Being available to your patients 24/7 isn’t practical for most healthcare practices. Chat services can provide a response option or even resolution until normal business hours resume. Additionally, chats can offer initial patient care or registration services. As a HIPAA-covered entity or business associate, you must consider compliance when offering this service.
Since HIPAA was designed to protect patient confidentiality and ensure that PHI (Protected Health Information) is secure and treated with sensitivity, all patient interactions must be compliant. That includes chat services.
As with any business associate relationship, you should have a BAA contract (Business Associate Agreement) in place with the vendor who provides chat services. This formal contract will offer you a guarantee that your vendor adheres to the policies and obligations of HIPAA.
HIPAA requires data availability, and that includes chat transcripts. Review any service level agreement (SLA) text that indicates uptime and backup details. You will need to understand and have facts that pertain to the data center provider as well. That means knowing whether it is a public, private, hybrid, or on-premises location. The data center should have robust security measures in place. Ask about any previous data breaches and any lost or compromised situations that the company has experienced. If information is stored in the cloud, inquire about any additional third-party vendors that are part of the process. Verify encryption of the data while in transit as well as when ‘at rest’. You must also verify that your patient data does not leave the United States.
Who Has Access?
HIPAA puts specifications around who can see or access patient data. That means that the minimum necessary information should be available to a patient-provider in order to do their job. A chat service that is HIPAA compliant would offer different roles or permission levels per user. One chat agent shouldn’t have access to another chat agent’s files and conversations unless necessary within their role. There should be audit controls in place to log who had access to any information. That data should be archived, logged, and easily accessible when necessary. Additionally, messages or chats with PHI should go to the intended recipient ONLY. This should be taken into consideration with chat transcript options.
You should regard these considerations as guidelines, for they are only part of the equation. When obtaining and maintaining compliance, it is critical that you review with a company like HIPAA Secure Now to ensure that you are mitigating your cybersecurity risk as well as meeting the guidelines of HIPAA.
This article was originally published on HIPAA Secure Now! and is republished here with permission.