With the understanding that healthcare organizations absolutely need to implement some type of secure communications platform, the question becomes what should they be looking for in a product?
Tech-savvy healthcare organizations know that there are no HIPAA-compliant secure messaging services, only the means to help organizations use communications technology in a HIPAA-compliant manner. Any solution will need to have the right blend of security and usability for clinical employees, but there are some specific qualities that are essential to an organization staying within HIPAA’s boundaries. HealthITSecurity.com looks at the top five:
1. Integration capabilities with current and new infrastructure
Interoperability needs aren’t just limited to EHRs, as a secure communications platform needs to be able to fit in with your environment. If, for instance, the organization’s EHR software already has an automation function for internal communication, how would that align with a new platform that allows physicians to communicate on all devices? It’s important for organizations with a large number of employees, including independent physicians who aren’t on the payroll, to ensure that communications technologies interlock and there are no security loose ends.
2. Technical safeguards
This sounds obvious, but many organizations fail to adopt standard (and necessary) configuration and technical controls on mobile devices used to access their internal networks or systems.
Many organizations these days are enacting policies that prevent electronic protected health information (ePHI) from being stored on the device, and some of them use platforms that store the data in a third-party cloud as well. However, regardless of the organization’s approach, ePHI must be encrypted both in transit and at rest. For data in motion, using 2048-bit RSA for Secure Sockets Layer (SSL) and AES 256-bit encryption would be a good example of strong technical safeguards. Read here how 2048-bit has become the baseline for SSL certificates.
3. More than just SMS
There are quite a few secure short message service (SMS) applications out there, but many larger organizations are looking for a comprehensive product that can secure all forms of communicated PHI. Now that physicians participate in accountable care organizations (ACOs), these organizations have to (1) authenticate a variety of users onto their networks and (2) enable secure communication across different sizes and types of providers. In turn, some organizations will want a more comprehensive platform that secures all communication across all types of devices.
4. Having a BAA signed, sealed and delivered
More than ever, healthcare organizations are conscious of which vendors they deal with and a bare minimum requirement for using any secure messaging platform should be having a HIPAA business associate agreement (BAA). Considering patients’ ePHI may be either running through a vendor’s network or stored in a remote cloud server (depending on the product), having a BAA will assure the organization that the vendor is responsible in the event of a breach as well.
5. Message logging and audit capabilities
Having control of communications and audit trails is important for some providers, and these are certainly appealing qualities of secure messaging platforms. From knowing who is reading messages containing ePHI to being able to look through audit logs in case there’s a clinical workflow issue, organizations want to have access to communications records. Also under this umbrella may be the ability to either remotely wipe messages or put a protocol in place that deletes the messages after a determined amount of time.
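As an added illustration of what criteria 2 and 5 look like inside a messaging back end (example code, not from the article or from any product it describes): ePHI is encrypted at rest with AES-256-GCM, every store, read and denied read is written to an audit trail that never contains the plaintext, and a retention sweep deletes messages after a set period. The type names, the "id|recipient" associated-data layout and the sample actors are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// AuditEntry records who did what to which message and when (hypothetical schema).
type AuditEntry struct{ MessageID, Actor, Action string; At time.Time }
type storedMsg struct { recipient string; nonce, ciphertext []byte; storedAt time.Time }
// Store keeps ePHI encrypted at rest with AES-256-GCM, audits every access, and expires old messages.
type Store struct { aead cipher.AEAD; msgs map[string]storedMsg; Audit []AuditEntry; Retain time.Duration }
func NewStore(key []byte, retain time.Duration) (*Store, error) {
	if len(key) != 32 { return nil, errors.New("AES-256 requires a 32-byte key") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Store{aead: aead, msgs: map[string]storedMsg{}, Retain: retain}, nil
}
func (s *Store) log(id, actor, action string, at time.Time) { s.Audit = append(s.Audit, AuditEntry{id, actor, action, at}) }
// Put encrypts under a fresh random nonce and binds message ID and recipient as associated data,
// so a stored ciphertext cannot be silently re-addressed to another user.
func (s *Store) Put(id, recipient string, plaintext []byte, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	s.msgs[id] = storedMsg{recipient, nonce, s.aead.Seal(nil, nonce, plaintext, []byte(id+"|"+recipient)), now}
	s.log(id, recipient, "stored", now)
	return nil
}
// Read decrypts for the recipient only; denied attempts are audited too, the plaintext never is.
func (s *Store) Read(id, actor string, now time.Time) ([]byte, error) {
	m, ok := s.msgs[id]
	if !ok || actor != m.recipient { s.log(id, actor, "denied", now); return nil, errors.New("unavailable") }
	pt, err := s.aead.Open(nil, m.nonce, m.ciphertext, []byte(id+"|"+m.recipient))
	if err != nil { return nil, err }
	s.log(id, actor, "read", now)
	return pt, nil
}
// Expire deletes messages older than the retention window and audits each deletion.
func (s *Store) Expire(now time.Time) int {
	n := 0
	for id, m := range s.msgs {
		if now.Sub(m.storedAt) > s.Retain { delete(s.msgs, id); s.log(id, "system", "expired", now); n++ }
	}
	return n
}
```

A real deployment would keep the key in an HSM or KMS rather than in process memory and would persist the audit trail somewhere the messaging service itself cannot alter.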