In this blog, we will explore:
- Why It Is Harder To Deal With HIPAA Today
- What Makes a Phone System HIPAA Compliant
- What Is Required To Be Properly HIPAA Compliant
- What Types of Communication Are Considered Secure for HIPAA?
- What Is the Minimum Necessary Standard for HIPAA-Compliant Communication?
- HIPAA Compliant Do’s
- HIPAA Compliant Don’ts
- Easily Avoidable HIPAA Fines
- Why Is Vendor Risk a Major HIPAA Compliance Issue?
- HIPAA-Compliant Calling Platforms
- FAQs about HIPAA Compliant Communication
Why It Is Harder To Deal With HIPAA Today
HIPAA is a 20-year-old law. It was established in 1996, before much of today's technology existed, before ransomware and spam emails, and before privacy initiatives like GDPR in Europe or similar legislation in California. That means there is now a lot of technology involved in communicating securely, and also a lot of technology involved in stealing information.
Patients want access through all these forms of communication. Whether it is directly through an EHR or through other mediums, patients are happy when those options are offered. But even when the organization offers those mediums, it still needs permission from the patient through use and disclosure documentation explaining how they want to be communicated with.
At the same time, there are a tremendous number of breaches and a great deal of intentional fraudulent activity. A notable statistic is that 88% of ransomware is specifically aimed at small and mid-sized healthcare practices. There are open investigations in eye care involving stolen access, encrypted patient information, or patient records being compromised. One of the biggest culprits is simple administrative mistakes.
If an organization has audited itself correctly and has the right policies and procedures in place, staff should know exactly what to do and what not to do. That makes their life easier, helps them serve patients better, and improves patient loyalty.
Explore more: Why TCPA Compliance Matters for AI Calling Systems
What Makes a Phone System HIPAA Compliant
When you evaluate a phone system for your healthcare business, you should know exactly what the top two or three questions are.
Sign a Business Associate Agreement (BAA)
Make sure you sign a BAA. If a vendor claims to be HIPAA compliant but refuses to sign a BAA, that is a red flag. It means they are not truly HIPAA compliant.
Any vendor who provides a service, including electronic health records, messaging platforms, healthcare call centers, billing firms, IT companies, or other software providers, requires attention before being used.
A business associate agreement is a legal agreement stating that the vendor understands they have to be HIPAA compliant, what the organization is responsible for, and what the vendor is responsible for. In addition, there should also be technical due diligence, meaning proof that the vendor is capable of protecting the information being shared.
When it comes to business associate agreements, they do not need to be signed every year. What must be done each year is reviewing them and making sure the business relationship has not changed in a meaningful way.
Business associate agreements are one of the most important ways to lower liability. If a vendor will not sign a business associate agreement, the recommendation is to find another vendor. If a vendor asks a practice to sign language that indemnifies the vendor, meaning the vendor is not liable for the errors they make, that is not appropriate and is technically against HIPAA law.
A vendor’s own business associate agreement can be signed, provided it is reviewed carefully and legal counsel looks at it. The goal is proof that both organizations understand HIPAA is the law they work under, that both are responsible to be HIPAA compliant, and that each one is responsible for its own efforts.
Call Encryption
Make sure that all the calls are encrypted. The purpose of HIPAA compliance is to protect your data in case of an incident, and that is only possible if the data is encrypted. If an incident occurs and the data in the system is encrypted, it remains protected: whoever obtains the stored data cannot actually read it.
Access Control for Call Recordings
You need to have access to all the call recordings, and there needs to be access control over them.
Not everybody should be able to access those call recordings. The healthcare practice owner has the right to access them, and an admin or office manager may have that right as well, but the front desk may not.
Audit Logs and Data Protection
For staying compliant, you need audit logs, complete encryption, and a BAA in place. You need to make sure that all of the information is completely deleted if you decide to stop working with the business. HIPAA compliance clearly suggests this.
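The three controls above (restricted access to recordings, an audit trail of every access attempt, and complete deletion when the relationship ends) can be sketched as a small role-based access layer. The following Python example is added here for illustration and is not code from any of the platforms named on this page; the role names, the `RecordingStore` class and the sample recording blobs are constructed assumptions. It assumes recordings are already encrypted at rest and are handled here only as opaque blobs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical role model, following the page's example: the practice owner,
# admin and office manager may play back recordings, the front desk may not.
RECORDING_ACCESS_ROLES = {"practice_owner", "admin", "office_manager"}

# Only the practice owner may order a full purge (assumption for this example).
PURGE_ROLES = {"practice_owner"}


@dataclass
class AuditEvent:
    """One append-only audit record: who did what, to which recording, and the outcome."""
    timestamp: str
    actor: str
    role: str
    action: str        # "play" or "purge"
    recording_id: str  # "*" for a purge request that was refused before touching anything
    outcome: str       # "granted" or "denied"


@dataclass
class RecordingStore:
    """Call recordings (already encrypted blobs) plus the audit log of every access attempt."""
    recordings: Dict[str, bytes] = field(default_factory=dict)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, actor: str, role: str, action: str, recording_id: str, outcome: str) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(ts, actor, role, action, recording_id, outcome))

    def access_recording(self, actor: str, role: str, recording_id: str) -> Optional[bytes]:
        """Return the recording if the role is permitted, else None. Every attempt is logged,
        including denials and requests for recordings that do not exist."""
        allowed = role in RECORDING_ACCESS_ROLES and recording_id in self.recordings
        self._log(actor, role, "play", recording_id, "granted" if allowed else "denied")
        return self.recordings[recording_id] if allowed else None

    def purge_all(self, actor: str, role: str) -> int:
        """Offboarding: delete every recording when the business relationship ends.
        Returns the number of recordings removed (0 if the request was refused)."""
        if role not in PURGE_ROLES:
            self._log(actor, role, "purge", "*", "denied")
            return 0
        removed = 0
        for rid in list(self.recordings):
            del self.recordings[rid]
            self._log(actor, role, "purge", rid, "granted")
            removed += 1
        return removed


def denied_events(store: RecordingStore) -> List[AuditEvent]:
    """Denied attempts are what a reviewer looks at first when reading the audit log."""
    return [e for e in store.audit_log if e.outcome == "denied"]


def build_demo_store() -> RecordingStore:
    """Constructed sample data: placeholder blobs standing in for encrypted audio."""
    store = RecordingStore()
    store.recordings["call-0001"] = b"<encrypted audio blob 1>"
    store.recordings["call-0002"] = b"<encrypted audio blob 2>"
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.access_recording("fdesk1", "front_desk", "call-0001"))      # None (denied)
    print(store.access_recording("mgr1", "office_manager", "call-0001"))    # blob (granted)
    print(store.purge_all("owner", "practice_owner"))                       # 2
    for event in store.audit_log:
        print(event)
```

The point of logging denials as well as grants is that a denied attempt by a front-desk account is exactly the kind of event an annual security audit should surface; in a real deployment the audit log would be written to append-only storage that the same roles cannot edit.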
EMR Integration (Not a Must-Have)
It is good if the phone system integrates with your existing system of record, which is an EMR. That way it can send all of this information directly into the EMR and you have a record of it.
What Is Required To Be Properly HIPAA Compliant
When HIPAA is done correctly, there are six audits required every year. These include security risk assessments, administrative risk assessments, and privacy risk assessments.
After those audits, the organization has to identify all gaps in writing and remediate all those gaps.
Only about 20 to 25 percent of gaps tend to be security related, meaning physical things such as locks on doors, email encryption, and firewalls. The majority of fines are for administrative failures, specifically failure to have policies, procedures, and training.
Organizations must have not just a high-level code of conduct, but specific policies, procedures, and training that relate to each part of the business. Those materials must be customized. Off-the-shelf binders, templates from associations, or auto-generated policies can create serious risk if they do not accurately reflect the business.
Policies, procedures, training, and audits are required every year. Employees must legally attest every year that they understood and are going to follow the policies and procedures. A staff meeting and verbal discussion are good reinforcement, but there must be proof, such as signed documentation.
Vendor management requires both the business associate agreement and technical due diligence. Incident management is also required by law. Every incident must be investigated, documented, corrected, and reported. The documentation must state who was affected, what went wrong, how it was fixed, and whether it must be reported to the U.S. government. Meaningful breaches affecting more than 500 people must be reported within 60 days. Non-meaningful breaches must be reported at the end of the year.
What Types of Communication Are Considered Secure for HIPAA?
Certain types of communication are inherently secure, while others are not. A regular Gmail account is not secure, not encrypted, and not backed up correctly for HIPAA purposes.
A regular fax line plugged into a telephone line is considered secure because a fax machine is a point-to-point exchange of information. It is not being transmitted in a form that someone can easily open and steal along the way. As long as the correct fax number is entered, it is going to the right place.
Encryption is the concept that information is being locked in a way that if someone stole it along the way, they would not be able to understand what was in it. It is a form of technology that takes information and puts a lock and key on it. Whether it is texting, email, or chatting, encryption is what helps make sure the information cannot be intercepted and used inappropriately by someone else.
The easiest way to think about all of this technology is whether it protects the information during transit. If someone stole it along the way, could they use it? If the answer is no because it was encrypted, then the information is protected. If it was not encrypted, then it can be intercepted and used.
Organizations should make sure they encrypt all their information. Many systems already include built-in encryption tools. Apple systems and Windows 10, for example, both have built-in applications designed to encrypt information on the computer and protect exchanged information.
Ransomware is when someone captures a computer and its information and demands money to return access. If the information was encrypted and backed up correctly, then even if someone stole it, they could not use it. Without encryption, if a text or communication is intercepted, the PHI can be used.
There are also communication tools that can help. WhatsApp, while not itself marketed as HIPAA compliant, is a secure point-to-point communication mechanism with encryption. Because it is secure and encrypted from one side to another, it can serve as a secure method of communication. There are also tools that can make email encrypted properly, allowing traditional email platforms such as Gmail, Hotmail, or Yahoo to be used more securely.
What Is the Minimum Necessary Standard for HIPAA-Compliant Communication?
Minimum necessary standards must be followed. This means that only the minimum amount of information necessary to address the situation should be disclosed.
For example, if a police officer walks into a hospital and asks whether a patient is there, the answer can be yes, room 401. What cannot be said is yes, room 401, they were clearly drunk when they came in and just had an accident. That extra information is not minimum necessary.
This standard also applies when responding to patients on social media.
Privacy documentation at the front desk should include asking the patient how the organization may communicate with them. Is email okay? Is voicemail okay? Can they be texted? All the mediums the organization plans to use should be listed, and the patient should be asked whether that is okay. If the patient says yes, that is fine. If the patient says no, the organization must have processes in place to avoid violating that request.
HIPAA Compliant Do’s
When discussing PHI, it should be kept to the core of what is needed for treatment, payment, and operations. PHI should not be discussed socially.
Requests for PHI should be handled in writing. Those requests should be maintained for 30 days, and responses should follow the minimum necessary standard. If someone asks to confirm an appointment that happened on Tuesday the 23rd, the response should only discuss the appointment on Tuesday the 23rd, not the appointment on Wednesday the 24th.
HIPAA Compliant Don’ts
PHI should not be discussed in a public setting. The nature of all protected health information is that it should be shared in a supervised and secure environment.
Materials containing PHI should not be left unsecured. At the end of the day, those materials should be put into locked file cabinets or behind a locked door. It is acceptable to have things on a desk if the office door has a lock on it. These are common-sense protections, and one of the required audits under the law is a physical audit that helps the organization identify and address those types of open vulnerabilities.
Easily Avoidable HIPAA Fines
Being HIPAA compliant has real advantages. It can make an organization more profitable, more valuable, and more attractive from a private equity perspective if the practice is looking to sell. It can also improve employee satisfaction and patient loyalty.
The downside is that not doing it has teeth.
One example involved a physical therapist. A patient sent a written recommendation letter saying how much they enjoyed working with the organization. The organization then posted that testimonial on its website. The patient had not given permission for that use through the use and disclosure documents. The letter had been presumed to be for private appreciation, not for public display. That led to a $25,000 fine.
The key point is that the fines are almost never for the incident itself. They are almost always for failing to assess risks properly.
HIPAA does not allow “HIPAA light.” An organization cannot do only pieces of the law. If it did not complete all the audits and did not have all the right documentation around its gaps, it would not have all the right customized policies and procedures, and that is when trouble begins.
Another example involved a hospital in Texas. A patient had committed fraud, and the hospital put out a press release because it was proud of having caught the person. Unfortunately, the press release included the perpetrator’s name and the procedure that had been done. That was PHI, and the complaint led to a $2.4 million fine.
Another common issue involves taking pictures or filming in a display room or office. If a patient is in the room being served, permission must be obtained before including that person in a video or image. It should never be assumed that it is okay.
Why Is Vendor Risk a Major HIPAA Compliance Issue?
Many practices use third-party technologies to help manage communications, including email, patient portals, and texting. The bad news is that 30% of the time, a breach is caused by a vendor.
That is why business associate agreements are so important. If there is a business associate agreement in place and technical due diligence has been done, the organization can defend itself and show that it had documentation proving the vendor said it was HIPAA compliant and responsible for HIPAA-related issues on its side.
Without that, the government often does not know whose fault it is and ends up fining everybody.
HIPAA-Compliant Calling Platforms
There are several players in the market for HIPAA compliant calling.
Emitter: Emitter works best for offices that have multiple providers or multilocation offices. It offers texting, fax, calling, AI automation, EMR integration, and scales as the provider scales. It does not charge based on the number of providers.
iPlum: iPlum works well for a solo provider. It is a very basic self-served platform where you set up everything yourself. It is similar to Google Voice but a HIPAA compliant version. It works well if you want a low-cost way to get started.
Ring RX: Ring RX works if you are a little more established. It offers fax, basic texting, and basic calling but no EMR integration and no AI.
Spruce Health: Spruce offers more than calling, texting, and fax and has additional capabilities, but it charges based on the number of providers. For example, five providers may cost about $150 per provider. Spruce is like iPlum and Ring RX with better UI and UX but is more expensive.
FAQs about HIPAA Compliant Communication
1. What are HIPAA-compliant calling platforms?
Platforms that comply with all the HIPAA rules and regulations while dealing with PHI are HIPAA-compliant calling platforms. There are several, including Emitter, Ring RX, iPlum, Spruce Health, and Weave (Viv).
2. What is the minimum necessary standard?
Minimum necessary standard means that only the minimum amount of information necessary to address the situation should be disclosed.
3. How Should Organizations Handle Data Migration During EHR Vendor Changes?
During migration, organizations should reassess their security controls by reviewing:
- Minimum necessary access
- Multifactor authentication
- Strong password policies
- Logging and audit logging
- Data retention controls
Organizations should treat migration as an opportunity to reassess their security protocols, and it is very important for healthcare organizations to verify everything themselves even if the vendor says it is fully compliant.
4. What Are HIPAA Security Rule Expectations for AI?
There are no specific instructions or requirements regarding AI, but AI systems should be treated like all the other applications within an organization and should follow all the necessary security practices and protocols, such as data encryption, access limitations, and secure data sharing practices. All controls applied to AI systems should be documented the same way they are for any other application environment.