08 Jan How to maintain HIPAA compliant communication
HIPAA compliant communication is essential – for the sake of your patients and your practice.
Portions of the Health Insurance Portability and Accountability Act govern patients’ privacy. That includes the secure electronic transfer of health data. If protected health information makes it into the wrong hands it could result in legal scrutiny or worse. Electronic communication is risky without protection. Medical practices that violate sections of HIPAA covering health privacy can face large fines. In fact, a single violation could result in a fine as high as $50,000. Practices can receive fines for violations even if they operate with due diligence and without specific knowledge of the rule. Multiple infractions in the same year can cost a practice at least $1.5 million.
HIPAA fines add up to some scary numbers, but the penalties are avoidable if you take the right steps. Fortunately, safe communication channels exist. There are even a number of electronic communication platforms and tools built with HIPAA in mind. PHI transfer activities are particularly vulnerable. By taking the following steps medical practices can mitigate the risk:
Use encrypted email for PHI
Email encryption is a critical step to HIPAA compliance, according to Virtru. Encrypted communications are protected by elaborate algorithms that make information unreadable to anyone without the right credentials. If your emails aren’t secured by encryption you’re opening up patient PHI to hackers and other digital dangers.
It’s easy to send off an email without considering the security implications. However, doing so can be dangerous. Any emails containing PHI should have strong protections. Otherwise, that private information is vulnerable. There are a number of options for encrypting your practice’s emails. Portal solutions using Transport Layer Security can establish unique and protected channels to exchange information. Additionally, some newer solutions integrate with popular email platforms.
Protect patient appointment reminders
To protect your appointment reminders you should provide patients with as much information as possible on your policy while keeping the alerts themselves as generic as you can. Inform patients of the types of reminders you send (text message, voicemail, email, etc.) and the risk inherent in them, Stericycle Communication Solutions explained. Also be sure to offer patients an “opt-out” option in case they do not want to receive appointment reminders.
When you do send the notifications, make them as generic as possible. Providing too much information may expose your practice to risk. The safest appointment reminders are the ones that contain just the following:
- The provider’s name.
- The date and time of the appointment.
- The appointment location.
Secure your patient portal
Patient portals can offer great user experience. However, you could face a HIPAA violation if your self-service portals aren’t secure. Portals often store patients’ PHI and communicate updates to them. HIPAA protects the data typically stored within patient portals. That’s because much of this information often falls under the PHI umbrella. There should be no way to get into the portal – or for information to get out – without the proper credentials. Your patient portals should be like bank vaults. Make sure you have the staff to maintain security during and after the development of internal portal projects.
Keep in mind: while protecting PHI is essential, it’s important to keep in mind patient’s rights beyond securing health data. HIPAA provides patients with a “right of amendment” as well as a “right of access,” Healthcare IT News explained. If they ask you to change their records or to deliver of medical or billing documents, you have to honor the request. And the records should be sent through whichever channel the patient requests.
Choose secure messaging channels
Messaging is consumers’ preferred communication channel; whether it be live chat, text messaging or another text-based platform. However, messaging isn’t always secure. In fact, it often isn’t. You should avoid sending PHI via text message. And it’s important to be careful with live chat as well. If you’re interested in adding live chat to your website make sure you research the provider first. Some live chat providers build in protections to ensure their products are HIPAA compliant. Look for a live chat solution that states it is HIPAA compliant on its website before making a purchase.
Maintaining HIPAA compliant communication
Staying HIPAA compliant isn’t just about choosing the correct digital communication solutions. It also comes down to maintaining security. There are a number of practices you should stick to for HIPAA compliant communication:
- Run security audits on a regular basis.
- Train staff on maintaining HIPAA compliant security.
- Update communication solutions, databases and operating systems when new releases are made available.
- Keep log-in credentials secure.
HIPAA compliant communication is in your patients’ and your practice’s best interests. However your practice engages with patients and prospects, make sure it does so in a secure manner. By taking the time to keep PHI secure you can shift the focus to what really matters: Keeping your patients happy.