What Your Hospital Needs to Consider Before Using IM Platforms

Instant messaging (IM) platforms like Skype for Business are gaining popularity in hospitals, clinics, and healthcare organizations as a cost-effective means to increase communication across departments. 

Before adopting any instant messaging platforms for internal communications, your hospital should take into consideration the current HIPAA compliance regulations.

When Encryption Is Not Enough

Most instant messaging systems use an AES 265-bit encryption, which is used by the US Government to protect sensitive information. Hospitals and other healthcare organizations should understand security measures necessary to send Electronic Protected Health Information (ePHI) and other patient information so it remains confidential and secure during transmission.

Unfortunately, encryption doesn't cover what information (ePHI or not) is sent, cached, and/or recorded. For example, a simple conversation like Did you see Patient X had procedures A and B on the same day? Is the appropriate modifier on the claim?  followed by a quick exchange between healthcare professionals on an IM platform can leave your hospital at risk. In this scenario, best practice would be to pick up the phone and confirm the appropriate modifier. Although convenient, using PHI in Skype or another instant messaging platform is the same as putting it in an email – this must be avoided to ensure the patient's information is not compromised.

Generic BAA Agreement

Vendors who handle PHI are required by law to sign a Business Associate Agreement (BAA). Unfortunately, the typical umbrella BAA’s from the large IM providers don’t satisfy all the HIPAA regulations required to maintain compliance. Usage audits trails, archives of chats, and emergency access to chat histories are a few of the requirements missing from the BAA agreement.

Breach Notifications

When a breach occurs, hospitals are required to notify patients and applicable state/federal agencies BUT what if your instant messaging platform didn't alert you? This is compliance red flag. Certain instant messaging platforms are unwilling to notify users of a breach. 

Safeguard Considerations

Hospitals and providers apply reasonable measures to ensure the privacy of the information, according to HIPAA's safeguards principle. If there is no feasible way to send information securely via instant messaging platforms then hospitals and other healthcare organizations should choose not to use them, as long as they're taking all other reasonable measures to ensure privacy.

It's not a surprise healthcare organizations are considering better tools to optimize the communication processes but at this time, instant messaging platforms are more of risk than they're worth.

If you have additional questions about the compliance of IM platforms, we're happy to answer them. Send your questions here.