By Morris W. Stemp, CPA, MBA, CPHIMS, June 02, 2014
Many practices rely on fax to send documents to patients, insurance companies, and referring doctors. Practices also use the messaging capabilities built into many EHR systems. But in this fast-paced world, these communication modalities are limited. They don’t facilitate two-way communications and they require the recipient to be at a specific location to receive the message.
So health care providers directly communicate and save time by sending clinical information, both to other providers and to patients, using various messaging systems conveniently available on smartphones, laptops, and desktop computers. The options are numerous, but many providers do not realize, or ignore the fact, that many of the communication channels they use are not HIPAA compliant.
On the HHS.gov website, one of the answers to a frequently asked question about the HIPAA Privacy Rule of 2000 specifically addresses the issue of sharing protected health information (PHI) for treatment purposes via “phone, fax, e-mail or otherwise.” The answer describes that these communications are permitted as long as “reasonable safeguards” are in place to protect the information from inappropriate use or disclosure.
The HIPAA Security Rule of 2009, which became law nine years after the Privacy Rule, continues to allow communication of PHI via electronic means but added additional clarification to the interpretation of “reasonable safeguards.” The Security Rule specified that a practice is required to implement “administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all ePHI that it creates, receives, maintains, or transmits.”
One of the specified technical safeguards is the requirement [according to 164.312 (a)(2)(iv)] to implement a mechanism to encrypt and decrypt ePHI. This requirement is considered “addressable” which means the requirement must be implemented unless the practice can implement an alternative measure or determines that encryption is not necessary to protect ePHI and specifically documents the reasons why.
Based on the Security Rule, it is clear that standard, open email and text messaging protocols do not meet the requirement for technical safeguards in general and specifically the addressable requirement for encryption. However, there are many effective, efficient, and affordable HIPAA-compliant options for sending electronic communications.
The problem with standard text messaging
Do U text? Sending a text message is fast and direct and facilitates conversational style interaction. However, sending SMS (Short Message Service) text messages is not HIPAA compliant for the following reasons:
- SMS messages are not encrypted.
- There is no PIN or password required to access SMS applications, which enables messages sent by text to be read by anyone, not just the intended recipient.
- It is possible for senders to erroneously send a text to a wrong recipient potentially breaching a patient’s privacy or exposing PHI.
- Messages may also be forwarded to anyone (without the sender knowing).
- The messages remain on the sender’s and receiver’s phones. It is possible to delete the message but it remains in the phone’s storage. It is not possible to wipe SMS messages from a device without wiping the entire device.
- SMS offers no way to track when each message is opened, when it is responded to, and what the response is, even though messages about patient care should be tracked just like the audit trail in an EHR.
In addition to the lack of privacy, it is not possible to confirm that the message has been received and read, so sending urgent information is also risky in regard to patient care. Messages related to patient care should demand the recipient’s attention and be acknowledged, not be mixed in with messages from family and friends where they might be overlooked, or delayed due to the volume of competing messages.
HIPAA-compliant text messaging alternatives
There are several third-party messaging systems which incorporate a number of security and workflow features to make the communications HIPAA compliant. They encrypt communications, authenticate the recipient of the message, and provide an audit trail. These systems may be used as an app on a smartphone or tablet, or accessed via the Internet on a computer. Unlike SMS text messaging, these systems require a cellular or Wi-Fi Internet connection. The systems allow the sending of encrypted text messages, reports (such as lab results), and photos, and let users know instantly who has read the message and when. Some also allow calls and video chat.
Some of these apps allow the user to set the message lifespan and offer message archiving, PIN-lock, and remote wipe. Some also allow exporting attached documents to your EHR.
Some apps are designed specifically for enterprise use to enable care teams to easily collaborate and make decisions about diagnoses and treatment. They boost efficiency and improve care transitions by allowing communication in real time. These enterprise apps include TigerText, Imprivata Cortext, Doc Halo, qliqSOFT, HipLink, and Amscom Software.
Some apps are designed for small physician practices to instantly share information with colleagues, such as Imprivata, HIPPOmsg, HipaaChat, and docBeat. There are also apps which enable secure texting with patients and caregivers in addition to messaging between providers. These include Pingmd and Diagnotes.
Why email is not HIPAA compliant
Email is one of the most non-secure methods of sending PHI. Sending appointment confirmations (with no information regarding the type of visit) is permissible by regular email due to the fact that there is no PHI. However, sending messages containing PHI by regular email has many of the same HIPAA compliance issues as sending text messages.
- Once a person is logged in to use email, the email messages can be read by anyone and forwarded to anyone.
- Emails might be sent to the wrong email address.
- There is no way to authenticate that the intended recipient opened and read the email.
- If either the sender or the receiver has an email archiving service in place, the PHI contained in the email is stored in a digital archive. This means that the email administrator can view the message without the sender or receiver knowing of the breach.
HIPAA-compliant email alternatives
There are five HIPAA requirements related to email.
- Access controls limit access to specific personnel.
- Audit controls record activity in systems that contain PHI and require user identification, an emergency access procedure, an automatic logoff process, and an encryption/decryption process.
- Integrity protects ePHI from alteration or destruction.
- Person or entity authentication verifies that the person accessing ePHI is the one claimed.
- Transmission security requires guarding against unauthorized access to ePHI being transmitted electronically.
It is possible to send ePHI securely via email by using an encrypted email service. When an encrypted email is sent, the encryption system holds the message in an encrypted state while it sends an unencrypted email to notify the recipient of the message. In order to download the message, the recipient needs to click on the link in the email and log in to a secure Web page. HIPAA-compliant encrypted email services have several security settings for sending ePHI, such as requiring secure logins with strong passwords, only permitting forwarding over the secure platform, and requiring a session timeout after a period of inactivity.
It is necessary to take appropriate safeguards even when sending encrypted email. It is still possible that a breach might occur if the encrypted email is sent to the wrong email address. The recipient might not know that the email was not intended for him and might log in to view it.
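The flow described above (message held encrypted, a notification email that carries only a link, an authenticated login, an idle-session timeout, and an audit trail of who opened what and when, which is also what the secure messaging apps in the earlier section provide) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from any of the services named in the article. The portal address, the 15-minute timeout, the account names and the lab-result text are constructed for the example; the one-time-pad cipher stands in for whatever cipher a real service uses, and the HMAC-chained log stands in for its audit subsystem.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this illustration, not figures from the article.
SESSION_TIMEOUT_SECONDS = 15 * 60
PORTAL_URL = "https://portal.example/m/"   # hypothetical portal address


class SecureMessageService:
    """Toy model of a notification-link encrypted email service with an audit trail."""

    def __init__(self, audit_secret: bytes):
        self._audit_secret = audit_secret
        self._accounts = {}    # email -> (salt, PBKDF2 password hash)
        self._messages = {}    # message token -> (recipient, ciphertext, one-time key)
        self._sessions = {}    # session id -> (email, last activity time)
        self.audit_log = []    # list of (entry, mac); each MAC also covers the previous MAC

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[email] = (salt, digest)

    def login(self, email: str, password: str, now: float):
        """Return a session id on success, None otherwise; both outcomes are audited."""
        record = self._accounts.get(email)
        ok = False
        if record is not None:
            salt, expected = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            ok = hmac.compare_digest(expected, candidate)
        if not ok:
            self._audit(f"login_failed user={email}", now)
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[session] = (email, now)
        self._audit(f"login user={email}", now)
        return session

    def send(self, sender: str, recipient: str, plaintext: str, now: float) -> str:
        """Store the message encrypted; return the notification that goes over plain email."""
        data = plaintext.encode()
        key = secrets.token_bytes(len(data))             # one-time pad key, never reused
        ciphertext = bytes(a ^ b for a, b in zip(data, key))
        token = secrets.token_urlsafe(32)
        self._messages[token] = (recipient, ciphertext, key)
        self._audit(f"sent from={sender} to={recipient} msg={token[:8]}", now)
        # The notification carries no PHI at all, only the link to the portal.
        return (f"To: {recipient}\nSubject: You have a secure message\n\n"
                f"Log in to read it: {PORTAL_URL}{token}")

    def read(self, session: str, token: str, now: float):
        """Decrypt for the authenticated recipient only; idle sessions are expired."""
        entry = self._sessions.get(session)
        if entry is None:
            self._audit(f"read_denied msg={token[:8]} reason=no_session", now)
            return None
        email, last_active = entry
        if now - last_active > SESSION_TIMEOUT_SECONDS:
            del self._sessions[session]
            self._audit(f"session_expired user={email}", now)
            return None
        message = self._messages.get(token)
        if message is None or message[0] != email:
            self._audit(f"read_denied msg={token[:8]} user={email}", now)
            return None
        _, ciphertext, key = message
        self._sessions[session] = (email, now)          # activity refreshes the timeout
        self._audit(f"opened msg={token[:8]} user={email}", now)
        return bytes(a ^ b for a, b in zip(ciphertext, key)).decode()

    def _audit(self, event: str, now: float) -> None:
        """Append an entry whose MAC chains to the previous one, so edits are detectable."""
        prev = self.audit_log[-1][1] if self.audit_log else b""
        entry = f"{now:.0f} {event}"
        mac = hmac.new(self._audit_secret, prev + entry.encode(), hashlib.sha256).digest()
        self.audit_log.append((entry, mac))

    def verify_audit_log(self) -> bool:
        prev = b""
        for entry, mac in self.audit_log:
            expected = hmac.new(self._audit_secret, prev + entry.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


def demo() -> dict:
    """Constructed walk-through: send, notify, log in, read, time out, then tamper with the log."""
    svc = SecureMessageService(audit_secret=secrets.token_bytes(32))
    svc.register("dr.lee@clinic.example", "long passphrase for the example")
    phi = "Lab result for patient 12345: A1c 7.9%"          # constructed sample ePHI
    notice = svc.send("dr.kim@clinic.example", "dr.lee@clinic.example", phi, now=1000.0)
    token = notice.rsplit("/", 1)[1]
    session = svc.login("dr.lee@clinic.example", "long passphrase for the example", now=1001.0)
    first = svc.read(session, token, now=1002.0)
    late = svc.read(session, token, now=1002.0 + SESSION_TIMEOUT_SECONDS + 1)
    intact = svc.verify_audit_log()
    # Rewrite the login entry in place, as someone hiding their access might try to.
    svc.audit_log[1] = ("1001 login user=someone.else@clinic.example", svc.audit_log[1][1])
    return {"notice": notice, "phi": phi, "first": first, "late": late,
            "intact": intact, "tampered_detected": not svc.verify_audit_log()}
```

Running `demo()` shows the properties the article asks for: the notification email contains none of the message text, only the authenticated recipient can decrypt it, a session idle for longer than the timeout is refused, and any alteration of an audit entry breaks the MAC chain. The wrong-address case in the paragraph above is exactly what this model cannot catch: if the account named in `send` is the wrong person, that person still authenticates successfully, which is why address verification remains a procedural safeguard.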
Some of the companies that provide encrypted email services that allow you to send and receive secure email, even directly from Microsoft Outlook, include ZixCorp and Neocertified.
Discussing patients or patient-identifiable information on social media sites, such as Facebook, LinkedIn, and Twitter, is definitely a breach of privacy and thus not HIPAA compliant. However, there are now secure social networking tools designed exclusively for physicians and health care professionals.
Doximity is a free, doctor-driven, private, online medical network that enables you to look up any physician or medical student in the U.S. so you can connect with colleagues, old classmates, and referrers. Its physician network doubled in size last year to 250,000 members, more members than even the American Medical Association. It enables physician-to-physician messaging, secure case collaboration, and HIPAA-compliant faxes.
Compliance issues related to standard faxing
Many medical practices still send patient information via fax. The fax machine was invented in 1843 and became a common method of transmitting images in American businesses in the late 1980s. While this method of sharing information is permitted under the HIPAA Privacy Rule, it is not a secure method of communication for the following reasons:
- Regular fax transmissions take place over phone lines which are not secure.
- Faxes are often left on the fax machine after they arrive, enabling sensitive information to be viewed by anyone walking by the machine.
- Fax machines may store copies of received faxes, which make it possible for anyone to print out additional copies of the faxed information.
- The printed messages, like paper charts, do not have an audit trail.
- Received faxes or documents being sent by fax may be placed in an unsecure location that can be accessed by anyone.
- If the phone number is not dialed correctly, the fax communication will not be received by the intended recipient and the patient information may be disclosed to someone else.
A more secure fax
It is best to avoid using faxes if the information can be sent by a more secure method. However, it is possible to mitigate the risk of fax communications by using reasonable safeguards including:
- Place the fax machine in a location only accessible to office staff.
- Configure the fax machine not to save copies of sent or received faxes.
- Always use a cover sheet to conceal the first page of a sent fax to prevent passers-by from viewing the message.
- Use saved speed-dial numbers to send messages to frequent recipients to prevent mis-dialing the number.
- For new recipients, verify the number by sending a test fax before sending the message containing PHI.
- Have company policies for how to deliver, store, and dispose of received faxes, as well as regarding the actions to take if a fax containing PHI is sent to the wrong number.
- Be sure to include the use of fax, and how you are mitigating the risk, in your risk analysis.
There are companies that offer HIPAA-compliant “Secure Fax” services. In reality, these services actually provide a secure portal to upload a document (file), then notify the intended recipient (via email) of the document to allow the recipient to download the file. These systems also provide an audit trail of all activity. While called a “fax,” there is no fax transmission in any phase of the document delivery process. Some of the companies that offer this type of service are eFax Corporate, Sfax, InterFAX, and Innoport, as well as the doctors’ social network Doximity. There are also enterprise fax solutions such as OpenText.
EHR communication options
A secure and modern method by which health care providers can send information to both patients and other providers is by using the messaging features within the EHR system. Providers can communicate with patients through the patient portal, they can send orders to other providers via computerized physician order entry (CPOE), and they can send prescriptions to the pharmacy through their EHR. In addition, providers can share information with other medical providers by participating in a Health Information Exchange.
An added benefit to communicating with patients via the patient portal is that patient engagement via the portal is required under meaningful use stage 2.
There are several options for sending secure messages using your mobile device via instant messaging services and encrypted email. There are also options for sending secure messages using your computer via encrypted email, Web-based fax, and EHR communications. To be HIPAA compliant, the companies that provide these services should sign a Business Associate Agreement (BAA) with your practice. In addition, there may be ways to mitigate the risks if you choose to use other methods of communication.
Not using secure communications can result in a HIPAA violation. Each unsecured communication is considered a single violation of HIPAA and can result in a fine of up to $50,000. Repeat violations can add up to the maximum penalty of $1.5 million in fines for identical violations each year. In addition to the risk of exposure of your patients’ most sensitive information, sending unsecured communications can damage your medical practice’s reputation. There are so many options available to communicate using a HIPAA-compliant platform. Why put your patients’ privacy and your practice at risk?