HIPAA and Data Encryption
New HIPAA encryption requirements were introduced in the Final Omnibus Rule – which updated existing legislation in the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) and the Health Insurance Portability and Accountability Act 1996 (HIPAA) – in order to reduce the risk of sensitive patient health information being compromised.
The new rules relating to HIPAA text message encryption and HIPAA email message encryption were enacted in September 2013, after a six-month period was allowed to enable third-party service providers – who previously did not have to comply with HIPAA data encryption regulations – to compile suitable policies for the security of patient health information when it is being sent, received or stored.
However, any employer, health insurance provider or healthcare professional that provides an existing service covered by HIPAA also needs to be aware of how the revised rules relating to HIPAA data encryption may affect them, and how their business should be conducted to comply with the new HIPAA encryption requirements.
Breaches of Patient Health Information
Due to technological advances and changes in work practices, sensitive patient health information is often communicated by portable mobile devices such as cell phones, smartphones and tablets. The potential for data being compromised when using public Wi-Fi or open cell phone networks is vast – as it is when patient health information is stored on a mobile device that is then stolen or lost – and the revised HIPAA data encryption regulations intend to address these issues. Consequently:
- Any organization which maintains patient health information has to conduct periodic risk assessments, and establish processes and procedures to protect electronically stored patient health information.
- The risk assessments should consider whether personal mobile devices are being used to exchange patient health information, and whether proper authentication, encryption and physical protections are in place to assure the integrity of the data.
- Employees and sub-contractors should be informed of the processes and procedures to use when using mobile devices to access or communicate patient health information, and educated on the consequences of data breaches and HIPAA data encryption violations.
- HIPAA compliance policies should cover the scenarios in which mobile devices are lost or stolen, or in which the owner wishes to sell or dispose of the device, so that patient health information can be removed from the device remotely (¹).
- Employees and sub-contractors with access to patient health information via a mobile device should be told not to maintain any patient-related data they receive on the local storage facility of their mobile devices.
(¹) When patient health information has been lost or stolen, but has been secured by encryption, it is not always necessary to notify the patient or the Office for Civil Rights if the breached data is “unreadable, indecipherable, or unusable” and the encrypted data can be removed remotely.
Why HIPAA Email Message Encryption is Not the Solution
Although encrypting an email provides a certain level of security for transmitting patient health information, during the transmission of an email the message is copied multiple times on email servers before it reaches its intended recipient. Even when encrypted, there is no way to completely recall or delete the email and, should the mobile device from which it was sent – or the one on which it was received – be stolen or lost, the content of the email can easily be accessed.
The new regulations relating specifically to HIPAA text message encryption and HIPAA email message encryption “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic patient health information”, and this is something which cannot be completely achieved by email encryption (²). Because of the lack of security offered by email encryption, it is in the best interest of organizations to consider a secure text messaging platform to remain compliant with the HIPAA encryption requirements.
(²) It should be noted that failure to comply with the HIPAA encryption requirements could result in criminal charges being brought by the Office for Civil Rights or a civil action being filed by an individual whose patient health information has been compromised.
Compliance with HIPAA through Text Message Encryption
Unlike email messages, secure text messages are stored locally on a secure server and the message carrier does not retain a copy of the message. They can still be accessed at any time in any place by the intended recipients (which is not always the case with secure email systems), unless the messages have been programmed to expire automatically to protect the integrity of patient health information.
The mobile device user can still use their personal device to access regular emails, SMSs and social media communications, but sensitive information will be sent and received using the secure messaging system and stored in a virtual private network. Compliance with HIPAA through text messaging encryption is assured, as the facility exists to remove a user from the network, and delete any sensitive data they may have received, if a risk assessment identifies a threat to the security of patient health information.
Why use TigerText to Comply with HIPAA Data Encryption Requirements?
TigerText's secure messaging platform is a cloud-based application which is simple to use and does not require the download of any software to operate. Most employees or sub-contractors will notice very little difference between their current SMS practices and using TigerText to comply with the HIPAA text message encryption requirements, and there are specific benefits of using TigerText which will more than compensate for any cost of establishing the system:
- TigerText's HIPAA text message encryption enables multiple users to collaborate, so that a team of healthcare professionals can all be involved in a single conversation despite being far apart.
- Staff efficiency is increased when TigerText is used on personal mobile devices as there is no waiting around for the recipient to access a workstation or log into an account.
- Message read receipts eliminate the need for follow-up messages to check whether a message has been received and read – again saving time and increasing efficiency.
- User management and review are easy to access and report on through various admin controls, in addition to basic reporting on messages and usage.
Contact Us to Learn More About TigerConnect
To learn more about TigerText's secure messaging platform – and how it complies with the HIPAA encryption requirements – you are invited to download our “Top 8 Secure Messaging Policy Best Practices Brief” and thereafter contact us with any questions you may have about HIPAA text message encryption or how TigerText's secure messaging platform can help you to comply with the new legislation.