HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a piece of legislation designed to protect confidential and sensitive healthcare information. Put as simply as possible, the goal of HIPAA is to limit who has access to an individual’s healthcare-related records, including medical history, the provision of healthcare, and the details of how that care is paid for.
For health insurance companies and other organizations involved in the healthcare industry, HIPAA calls specifically for regulation and compliance of document management processes. In particular, HIPAA-compliant organizations must take proper steps to secure and limit access to individual healthcare records and to follow rigid document retention rules. You can click here if you wish to read more about HIPAA compliance.
The Overlooked Side of HIPAA Compliance
The brief description above reflects how most organizations think of and approach HIPAA regulations. However, one often overlooked factor of HIPAA compliance is how these rules for health insurance regulation and compliance affect certain types of “informal communication”—namely, text messaging.
In 2013, Jon Jansen—the CTO of Doc Halo—wrote an engaging guest post for TechTarget, shedding some light on how text messages can play a role in affecting a healthcare organization’s HIPAA compliance. In the article, Jansen described a theoretical scenario where physicians leave the office and go home for the night, “turning the phones over to the call center for the night.”
Here, at this moment, is where text messaging can serve to ruin a health office’s HIPAA compliance. It used to be that physicians would have their call centers page them in the case of a patient update or emergency. Now, with pagers more or less a thing of the past, call centers will instead get in touch with physicians via cell phone. And instead of calling, they’ll do the thing that is closest to the old paging method: They will send text messages.
The good news is that updates to HIPAA have confirmed that mobile communications can be compliant with the law. This news is a relief because more and more physicians, health insurance companies, and other healthcare organizations are either receiving private health information in text message form or are using their mobile devices to access email accounts or document storage databases where that information is stored.
The bad news, however, is that the increased use of mobile devices to access private health data has created more risks and opportunities for that information to be compromised. Text messages, for instance, are not normally a secure form of communication, as most individuals use open cell networks where texts could feasibly be intercepted and read by unintended recipients. Meanwhile, emails sent via mobile devices on public Wi-Fi networks—or, for that matter, any web activity committed on a public Wi-Fi network—can be easily intercepted.
As such, text messages must meet specific requirements in order to be HIPAA-compliant.
How to Make Sure Texting is HIPAA Compliant
If your organization is seeking HIPAA compliance and you are worried about mobile platforms, first ask yourself the following questions.
- Do you send or receive sensitive patient information or other private health data via text message?
- Do you access sensitive patient information or other private health data via email or database on a smartphone or tablet?
If you answered yes to either of these questions, then you need to make sure your texting habits and mobile usage follow HIPAA’s guidelines for health insurance regulation and compliance. This post details the steps that must be taken to reach HIPAA compliance with text messaging. There is a lot of information to unpack in that article, but the main takeaway is that any text message containing private health information must be sent using a “secure texting” process.
The problem with the call center scenario described a few paragraphs up is that, in most cases, call centers are texting physicians over standard public cell phone networks. Most of us send texts via public cell networks every day, so the issue may not be obvious. Essentially, though, when you send a text through a public cell network, the carrier keeps a copy of the message on its servers. “Secure texting,” instead of using a public network, uses a secure virtual private network to send sensitive information. This method is preferable because:
1) the information is fully encrypted in transit, and
2) the message is stored locally on a private, secure server,
which makes it difficult for outsiders to access the information.
In addition, the administrator of a secure local network can control who has access to text message information, and can delete messages entirely if they are no longer relevant. In other words, secure texting essentially makes it possible for an organization to manage text messages, in the same way they would use a DMS to manage other types of files or data.
Healthcare clinics, hospitals, and contract nurses must all maintain HIPAA Compliance. Although many document management system vendors claim the ability to facilitate HIPAA Compliance, they have trouble pinpointing exactly how their systems reach this objective. Keep reading to discover how eFileCabinet facilitates HIPAA Compliance on a feature-by-feature basis.
The HIPAA Compliance Security Rule
Security alone does not equal compliance. Rather, the focus should be utilizing security to achieve compliance. Essentially, compliance is an outcome of security. So under full and proper use, eFileCabinet document management software ensures that all four technical safeguards under HIPAA’s Security Rule, as outlined below, are met by the following eFileCabinet features:
HIPAA Security Rule Technical Safeguard 1: Access Control
This safeguard defines access control as: “…the ability or means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”
eFileCabinet features that facilitate this: Role-based user permissions, file versioning
HIPAA Security Rule Technical Safeguard 2: Audit Controls
This safeguard defines audit controls as: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
eFileCabinet features that facilitate this: Audit trails, role-based user permissions, retention.
HIPAA Security Rule Technical Safeguard 3: Integrity Controls
This safeguard defines integrity as: “The property that data or information have not been altered or destroyed in an unauthorized manner.”
eFileCabinet features that facilitate this: automated file retention, data backup, role-based user permissions
HIPAA Security Rule Technical Safeguard 4: Transmission Security
This safeguard defines transmission security as: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
eFileCabinet features that facilitate this: SecureDrawer
The HIPAA Compliance Privacy Rule
Under proper use, eFileCabinet document management software facilitates the technological requirements for confidentiality codes and practices in healthcare for the HIPAA compliance Privacy Rule.
HIPAA Privacy Rule 1: Protected Health Information (PHI)
HIPAA states that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
Protected Health Information (PHI) is information, including demographic data, that relates to a patient’s past, present, or future health or condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual.
eFileCabinet features that facilitate this: Role-based user permissions, SecureDrawer, Versioning