HIPAA Guidelines on Telemedicine

Communicating ePHI at Distance

The HIPAA guidelines on telemedicine affect any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centers. Many people mistakenly believe that communicating ePHI at distance is acceptable when the communication is directly between physician and patient – and this would be what the HIPAA Privacy Rule would imply. However, the channel of communication used for communicating ePHI at distance also has to be HIPAA-compliant if medical professionals and healthcare organizations want to comply with the HIPAA guidelines on telemedicine.

This element of the HIPAA guidelines on telemedicine is contained within the HIPAA Security Rule and stipulates:

- Only authorized users should have access to ePHI.
- A system of secure communication should be implemented to protect the integrity of ePHI.

The first bullet point is fine provided physicians use "reasonable and appropriate safeguards" to prevent ePHI being disclosed to any unauthorized parties. However, the second bullet point means that unsecure channels of communication such as SMS, Skype, and email should not be used for communicating ePHI at distance.

Finally, according to the HIPAA guidelines on telemedicine, any system of communicating ePHI at distance must have mechanisms in place so communications can be monitored and remotely deleted if necessary. The system should also have automatic log-off capabilities if the system is not used for a period of time.

The second and third bullet points also relate to ePHI that is stored – an issue we will address in the next section.

Why You Should Not Use SMS, Skype or Email for Telemedicine

When ePHI created by a medical professional or a healthcare organization (covered entity) is stored by a third party, the covered entity is required to have a Business Associate Agreement (BAA) with the third party storing the data. This BAA must include methods used by the third party to ensure the protection of the data and provisions for regular auditing of the data's security.

As copies of communications sent by SMS, Skype or email remain on service providers' servers, and contain individually identifiable healthcare information, it would be necessary for the covered entity to have a BAA with (for example) Verizon, Skype or Google in order to be compliant with the HIPAA guidelines on telemedicine.

As (for example) Verizon, Skype and Google will not enter into BAAs with covered entities for these services, the covered entity is liable for any fines or civil action should an unauthorized disclosure of ePHI occur due to the third party's lack of HIPAA-compliant security measures. The covered entity would also likely fail any HIPAA audit for failing to conduct a suitable risk assessment – which might also affect the receipt of payments under the Meaningful Use incentive scheme.

There are some options for physicians who want to provide a HIPAA compliant telehealth service for patients, but these tend to be both complicated and expensive. For example, Microsoft will offer physicians a Business Associate Agreement if they want to use the HIPAA-compliant Skype for Business video service. However, in order to take advantage of this opportunity, each patient must also have an Office365 account linked to the cloud-based Skype for Business service. The cost of using the service (up to $35.00 per user per month) may deter some patients from wishing to use a HIPAA compliant telehealth service and, although cheaper options exist, they generally tend to be of insufficient quality for physicians to accurately diagnose patients' complaints. Furthermore, if patients have other applications running in the background, these may exhaust their bandwidth and make the service unusable.

Better Solutions for Communicating ePHI at Distance

Many healthcare organizations have elected to use a secure messaging solution to comply with the HIPAA guidelines on telemedicine. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but comply with the Security Rule in respect of only allowing authorized users to have access to ePHI, implementing a secure channel of communication, and monitoring activity on the secure channel of communication. These solutions for communicating ePHI at distance work via easy-to-operate apps that most healthcare professionals will be familiar with, as they have a similar interface to commercially available messaging apps. Each authorized user logs into their app using a centrally-issued username and password. They can then communicate with other authorized users within the covered entity's private communications network.