How to Dabble In Electronic Compliance — HIPAA Style!
Ideas on how to prune the low-hanging fruit of your electronic noncompliance.
There is no shortage of HIPAA seminars and websites giving healthcare workers advice on compliant practices, or on revamping (and managing) traditional paper systems into something more compliant. There is, however, a shortage of direction when it comes to digital data and technology infrastructure. In the world of HIPAA, technology requirements and how to manage data can become a very confusing and quite complex pursuit.
Many providers ask questions like: “Is my website secure?” They then look at their website, point out the security padlock in the browser and say: “Yup, we're a-ok.” Although that’s a very superficial assessment, it may be good enough for a small business not operating within the requirements of HIPAA. On the other hand, those in white coats are bound by HIPAA law, and superficiality is out of the question. So the question deserves far more than what’s typically given. Unless your consultant is very uncommon, their knowledge of web security probably goes no deeper than what they relayed to you, and many don’t understand HIPAA compliance.
Like many things in life, problems and their solutions are like two ships passing in the night. The internet is a cooperative anarchy with few governing rules. It is no wonder it’s considered totally fine to offer internet services much like a house with only a properly locked front door. We think the padlock implies there’s some sort of vetting process, but all it really means is that the server is the proper server and that the traffic to it can be encrypted. This article merely skims the surface to get practitioners to think about compliance solutions.
Let’s start small and just dabble with two very non-compliant electronic practices:
Using email to communicate with patients
Using a “Contact Us” form on your website
If your practice uses email to communicate with (or about) your patients, you should just stop – like right now!
Here are some reasons why:
There is no patient correspondence that doesn’t require stringent encryption. In other words, the mere fact that you’re emailing a patient (about something like the weather, for instance) still requires compliant communication, because you exchange protected information just to communicate: the email address, first name and last name are all protected and require encryption, and email cannot provide it.
Unfortunately, there’s a very large, and equally unintended, false storefront of security when using email. Part of this is a misunderstanding about how email works. Many believe messages are sent directly from one person to another, when in reality people do not exchange email directly at all. Only service providers do, proxying the SMTP (server) service on your behalf. This means your messages are (possibly) encrypted only while in transit between your device and your service provider, and likewise on the remote end between the recipient and theirs.
Sadly, this step in the life of an email is potentially its most secure, yet before the payload is even sent it is already a compliance liability, because the message is saved on the device in plain text, in some cases forever...
Back when modems were common and WiFi was unencrypted, a groundswell of concern about phone-room espionage and sniffing of the radio spectrum needed a solution. That solution was to encrypt specific types of internet traffic end to end, and to clarify, end-to-end meant from desktop to remote server. Below you’ll see why this becomes somewhat meaningless with email.
Once a message is received by the service provider, it sits in a queue in plain text before it’s passed on. This is temporary, but it could also be hours or days if there is heavy congestion or a failure. Once sent, the original message goes into the sent folder on the server, (you guessed it) in plain text.
We have no idea of, or control over, who processes your email or by what means. Each hop queues the message in plain text before sending it on.
The final destination for email is a maildrop, which is a file or directory of files in plain text (naturally), where it sits indefinitely.
Of course, patients sending email produce the same non-compliance issue, so a helpful email address on your website isn't a good thing.
The underlying concept above is the phrase “in plain text”. From a HIPAA law standpoint the view is simply this: patient information may not be transported to, or saved on, any device in plain text. There is a means to encrypt email end-to-end (called S/MIME). It functions, with configuration and usage challenges: it does not encrypt the message subject nor the email addresses. This means the subject must be free of protected information (enforced by the composer). The email address must be protected under the law, so S/MIME is possibly quasi-compliant depending on how it’s used, but it certainly breaks the spirit of the law. Another show-stopper is that S/MIME cannot handle unprepared inbound messages, such as those a new patient would send.
If all you do after reading this is stop using email to relay healthcare information, it would be considered a huge win! To communicate compliantly, in brief, you need:
To scrap email and use a private communication system
Use end-to-end encryption during transmission and storage
Use extremely secure modern tools and practices, built from the ground up for compliance
At Patient Protect we do it this way:
Your practice invites patients to communicate securely
They create an account
Authenticate and communicate
Using a website “Contact Us” form to land new patients.
Here’s why healthcare offices need to rethink this:
They virtually all use email to deliver the message to your office, with all the horrible non-compliant flaws described above.
There is no information of value you could request which does not require encryption. The whole purpose is to get a name, number and email address, and these must all be encrypted.
Form-to-mail tasks often delay sending to prevent abuse. The queued messages are surely stored in plain text.
Then it’s sent via email, which (if you missed the topic above, you should read it) is horribly non-compliant.
The damage of using this process is that when the email is received it’s easy to forget it contains protected information, and most would be inclined to simply respond via return email, which only multiplies the non-compliance.
So what’s worse than using email with patient data? Inadvertently advertising, in a world-wide searchable way, the fact that the office is disregarding HIPAA law, essentially turning the helpful “Contact Us” page on the website into a liability. A local search for “dentist” and “contact” returns, say, 20+ websites. Viewing each typically shows 15 practices using web forms that are sent via email.
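The form-to-mail pattern above sits beside a notification-only alternative in the added example below. This is illustrative code written for this article, not Patient Protect's product or the original post's code; the in-memory `secure_inbox` dictionary is a stand-in for a protected messenger and does not implement the encryption at rest such a system needs. The `leaked_fields` check is the part worth keeping: it shows, for any outgoing notification, which of the submitted fields ended up in the mail at all. The submission values are constructed.

```python
"""Form-to-mail versus notification-only handling of a "Contact Us" form.

Added example for this article. The secure_inbox dict stands in for a
protected messenger; real storage must be encrypted at rest, which is
deliberately out of scope here. All submission values are constructed.
"""
import secrets
from email.message import EmailMessage

OFFICE_ADDRESS = "frontdesk@clinic.invalid"   # hypothetical office mailbox
WEBSITE_SENDER = "website@clinic.invalid"     # hypothetical form sender

# Constructed sample submission (fictitious person).
SAMPLE_SUBMISSION = {
    "name": "Jane Example",
    "phone": "555-123-4567",
    "email": "jane.example@patient.invalid",
}


def form_to_mail(submission: dict) -> EmailMessage:
    """The common pattern: every submitted field is emailed to the office.

    Reply-To is set to the patient, which invites the staff to answer by
    plain email and keep the conversation in the same non-compliant channel.
    """
    msg = EmailMessage()
    msg["From"] = WEBSITE_SENDER
    msg["To"] = OFFICE_ADDRESS
    msg["Reply-To"] = submission["email"]
    msg["Subject"] = f"New contact request from {submission['name']}"
    msg.set_content(
        f"Name: {submission['name']}\n"
        f"Phone: {submission['phone']}\n"
        f"Email: {submission['email']}\n"
    )
    return msg


def notify_only(submission: dict, secure_inbox: dict) -> EmailMessage:
    """Store the submission out of band and email only an opaque reference.

    The notification carries no submitted data, so it can travel over
    ordinary email; the content is read by signing in to the inbox.
    """
    reference = secrets.token_urlsafe(16)
    secure_inbox[reference] = dict(submission)
    msg = EmailMessage()
    msg["From"] = WEBSITE_SENDER
    msg["To"] = OFFICE_ADDRESS
    msg["Subject"] = "New contact request waiting"
    msg.set_content(
        "A new contact request is waiting in your secure inbox.\n"
        f"Reference: {reference}\n"
        "Sign in to view and respond to it.\n"
    )
    return msg


def leaked_fields(msg: EmailMessage, submission: dict) -> set:
    """Names of submission fields whose values appear anywhere in the mail."""
    rendered = msg.as_string()
    return {field for field, value in submission.items() if value in rendered}


def compare(submission: dict = SAMPLE_SUBMISSION) -> dict:
    """Run both handlers on one submission and report what each one leaks."""
    inbox = {}
    weak = form_to_mail(submission)
    hardened = notify_only(submission, inbox)
    return {
        "form_to_mail": leaked_fields(weak, submission),
        "notify_only": leaked_fields(hardened, submission),
        "stored_out_of_band": len(inbox),
    }


if __name__ == "__main__":
    for handler, result in compare().items():
        print(f"{handler}: {result}")
```

The same `leaked_fields` check can be run against any notification template your site sends; if it returns anything other than an empty set, the template is carrying submitted data into email.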
At Patient Protect we do it this way:
You design a form using our tool (or select one from our gallery)
Full documentation gives your web person instructions to make the minor changes to your page to allow the form
When visitors come, the form you designed is presented
We securely and compliantly process your data and deliver it into our online messenger
We notify you via a compliant email that you have a new message
Conventional email CANNOT be made HIPAA compliant!
Patient Protect was created from the ground up to be your solution for compliant communication.