommend following the NIST Digital Identity Guidelines, which recommends that a password should be between 8 to 64 characters long, and all ASCII characters, including the space character, are acceptable.
It’s also essential that when a user creates or changes a password, it be tested against the following:
Passwords obtained from previous data breaches (One can check if an account has been compromised in a data breach on a website such as https://haveibeenpwned.com/.)
Repetitive or sequential characters (e.g. “aaaaaa” or “1234abcd”)
Context-specific words, such as the name of the service, the username, and derivatives thereof.
How Should Passwords Be Managed and Monitored?
HIPAA does include addressable implementation specifications on password management and login monitoring. Addressable means that an organization can decide to implement the specification as is, choose to put an alternate security measure or measures in place, or even — if the specification is not reasonable or appropriate to the particular entity — implement nothing. The key is that the decision and reasoning behind the implementation must be documented in written form, with in-depth consideration and appropriate justification demonstrated.
In this case, HIPAA stipulates that Covered Entities and Business Associates include several important features in their security awareness programs. One is to train staff on procedures for creating, changing, and safeguarding passwords. The other is that staff also learn how to monitor login attempts by external users and report any potentially problematic login activity, such as failed login attempts. Each organization needs to fully consider these addressable matters to plan, document, and implement its strategy.
What Are the Login Timeout Requirements, and How Does This Apply to a Personal Mobile Device?
HIPAA includes automatic logoff — when the application ends a user’s session after a specific period of inactivity — as another addressable implementation specification. However, the time to logoff is not stated. In choosing the number of minutes of allowed inactivity before a session is terminated, it’s essential to consider on what device and in what environment the application will be used. If you’re working with a mhealth app or HIPAA compliant messaging that will be used by patients on their phones anywhere they go, including crowded areas, a short time to logout of 2 to 3 minutes is advisable. However, if you’re working on the physician’s side of an application used in a private doctor’s office, a longer time to log out, like 10 to 15 minutes, is acceptable.
After a predetermined period of inactivity, a patient is required to re-enter their long-form, complex, secure password. Biometric authentication simplifies the login process and allows patients to seamlessly verify their identity through fingerprint or facial recognition technology before accessing the HIPAA compliant healthcare application.
We’ve only scratched the surface of the Security Rule. Check out Part 2 (HIPAA auditing) and Part 3 (encryption, servers, and notifications to patients).
Pablo architected and manages our HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting. He publishes a monthly cybersecurity newsletter which is shared with our clients.
Although healthcare IT has transformed over the years, patients have held the same expectation: to be in the care of a personable doctor who will communicate effectively and make health decisions that are in the patient’s best interest. However, doctors have constantly struggled to navigate the boundaries of a patient-doctor relationship and the use of new technology, unfortunately, could potentially complicate the issue. Below we discuss the Do’s and Don’t’s of doctor-patient interactions on online platforms. (more…)