By Jonathan Bryant on Jul 16, 2020 10:38:10 AM
Real-time mobile and live-chat communications are becoming the norm in health care and other businesses. Patients and clients appreciate the ease-of-use, and practices can save precious time while maintaining relationships. But with these modern conveniences comes the need to be in compliance with the Health Insurance Portability and Accountability Act of 1996.
Like everything HIPAA related, it’s complicated. That’s why it’s essential to know the rules and how to comply with them. The following are four key factors of the HIPPA regulation contained in 45 CFR § 164.312 - Technical safeguards, that apply to live chat and mobile digital communications.
Defined in 45 CFR § 164.312(b) Standard: Audit controls, this rule states that covered entities must “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
What this means is those covered entities and business associates who manage electronic personal health information (or ePHI) are required to create and track audit trails of ePHI through the use of audit logs that must be monitored and reviewed regularly and maintained within a record system.
This audit information is essential to know who is accessing ePHI and when, and to determine if a system has been breached from outside or from within by someone not authorized to have access. It also can help recover from a system breach and prevent new ones.
The Department of Health & Human Services cyber newsletter, “Understanding the Importance of Audit Controls,” spells out the fine points of audit controls, answers common questions and provides additional resources.
Please note that audit controls are not the same as HIPAA audits, which are inspections by HHS of facilities for enforcement of HIPPA rules and regulations.
Defined in 45 CFR § 164.312(a)(iv) Standard: Implementation specifications (addressable) and 45 CFR § 164.312(e)(2)(ii) Standard: Implementation specifications: Encryption (addressable), states that encryption should be used “whenever deemed appropriate.”
Encryption is the conversion of normal test into encoded text so that only someone or some entity with the key to the code can access the text. Although encryption is a great way to protect ePHI, under the HIPPA regulation it is not mandatory. Rather, it is “addressable,” which means it “must, therefore, be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”
The onus is on the covered entity to make the determination whether or not encryption is “reasonable and appropriate” and if not, the decision must be documented and “an equivalent alternative measure, presuming that the alternative is reasonable and appropriate, “ must be implemented, unless the standard can be met without it. In every case, documentation of the determination is required.
The HIPPA Journal article, “HIPAA Encryption Requirements,” provides a concise and thorough overview of HIPPA encryption and compliance.
Secure Data Centers
Defined in 45 CFR § 164.312(a)(1) Standard: Access Control, data centers include the information systems and people used to send, receive, access, manage, and store ePHI. According to the HIPPA regulation, “Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.” Thus, anything and anyone associated with ePHI is covered under HIPAA, whether onsite, off site or on the cloud, must adhere to the strict regulations for privacy and security.
For many practices, it is most cost effective to maintain data offsite but to do so lawfully requires that the service provider also is in compliance. When choosing an offsite or cloud data center service provider, the HIPPA rules generally require a covered entity to “enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.”
These contracts or BAAs, (business associate agreements), also make the business associate liable for unauthorized “uses and disclosures of protected health information” not explicitly defined in the agreement and for failing to protect ePHI in accordance with HIPAA.
The HHS article, “Business Associate Contracts” spells out BAAs and includes definitions, sample provisions for agreements and other important aspects to include.
Defined in 45 CFR § 164.312(d) Standard: Person or entity authentication, it requires the implementation of procedures “to verify that a person or entity seeking access to electronically protected health information is the one claimed.”
Generally, there are two main forms of authentication:
Single-factor authentication, which is a password to log in and access the information or system, and
Multi-factor authentication, which is the use of two or more factors to validate access to a system or information. This is what is used when accessing a bank account via an ATM, by first swiping a card and then entering a password, pin or code.
The HHS cyber newsletter, “What Type of Authentication is Right for you?” defines authentication techniques, and the HIPPA Journal offers a look at multi-factor authentication and what’s next, in the article, “57% Rely on Multi-Factor Authentication to Improve Security but MFA is Not Infallible.”
Maintaining HIPAA compliance while using mobile communications and live chat may seem daunting, but it’s much less so when working with a reputable and qualified partner to achieve set goals. Always err on the side of caution by choosing a service provider that has the technical and human infrastructure in place to meet or exceed standards as high as those used in your practice.
Learn more about how Site Staff can help and take a Free 30-day Trial to experience the level of service you deserve.