By Jonathan Bryant on Feb 12, 2020 6:45:00 AM
The Health Insurance Portability and Accountability Act of 1996 is a far-reaching law meant to “improve the efficiency and effectiveness of the health care system.” When it was passed, online technology was in its infancy, and as a result, the law has evolved to cover electronic health care transactions for health plans, health care clearinghouses and health care providers.
Today, online communication has become a way of life, especially in health care. Specifically, live chat is becoming the channel of choice for millions around the world who want to communicate quickly and safely. But is it possible to provide live chat that is HIPAA compliant? The answer is a resounding YES — if your live chat provider is as dedicated to HIPAA compliance as you are. Here’s a look at the primary regulatory requirements to help you make a wise choice.
The Big Three
Protection of electronically protected health information (ePHI) is primarily defined in the HIPAA Security Rule of 2003 under three main sections:
Administrative Safeguards — These are the policies and procedures governing “the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.” For a live chat provider (a “business associate” under the regulations), this broadly covers the provider's own policies and procedures as well.
This section includes the security management process, requiring risk analysis, risk management, a sanction policy, and information system activity review; assigned security responsibility; workforce security, including access authorization/supervision and workforce clearance and termination procedures; information access management, including policies and procedures for granting access; access establishment and modification policies and procedures that establish, document, review and modify rights of access; security awareness and training; security incident procedures, response and reporting; contingency planning; and periodic evaluation.
Physical Safeguards — These are the actual “physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Addressed under this section are policies and procedures for facility access, security and validation; maintenance records; workstation use and security; the receipt, use, re-use, removal, and disposal of hardware and electronic media containing PHI and associated accountability; and data backup.
Technical Safeguards — These are “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.”
In this section are access control including unique user identification, emergency access procedures, automatic logoff, and encryption/decryption; audit controls; system integrity to verify PHI has not been altered or destroyed; access authentication; and transmission security including integrity controls and encryption.
Live chat HIPAA compliance is not simple, but it’s also not optional. In short, your live chat provider is held to much the same regulatory oversight as your practice and should be able to demonstrate compliance. In less regulatory terms, here are a few of the requirements that, when met, indicate a live chat provider takes HIPAA compliance seriously:
- Use of an SFTP (SSH File Transfer Protocol) server that is HIPAA compliant. Although the use of an SFTP server alone does not guarantee compliance, the use of a plain FTP server for ePHI violates the HIPAA Security Rule, because FTP transmits credentials and file contents in cleartext. The HIPAA Guide blog, “HIPAA-COMPLIANT SFTP SERVER REQUIREMENTS,” takes a more in-depth look at server requirements.
- Use of encryption/decryption if a risk assessment determines “that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI.”
- Use of intrusion detection systems based on a risk analysis that identifies threats and vulnerabilities to ePHI. This should also include training for system users on how to detect and report malicious software. The DHHS factsheet, “Ransomware and HIPAA,” looks at ransomware as one of the security threats to protect against.
- A business associate contract containing all the elements of 45 CFR 164.504(e) that expressly defines what ePHI use is permitted; states that the business associate will not exceed that use or disclose ePHI other than as permitted by the contract or the law; and that the business associate will use “appropriate safeguards” to protect the ePHI. The U.S. Department of Health and Human Services offers a sample business associate contract with the primary recommended language and provisions.
- Signed confidentiality agreements from all live chat hosts and anyone else with access to ePHI. While there are templates and forms available online, it is best to have an attorney provide one that is up to date with HIPAA.