Data security is a major challenge in healthcare, and with data breaches on the rise, it seems that digital healthcare data is increasingly seen by cybercriminals as low-hanging fruit. According to the 2021 HIMSS Cybersecurity Survey, 84% of hospital and healthcare IT professionals said that email introduced additional cybersecurity risk into their organization.
In today’s high-risk environment, it’s especially important for physicians to know how to transmit protected health information (PHI) to other parties in a safe and secure way. This involves moving away from email as a primary method of communication towards a more secure HIPAA-compliant communication technology.
What Types of Patient Information Are Covered Under HIPAA?
The term PHI can describe a wide range of patient data collected by HIPAA-covered entities. Broadly speaking, PHI is considered to be any piece of information that is disclosed during the course of delivering or receiving a healthcare service that can be used to identify a patient.
A safe rule of thumb is to assume that any part of a patient’s medical record or payment history can constitute PHI, since both contain highly sensitive financial and medical information that can easily identify a patient.
Is Email Considered a HIPAA-Compliant Method of Communication? No!
Although email isn’t specifically banned under HIPAA, there are stringent rules around sharing PHI that make HIPAA email compliance basically impossible to attain.
Below we outline some of the key reasons why sharing PHI through email is not secure and why it’s not considered a HIPAA-compliant practice:
Inadequate Security Features
For starters, HIPAA dictates that any digital message containing PHI must be encrypted. Because email is one of the earliest forms of online communication, it’s highly unlikely to be encrypted or to have other modern security features in place. In fact, email is unencrypted by default and can also be very difficult to encrypt. This puts most email communications containing ePHI clearly in breach of HIPAA.
Lack of Control of Patient Email Providers
Even if healthcare organizations feel confident in the security features of their own email provider, they have no control over the email provider that their patients use. If, as is often the case, the patient uses an email provider that does not have the proper security measures in place, there is a risk that ePHI may be intercepted or hacked whenever emails are exchanged between that patient and their healthcare provider.
Not Well-Targeted
Using email as a primary means of communication often means that valuable or sensitive information can end up in the wrong place. A common example of this is when a patient contacts a secretary or other member of the healthcare organization’s administrative team with PHI.
Phishing Attacks
A phishing attack is a type of cyber attack that uses an email disguised as coming from a trusted source (in this case, the patient’s healthcare provider) to trick the email recipient into giving out personal information. The risk of someone succumbing to a phishing attack significantly increases when an organization chooses to use email to share sensitive information. In one recent example, a healthcare employee’s email was compromised through a phishing attack that exposed roughly 12,000 patient files.
Email contains many security risks and should never be used when sharing PHI, even if the information is only being shared internally. Some healthcare organizations wrongly believe that the problem is solved if the patient signs a disclaimer or gives consent to have their health information shared through email. However, organizations that share PHI through email will still be in breach of HIPAA, whether there is a disclaimer or not. PHI should only be transmitted through safe mediums such as HIPAA-compliant messaging apps.
Best Practices for Sharing PHI
The best way to share PHI is within a HIPAA-compliant patient portal or a HIPAA-compliant messaging app. The security benefits of exchanging information in a HIPAA-compliant messaging portal are numerous. Here are the three most important benefits:
1. HIPAA-Compliant Messaging and Telehealth
The most trusted patient portals include HIPAA-compliant messaging with end-to-end encryption to ensure that everyday communications are secure and compliant. Not only are instant messaging features desirable for patients, they can also include the most up-to-date security protocols that keep their data safe.
With the surge in telehealth spurred by the pandemic, modifications to HIPAA have made it easier for providers to include video conferences with a healthcare professional as part of their services offered to patients. A trusted patient portal will include a HIPAA-compliant telehealth solution with encryption in order to remain compliant.
2. Centralized Control
One of the most important benefits of using a patient portal is that healthcare organizations have far more control over its security features, either themselves or through their provider. This allows them to make sure that the portal aligns with their security policies and is fully HIPAA-compliant at all times.
3. Careful Targeting
To prevent ePHI ending up in the wrong hands, trusted portals should give healthcare organizations the ability to assign users different access rights and permissions. They may, for instance, assign patients to a particular doctor and direct all messages that may potentially contain PHI exclusively to this staff member.
HIPAA Compliance Staff Training for PHI Management
Good compliance starts with knowledgeable and conscientious staff. While employees and administrative staff aren’t likely to intentionally share PHI, HIPAA recognizes that there is a risk of unintentionally sharing sensitive information. HIPAA compliance training ensures that every staff member, including doctors, nurses, residents in training, administrators, and anyone in your healthcare organization who handles PHI, knows how to properly protect sensitive information.
To ensure that everyone in your healthcare organization is up-to-date with HIPAA compliance, consider giving staff ongoing HIPAA compliance training, every 4-6 months or two to three times a year. Training should include real-world examples of situations where both administrative staff and physicians may need to share ePHI, such as referring a patient for additional care, and should alert them to the HIPAA rules in each case.
What Should Be Covered in HIPAA Compliance Staff Training?
Where Is PHI Stored?
PHI should only be stored on secure devices belonging to the healthcare organization, not on private devices such as personal cell phones, and should only be transmitted using HIPAA-compliant communication mediums.
What if You Stumble upon PHI That You Shouldn’t Have Access to?
All administrative and office staff should also know the correct procedures to follow if they stumble upon PHI that they shouldn’t have access to. This will usually involve reporting the breach to a senior member of staff, such as a compliance officer, who will then help to ensure that the issue is fixed and that the appropriate access controls are put in place to prevent future recurrences.
How To Keep Login Information Secure
In addition to security measures such as two-step or multi-factor authentication when logging into a communication app, staff should be aware of how to keep their login secure. For example, healthcare organizations can use password managers that can help to generate random and strong passwords for each account that they have, and that can be used to keep passwords securely encrypted in a digital vault.
Does the Healthcare Organization Have a Business Associate Agreement (BAA) with the Person You’re Communicating with?
When communicating with business partners, staff should be aware that a BAA (business associate agreement) is a requirement for information-sharing under HIPAA and have a good sense of which companies have a BAA in place with your organization. This can be communicated both in training sessions and through reference materials, so that staff have an easy way to verify compliant partners if they are ever unsure when it comes to transmitting PHI.
Partner with a HIPAA-Compliant Patient Portal Provider
When sharing PHI through digital mediums with patients and other providers, the only secure way according to regulatory compliance standards is by using a HIPAA-compliant messaging app or portal.
At Medical Web Experts, our team of senior developers and senior security and HIPAA compliance experts are dedicated to creating custom solutions that meet the needs of healthcare organizations and patients. Contact us today to learn more.