
StratX IT Healthcare Blog


Protecting ePHI—is HIPAA-compliant e-mail enough?

January 20, 2017 by StratX IT


The HHS Office for Civil Rights breach portal (the “wall of shame”) records that exposures attributed to “non-compliant e-mail” rose 1,500% between 2013 and 2017. That figure does not include the hundreds of thousands of records exposed through unauthorized access that started with ePHI being transmitted unprotected.

We rely on technology to transmit information in every part of our lives, including work, and the reality is that most of what we send is not protected. Some methods, like SMS texting, were never designed to be confidential; others, like e-prescribing networks, were designed with security in mind from the start. The methods that were not built secure from the outset have a lot of catching up to do.


Reality check

Let’s take a step back and look at all the ways doctors and staff communicate with each other, with patients, and with the outside world. Reviewing how we communicate lets us identify the methods we can safeguard and train staff to avoid the ones we cannot.

E-mail

E-mail is a way of life. There is no HIPAA certification for e-mail products; what the Security Rule requires is that ePHI be protected in transit (its transmission security standard names encryption as an addressable specification) and that any vendor handling ePHI on your behalf sign a business associate agreement (BAA). In practice that divides e-mail services into two groups: those that can be contracted and configured to meet those requirements, and those that cannot.*

  • E-mail between staff on your practice’s own server, which never leaves the network behind your firewall, is the lowest-risk case. It is only as secure as that server, though: it must be patched, limited to authorized accounts, and reached by mail clients over TLS rather than plain IMAP, POP, or SMTP.
  • E-mail containing ePHI sent to an address on another organization’s server or cloud is NOT protected by default. Delivery between mail servers uses opportunistic TLS at best, which silently falls back to cleartext, and the message is readable on every server it passes through. You need a secure messaging service that either encrypts the message itself (for example with S/MIME) or holds it and requires the recipient to log in to a secure portal to read it.
  • Consumer webmail (AOL, Yahoo, personal Gmail) is NOT acceptable for ePHI. The connection from your device to the provider is normally TLS-encrypted, so an encrypted device is not the issue; the problems are that the provider can read and retain the message, that onward delivery is opportunistic, and that these providers will not sign a BAA. The business editions of Google’s and Microsoft’s mail (G Suite, Office 365) can be covered by a BAA, but only once the practice signs one and configures the tenant for enforced TLS or message encryption, access control, and retention.
  • Unless you have contracted an e-mail service under a BAA and configured it for encrypted delivery, assume that it is NOT compliant.
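The four cases above amount to a routing rule: ePHI may travel inside the practice, to a partner covered by a BAA over an enforced-TLS connection, and to anyone else only by way of a secure portal. As an added example (not code from the StratX post), here is that rule written as a small outbound-gateway policy check in Python. The domain names, sample messages, and the three PHI regexes are constructed for illustration and the patterns are deliberately crude; a real classifier needs the full list of identifiers and human review. It assumes the gateway already enforces TLS for the listed partner domains (that enforcement is configured elsewhere, not verified here) and that the portal’s pickup notice echoes the subject line, which is why a subject containing ePHI is blocked rather than redirected.

```python
"""Outbound e-mail policy check for ePHI.

Added, illustrative example: a mail gateway calls route_message() for each
outbound message and gets back DELIVER, DELIVER_TLS_ONLY, PORTAL or BLOCK.
The policy domains, PHI regexes and sample messages are constructed for this
example and do not come from any real practice.
"""
import re
from dataclasses import dataclass

# Crude ePHI indicators. HIPAA lists 18 identifier types; these three only
# catch mechanically formatted ones and will miss free-text PHI such as a
# patient name next to a diagnosis. Treat them as a floor, not a classifier.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

DELIVER = "deliver"                    # no ePHI, or ePHI staying inside the practice
DELIVER_TLS_ONLY = "deliver-tls-only"  # partner under a BAA; gateway enforces TLS
PORTAL = "redirect-to-secure-portal"   # anyone else gets a pickup notice, not the ePHI
BLOCK = "block"                        # ePHI in the subject would leak via the notice


@dataclass(frozen=True)
class Policy:
    internal_domains: frozenset     # the practice's own mail domains
    baa_partner_domains: frozenset  # partners with a signed BAA and enforced TLS


def find_phi(text):
    """Return the sorted names of the PHI patterns that match `text`."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def route_message(recipients, subject, body, policy):
    """Decide how an outbound message may leave the gateway.

    Returns (decision, indicators). The strictest recipient wins: one external
    address is enough to send the whole message through the portal.
    """
    indicators = find_phi(subject + "\n" + body)
    if not indicators:
        return DELIVER, indicators
    domains = {domain_of(r) for r in recipients}
    if domains <= policy.internal_domains:
        return DELIVER, indicators
    if domains <= policy.internal_domains | policy.baa_partner_domains:
        return DELIVER_TLS_ONLY, indicators
    # Assumption for this example: the portal notification repeats the subject
    # line in clear e-mail, so a subject carrying ePHI cannot be redirected.
    if find_phi(subject):
        return BLOCK, indicators
    return PORTAL, indicators


if __name__ == "__main__":
    # Constructed sample policy and messages.
    policy = Policy(frozenset({"clinic.example"}), frozenset({"lab.example"}))
    samples = [
        (["nurse@clinic.example"], "follow-up", "Pt MRN 0012345 needs a call"),
        (["results@lab.example"], "rerun panel", "Patient SSN 123-45-6789"),
        (["patient@gmail.com"], "your results", "Labs normal. DOB: 01/02/1970"),
        (["referral@other.example"], "MRN: 998877", "See attached"),
        (["frontdesk@clinic.example"], "lunch", "Noon?"),
    ]
    for rcpts, subj, body in samples:
        decision, hits = route_message(rcpts, subj, body, policy)
        print(f"{rcpts[0]:28} {decision:28} {hits}")
```

The check runs on the gateway, not on the user’s client, so it applies regardless of which device or mail app the message came from; the same routing table is what a commercial secure-messaging product implements behind its “send securely” button.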

Patient Portals

Patient portals are built for HIPAA from the start: a message stays inside an application that requires the patient to log in and is served over HTTPS, so it never travels as ordinary e-mail. That does not excuse you from vetting the vendor. Confirm a signed BAA, that the site enforces HTTPS on every page, that multi-factor authentication is available for staff accounts, and that it keeps audit logs of who viewed which record.

  • Communication with patients through your portal is considered HIPAA compliant, and the e-mail notification it sends should carry nothing but a prompt to log in, never the message content or the patient’s condition.

Remote network connections

Working from another location like home or the hospital requires a protected path into the practice network. Log in through a virtual private network (VPN) so that everything between your device and the practice is encrypted and authenticated, protect the VPN login with multi-factor authentication, and never expose remote desktop or the EHR login page directly to the Internet. There are many services that provide this kind of connection, and your healthcare IT provider should be able to set up your remote access.

Business solutions like eFaxing, e-prescription services, and medical device interfaces

These tools exchange data with outside parties and need a protected way to do it. Just like remote work, they must use encrypted, authenticated connections (TLS with certificate validation rather than plain HTTP or FTP) so that the information stays private in transit, and each outside party that receives ePHI through them, the eFax provider included, needs to be covered by a BAA.

Texting (or not to text)

Texting is a touchy subject because even if your phone is “secure,” the built-in text (SMS) app is NOT. SMS was never designed to be confidential: there is no end-to-end encryption, the carriers can read and retain every message, and the full history sits on both handsets, so a lost or borrowed phone exposes all of it. Cell providers do not offer an encrypted SMS option. We know it is easier to text your nurse or office manager a quick note about the next appointment or a patient follow-up, but it is not a secure method of communication.

The easy answer is to say that until there is a fail-safe, HIPAA-compliant texting solution, just don’t text; but we know that’s not realistic. If your staff insists on texting:

  • Set a “Secure Texting Policy” that prohibits ePHI in SMS: no patient names paired with diagnoses, results, medications, or appointment reasons.
  • Require that any text containing ePHI be sent and received through a messaging app that encrypts messages end to end, supports remote wipe, and is covered by a BAA. The recipient will only receive the message if they are enrolled in the same app, but the message is then protected both in transit and on the device.

E-mail is a basic tool in running a practice, and a secure e-mail product contracted under a BAA and configured for encrypted delivery will ensure that your transmissions are both compliant and protected. Without one, the number of breaches traced to e-mail will keep growing as long as staff keep using options that are not secure. Protecting ePHI when you communicate IS possible when you use secure e-mail, VPN-protected remote connections, and patient portals, all of which your IT service provider can help you with; as for texting, proceed with caution.

* HIPAA defines PHI as health information about an individual that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers such as name, address, birth date, and Social Security number.
