Does HIPAA Allow Organizations to Use IM for Patient Information? The Answer is Complex
August 05, 2015
By Tracey E. Schelmetic
TMCnet Contributor
While the security of patient data has always been (or should have always been) an issue for medical professionals, legislation such as the Health Insurance Portability and Accountability Act (HIPAA) set regulations regarding the responsibilities of care providers and anyone with third-party access to the information (i.e., insurance companies) when it comes to keeping private data secure. Now that more and more organizations are moving to electronic health records (EHR) or electronic patient health information (E-PHI), keeping this information secure becomes an even bigger challenge. While electronic patient information is groundbreaking in that it can be the foundation of better standards of patient care – information isn’t missed when a patient seeks care from a new source – it’s also becoming something of an administrative and security headache.
One of the biggest security challenges comes in the form of multichannel communications media. Healthcare workers aren’t simply speaking by telephone: they’re sending e-mails, they’re PDFing reports and images, they’re communicating via mobile devices, and they’re using chat and instant messaging to share information. Has your organization ensured that every communications channel in your organization meets HIPAA standards? Plugging these leaks could be the difference between security and big government fines. Many popular enterprise communications apps simply don’t cut it, according to a recent blog post by Darlene Jackson of ISI Telemanagement Solutions, Inc.
“With respect to any messaging application, including Cisco Jabber IM, you are absolutely not compliant with HIPAA standards when transmitting E-PHI and your organization will need to implement a compliance solution, such as a recording platform with ethical wall, while using Cisco Jabber IM, to maintain HIPAA compliance,” she wrote.
“Ethical wall” refers to the idea that in healthcare and some other industries, companies must record, save, verify, audit, control, secure, and maintain the integrity of the voice, IM and video recordings captured while doing business in a way that ensures that the recordings are intact and haven’t been tampered with, or that they are accessible only to those individuals in a company who are permitted to use them.
“Although there is nothing in HIPAA that says you cannot transmit E-PHI using IM, the security rule gives an outline for behavior if you choose to engage in IM with E-PHI,” wrote Jackson. “The guiding principles here are technical measures that need considering before messaging E-PHI.”
Companies that transmit confidential information via IM should look for a solution that offers unique user identification, so IMs can be traced to individuals; automatic logoff, so unauthorized personnel cannot pull information from an idle computer; encryption and decryption; auditing; integrity management; authentication; and transmission security. Most popular IM apps do not offer the level of security that HIPAA compliance demands.
“Essentially, IM usage and HIPAA compliance can be attained by implementing appropriate security measures, access policies, and protective measures to the devices and applications containing E-PHI,” wrote Jackson. “Also, conducting a risk analysis for your organization on a regular basis, to ensure controls in place are still relevant, will ensure the ongoing compliance your industry demands.”
Edited by Stefania Viscusi