Instant messaging (IM) platforms like Skype for Business are gaining popularity in hospitals, clinics, and healthcare organizations as a cost-effective means to increase communication across departments.
Before adopting any instant messaging platform for internal communications, your hospital should take the current HIPAA compliance regulations into consideration. All covered entities (healthcare providers, clearinghouses, etc.) under HIPAA must protect the privacy and security of health information and provide individuals with certain rights with respect to their health information. It's important for business offices to regularly conduct thorough risk assessments and audit internal policies for instant messaging platforms to ensure HIPAA compliance.
When Encryption Is Not Enough
Most instant messaging systems use AES 256-bit encryption, the same cipher the US Government uses to protect sensitive information. Hospitals and other healthcare organizations should understand the security measures necessary to send Electronic Protected Health Information (ePHI) and other patient information so that it remains confidential and secure during transmission.
Unfortunately, encryption in transit doesn't address what information (ePHI or not) is sent, cached, and/or recorded at either end. For example, a simple conversation like "Did you see Patient X had procedures A and B on the same day? Is the appropriate modifier on the claim?" followed by a quick exchange between healthcare professionals on an IM platform can leave your hospital at risk. In this scenario, best practice would be to pick up the phone and confirm the appropriate modifier. Although convenient, putting PHI in Skype or another instant messaging platform is the same as putting it in an email: this must be avoided to ensure the patient's information is not compromised.
Generic BAA Agreement
Vendors who handle PHI are required by law to sign a Business Associate Agreement (BAA). Unfortunately, the typical umbrella BAAs from the large IM providers don't satisfy all the HIPAA regulations required to maintain compliance. Usage audit trails, archives of chats, and emergency access to chat histories are a few of the requirements missing from those agreements.
When a breach occurs, hospitals are required to notify patients and the applicable state/federal agencies. But what if your instant messaging platform didn't alert you? This is a compliance red flag: certain instant messaging platforms are unwilling to notify users of a breach.
Under HIPAA's safeguards principle, hospitals and providers must apply reasonable measures to ensure the privacy of the information. If there is no feasible way to send information securely via an instant messaging platform, then hospitals and other healthcare organizations should choose not to use it, as long as they're taking all other reasonable measures to ensure privacy.
It's no surprise that healthcare organizations are considering better tools to optimize their communication processes, but at this time, instant messaging platforms are more of a risk than they're worth.
If you have additional questions about the compliance of IM platforms, we're happy to answer them. Send your questions here.