By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author
No, there isn’t such a rating system, but it might be something to consider. There are many different communication platforms that healthcare providers can use to communicate with each other, such as email, instant messenger systems, and even through social media sites. While these platforms can be very useful for communicating quickly and easily, they can also unintentionally expose PHI if they aren’t properly configured.
The Health Insurance Portability and Accountability Act (HIPAA) requires that all healthcare organizations ensure the privacy of their patient’s protected health information (PHI). For example, if an email is sent to the wrong person, PHI is compromised. If an instant message conversation is left open on a shared computer where others can see it, PHI may be compromised. If someone accesses protected health information through social media sites like Facebook or Twitter they are violating HIPAA security rules and regulations.
A New Way of Seeing Patients
During the pandemic, telehealth usage skyrocketed. In this once emerging but now omnipresent method, doctor and patient consultations are conducted via video. As we rushed to provide care for many people and do that in a safe way for everyone, ensuring that your software was HIPAA compliant wasn’t necessarily a top priority. As a result, the U.S Department of Health and Human Services (HHS) made provisions regarding HIPAA enforcement within the realm of the telehealth platform.
In that announcement, they Identified a list of vendors that “represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA”. While the vendors were not reviewed or endorsed by the Office for Civil Rights (OCR), they were provided as options for healthcare providers to consider. They included:
- Skype for Business / Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- GoToMeeting
- Spruce Health Care Messenger
When we investigated the more recognizable names that were on this list, most noted that they were not HIPAA compliant out of the box, but that when proper measures were taken, they would be within compliance.
Now as we settle into the new normal, HHS states that you need to understand the technology that is being used and how it works. Next, you must determine which technology will be most suitable for your practice and whether it can meet HIPAA requirements. Additionally, it is also important to know who can access your technology and whether it has the capability to monitor which individuals are using it. And you should always consider how employees will be trained in using this technology. If you are using a communication platform that is not HIPAA compliant, your PHI may be at risk. Make sure to properly configure your communication platforms and understand the risks associated with using them before sending or exposing any PHI.
Be sure to understand your organization’s security risks when choosing a communication platform that can work within HIPAA compliance.
This article was originally published on HIPAA Secure Now! and is republished here with permission.