The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to create national standards for guarding patients’ sensitive protected health information (PHI). The government takes HIPAA very seriously, and violations can result in large fines, reputational losses, and even jail time.
HIPAA’s rules are deliberately technology-neutral and rather general, leaving it to individual practices and their business associates to determine what specific steps they need to take to ensure compliance. Hospitals, clinics, and other healthcare practices must find ways to protect sensitive data without disrupting their organizations’ efficiency, which usually means relying on various communications technologies. Read on to find out what it takes to keep a medical practice’s communications HIPAA-compliant.
Most healthcare facilities send and receive multiple faxes every day, but old-fashioned faxing is notorious for creating unintentional HIPAA violations, most often through a misdialed number or pages left sitting on a shared machine. The best solution for sending a HIPAA-compliant fax is to move to a more secure channel, such as a cloud faxing service. Choose a service that serves the healthcare industry (fax-to-email delivery is a common option), that will sign a business associate agreement (BAA), and that can explain what steps it takes to protect PHI in transit and at rest.
Technically, conventional faxing does not always violate HIPAA. If providers limit faxed content to the minimum necessary information, put safeguards in place to prevent unauthorized access (confirming the destination number before sending and keeping the machine out of public areas, for example), conduct regular risk assessments, and dispose of any faxes containing PHI once they are no longer needed, they may continue to send and receive conventional faxes. Cloud faxing is still the safer alternative.
Some patients prefer to receive emails about their care, which can make things difficult for clinical practices. Email is not banned by HIPAA’s Security Rule, but any system used to send PHI by email must satisfy the rule’s technical safeguards. To be HIPAA compliant when sending emails, facilities must:
- Implement access controls
- Implement audit controls
- Implement integrity controls
- Implement person or entity authentication
- Ensure transmission security (encryption in transit)
Some entities have argued that encryption alone is enough to ensure HIPAA compliance. Encryption addresses transmission security, but it does not by itself satisfy the authentication or audit control requirements, and it does nothing to stop a message that is sent to the wrong address. Organizations that want to use email to communicate with patients must take all of these precautions to avoid HIPAA violations.
HIPAA-Compliant Text Messaging
HIPAA does not mention text messaging by name, but ordinary SMS messages are unencrypted, retained by carriers, and readable by anyone holding the phone, so sending PHI by regular text generally fails the Security Rule’s transmission security and access control requirements. There are exceptions. If a practice has obtained a properly signed consent form and is sending information directly to the patient, it may be acceptable to text certain types of PHI. The person sending the text should document the patient’s consent and the context of the message, because civil penalties can reach $50,000 per violation, and each improper message can be counted as a separate violation.
The more compliant alternative is to send encrypted messages through a HIPAA-compliant secure texting app, which the patient must also install. Messages are then transmitted over cellular data or Wi-Fi inside an encrypted channel rather than as plain SMS.
HIPAA-Compliant Appointment Reminders
Even appointment reminders contain PHI, because they reveal that a named person is a patient of a particular provider. The Privacy Rule permits reminders, but providers should disclose no more than necessary, especially in a voicemail or on a shared answering machine. Most leave only their name, a callback number, and whatever is needed to confirm the appointment.
These days, most practices send automated appointment reminders to reduce employee busy work. Automated reminders are fine, but keep the content minimal regardless of how they are sent: the appointment date and time, the provider’s or practice’s name, and the location. Leave out the reason for the visit, test results, and any diagnosis, and give patients a way to opt in to reminders on their preferred channel.
Patient Portals and HIPAA Compliance
Most practices adopted patient portals to meet the Meaningful Use requirements of the federal EHR incentive programs (a HITECH initiative, not part of HIPAA itself). The portals are still subject to all HIPAA rules and regulations. Because they inherently contain a lot of PHI and are reachable from the internet, patient portals are often the largest security risk in a practice’s communications plan.
The good news is that medical practices are only responsible for mitigating risks on their end. They must use sufficient security measures to guard the portal against unauthorized use, restrict access to the records systems, and log who accesses what, but they are not responsible for protecting a patient’s login credentials once those have been handed to the patient. If a patient’s data is exposed because the patient chose a weak password or shared it, the organization that runs the portal will not be held in violation of HIPAA on that account, provided its own safeguards were adequate.
Communicating With Other Practices
Healthcare providers need to be able to communicate with a patient’s other care providers even when they work for different practices. HIPAA regulations can make it challenging to share medical records and other relevant information with additional providers without risking violations. Although the Privacy Rule allows providers to share PHI for treatment purposes, even without patient authorization, they must apply reasonable safeguards while doing so.
Doctors can communicate PHI to other providers in writing, orally, via email, fax, or by phone, but they must apply reasonable safeguards. Appropriate safeguards vary by communication method but may include avoiding the in-person discussion of PHI in public places, using HIPAA-compliant third-party providers for fax and email services, or confirming numbers first to ensure that information is going to the right recipients.
PHI Communication and Data Breaches
In addition to requiring healthcare facilities to safeguard PHI, HIPAA also dictates how covered entities handle breaches. The Breach Notification Rule requires hospitals, clinics, and other covered entities to notify affected patients and the US Department of Health and Human Services (HHS) when unsecured PHI is used or disclosed in a way the Privacy Rule does not permit. A treatment disclosure to another provider is permitted and is not a breach, and PHI encrypted in line with HHS guidance is not “unsecured,” so a lost encrypted laptop may not be reportable at all. Individual notices must go out without unreasonable delay and no later than 60 days after the breach is discovered. If the breach affects more than 500 people, the provider must notify HHS at the same time and also notify prominent media outlets serving the affected area; smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity so that these clocks can start.
In an ideal world, no healthcare provider would ever have to deal with a data breach. Unfortunately, even the best security plan can be compromised, so it is wise to have a breach response plan in place that covers investigation, the risk assessment used to decide whether an incident is reportable, and the notification deadlines.
HIPAA Compliance Protects Patients and Providers
Ensuring HIPAA compliance in all communications protects both patients and healthcare providers. Patients can rest easier knowing that the people responsible for providing their care are taking their privacy seriously. Providers can avoid costly fines and damage to their reputations. When hospitals, clinics, and other medical facilities take patient privacy and HIPAA regulations seriously, everyone wins.