One very common question among healthcare providers is about “HIPAA compliant” technology. For example:
- What email services are HIPAA compliant?
- Is text messaging HIPAA compliant?
- What cloud storage services are HIPAA compliant?
- Is a cell phone HIPAA compliant?
Kudos to the providers who ask these questions! They rightly recognize that some technology offers more security than others, and that HIPAA has security and privacy requirements.
“HIPAA Compliant” is more of a buzzword than a guarantee.
Neither the government nor any private entity certifies or approves technology as “HIPAA compliant.” Deciding whether or not a practice should use technology for storing or handling protected health information (PHI) depends on the processes and policies in the business.
The HIPAA rules do not endorse or require specific technologies that providers must use or that they may never use. Instead, covered entities must apply reasonable safeguards that protect against use and disclosure of PHI not permitted by HIPAA.
HIPAA does not prohibit the transmission of PHI by email. However, patient names and email addresses are among the 18 identifiers specified as PHI in the HIPAA Privacy Rule which must be adequately protected. While HIPAA requirements are somewhat vague, it would be difficult to argue that PHI sent via unencrypted email had reasonable safeguards in the event of an audit or investigation. Unless otherwise configured, all email including Gmail and Office 365 is unencrypted.
If sending PHI by any unencrypted email, three best practices include:
- Obtain written consent from the patient. Ask patients (or personal representative) for consent to send unencrypted email appointment reminders and/or other PHI. The consent form should make the signatory is aware of the risks of unencrypted email.
- Double-check the correct recipient address. Emails containing PHI should only be sent to individuals for whom the patient has given written authorization to receive that information.
- Encryption or equivalent safeguards must be used. A risk assessment will help the practice decide if encryption should be used. If the practice decides not to use encryption, an alternative and equivalent security measure must be used in its place, such as secure web portal. Vendors who advertise “HIPAA Compliant Email” also commonly use a web portal, so the patient receives a benign email to login to the web portal to read the message. As a reminder, be sure you have a signed Business Associate Agreement (BAA) with any email vendor.
Backup and Cloud Storage Guidelines
Cloud-based backup and storage — including Google Drive, Microsoft OneDrive, Carbonite, and online OMS/EHR systems — are widespread and commonly used to store PHI. Cloud services offer offsite storage physically distant from the practice and may offer user-friendly automatic backup.
If storing PHI in cloud storage, two best practices include:
- Only use vendors that sign a BAA. Google, Microsoft, and Carbonite are all vendors who will sign a HIPAA Business Associate Agreement (BAA). Not every service from a vendor may be covered by their BAA, so only use services covered by the signed BAA.
- Be careful about access controls and configurations. Even if a cloud vendor has strong security practices to protect PHI, providers still need to carefully configure and monitor who in the practice has access to the data. For example, not every staff member needs access to all PHI. When employees leave the company, their access to cloud storage should be terminated immediately.
Phone and Texting Guidelines
Like email, HIPAA does not specifically prohibit communicating PHI by smartphone or text messages; but, safeguards must be in place to ensure confidentiality. Control over texting — especially with smartphones — is more difficult than email because the business cannot limit, audit, or encrypt text messages from personal smartphones.
If sending any PHI by text messages, two best practices include:
- Obtain written consent from the patient. Ask patients (or personal representative) for consent to send text message appointment reminders and/or other PHI. The consent form should make the signatory is aware of the risks of text messages.
- Consider digital alternatives. Services such as Google Voice and Skype offer voice and text capabilities. These services can be used from a standard computer, provide access and audit controls, and the providers will sign a BAA.
Finally, if an individual uses a smartphone to access PHI, ensure appropriate physical, administrative, and technical safeguards are in place. These safeguards help protect the confidentiality, integrity, and availability of PHI. A full-executed BAA must be in place with any third party service providers. Check out Designer Security’s 7 steps to safer smartphones with step-by-step videos.