HIPAA compliance is a vital practice that all businesses must adhere to when handling Protected Health Information (PHI) and Electronic Patient Health Information (ePHI). Since the final HIPAA omnibus rule came into effect in March 2013, the Health and Human Services Office for Civil Rights has been cracking down on non-compliant Covered Entities and Business Associates.
Even with these changes in effect, many Covered Entities and Business Associates continue to conduct their daily communications insecurely and, whether they are aware of it or not, by methods that are in clear violation of HIPAA’s standards.
Many are well aware of the consequences and have taken the necessary steps to become compliant. For those who have not, or who are not sure whether they are compliant, we have outlined the steps you can take to rectify this, and listed the ramifications you may be subject to if you are found in non-compliance.
The intention of this post is not to scold or make an example of anyone, but to educate those who may still be in danger of being found in direct violation of HIPAA’s standards.
An important first step toward becoming HIPAA-compliant is to have a Business Associate Agreement (BAA) in place. You must share the BAA with all vendors, such as answering services, shredding companies and anyone else who might come into contact with PHI. Once these agreements are signed and all parties have entered into the contract, the Business Associates are bound to meet HIPAA standards by protecting PHI. If they do not, they are liable and subject to civil and criminal penalties for actions not authorized in your BAA.
Beyond having a BAA in place to protect your PHI, it would also benefit your business or practice to consult an attorney who has experience with medical and HIPAA regulations. When it comes to compliance, being over-prepared is not necessarily a bad thing.
One of the fastest-growing concerns in the protection of PHI/ePHI is the use of SMS, also known as “text messaging”. While convenient, it is commonly mistaken for a safe and secure method of sharing PHI/ePHI.
Contrary to what many believe, standard text messaging is NOT HIPAA-compliant and is a direct violation. Because text messages do not meet HIPAA’s encryption requirements, you may face one or more of the following for a single infraction:
- Up to but not exceeding $1.5 million in fines ($50,000 per violation)
- Hiring an external contractor who will educate all physicians and office personnel in person
- Restructuring your business practices and policies so that they are HIPAA-compliant
- Designating a HIPAA compliance officer for your practice or business
- Being forced to notify all residents and families involved where the security of PHI/ePHI may have been breached
A North Carolina residential facility was recently ordered to perform most of the above when it was found in violation. A physician treating a nursing home patient was found non-compliant when he texted a nurse for the patient’s lab results. Although the physician and the nurse were the only medical professionals authorized to see the message, the Centers for Medicare and Medicaid Services found the residential facility to be in violation because text messaging was used instead of a secure method of communication.
There are solutions for fast, secure communication: encrypted e-mail and secure messaging smartphone applications. These methods give Covered Entities and Business Associates a way to exchange sensitive PHI/ePHI without the risk of a breach through malicious cyber attacks or, more commonly, through a lost or stolen phone.
Please keep in mind that regular text messaging is not the only method of communication that can be found non-compliant. Others may include, but are not limited to, alphanumeric pagers, traditional e-mail services, voice mail, smartphones, tablets and laptops.
If you need to bring your communication methods up to HIPAA’s standards, please contact Advantage TeleMessaging, Inc. today at (855) 372-5551 and we’ll ensure that your messaging solutions are compliant.