Dedicated to providing the latest
HIPAA compliance news

Secure Healthcare Communications

Secure Healthcare Communications

Why Do Healthcare Communications need to be Secure?

The necessity for secure healthcare communications was introduced with amendments to the Health Insurance Portability and Accountability Act (HIPAA) enacted in 2013. There already existed a duty of care to prevent the unauthorized disclosure of Protected Health Information (PHI) but, with the introduction of administrative, physical and technical safeguards in the HIPAA Security Rule, certain conditions were established before healthcare communications could be considered secure.

The amendments to HIPAA reflected a growing trend towards BYOD policies. It has been estimated that as many as 80% of medical professionals use a personal mobile device to manage their workflows. Many of these medical professionals use SMS and email to communicate PHI – channels of communication over which the sender has no control once messages have left their mobile devices. Furthermore, a lack of security mechanisms on mobile devices can expose PHI to unauthorized access.

Further considerations were taken into account when the rules for secure healthcare communications were drafted. Considerations such as copies of messages indefinitely left on ISPs´ servers, and the volume of PHI breaches that were reported to the Department of Health and Human Services because a mobile device had been stolen. Consequently the rules for secure healthcare communications cover many different scenarios and potential vulnerabilities in a medical facility´s communications structure.

The Rules for Secure Healthcare Communications

The majority of the rules for secure healthcare communications appear in the previously mentioned safeguards in the HIPAA Security Rule. These require that risks assessments are conducted to determine vulnerabilities in a medical facility´s communications structure and then security measures implemented to prevent unauthorized access to PHI where necessary. To confuse matters, the rules for secure healthcare communications are divided between “Required” and “Addressable”:

  • Required safeguards mean that security measures have to be introduced. An example of a required safeguard is that any device used to send or receive PHI must have an automatic logoff facility to prevent unauthorized access to PHI when a desktop computer or mobile device is left unattended.
  • Addressable safeguards have to be implemented unless an alternate security measure offers the same level of protection for PHI or there is a justifiable reason for why the safeguard is unnecessary. An example of an addressable safeguard is that all PHI must be encrypted in transit.

Why might you not need to encrypt PHI in transit? Well, some medical facilities have internal servers protected by a firewall. Provided that all electronic communications remain within the firewall, encryption would be unnecessary. As soon as a medical professional sends an email or SMS to anybody beyond the firewall, the encryption of PHI in transit effectively becomes a required safeguard.

Secure Messaging Solutions for Healthcare

The simplest and most effective way in which to comply with the rules for secure healthcare communications is with a secure messaging solution. Secure messaging solutions work by creating a communications network exclusively for the use of authorized personnel within a healthcare facility. All PHI that travels through the network is encrypted, but secure messaging apps allow authorized personnel to send and receive messages just as they would with a commercial messaging app.

All activity on the network is monitored, and access reports produced to assist with ongoing risk assessments. Security measures are in place to prevent PHI being communicated outside of the network or saved to an external hard drive, while mechanisms exist to remotely retract and delete any communication sent to or from a mobile device that is subsequently stolen. Indeed, many healthcare organizations choose to activate a feature that assigns “message lifespans” to secure messages.

Secure messaging solutions comply with all the conditions necessary for healthcare communications to be considered secure and have been shown to accelerate the cycle of communications in a medical facility. This is because mechanisms to ensure message accountability have substantially reduced phone tag. This enables medical professionals to be more productive and deliver a higher standard of healthcare to patients.

Find Out More about Secure Healthcare Communications

For further information about secure healthcare communications, and the conditions necessary for healthcare communications to be consider secure, you are invited to download and read our “HIPAA Compliance Guide” – a free white paper that elaborates on the administrative, physical and technical safeguards of the HIPAA Security Rule.

Our guide also provides more details about how secure messaging solutions work, what security measures are in place to prevent unauthorized access to PHI and case studies from medical facilities that have implemented secure messaging solutions to ensure secure healthcare communications.