Email platforms such as Microsoft Office 365 remain an important mode of communicating with and sharing information about patients. But is email HIPAA-compliant?
The Health Insurance Portability and Accountability Act of 1996 Privacy Rule governs how healthcare organizations use, disclose and protect patients’ personal health information. It also covers business associates, including cloud services and email providers, that handle protected health information on their behalf.
As long as a HIPAA-covered entity secures a business associate agreement with an email provider such as Microsoft, email can comply with HIPAA rules.
That said, a BAA alone doesn’t guarantee HIPAA compliance.
According to Microsoft’s guidance on the issue, healthcare organizations must also ensure that access controls are configured correctly, that administrator access tracking is turned on, that Microsoft Dynamics CRM Online for supported devices is turned off, that access control reports are obtained and checked regularly, and that all users are trained to use Office 365 in a HIPAA-compliant manner, such as by not including protected health information in subject lines.
Email Encryption Offers Additional HIPAA-Compliance Safeguards
In an industry slow to adapt to new technologies — many healthcare organizations still use pagers and fax machines — email remains a popular mode of communication. It’s useful for marketing and fundraising, appointment reminders, and alerts to new messages, test results or other information available on a secure patient portal, for example. Internally, clinicians and staff frequently use email for nonurgent communications with peers, such as when seeking a second opinion.
But organizations can shore up security by taking a multipronged approach, adding encryption software to email platforms and using secure messaging platforms to share urgent patient information quickly.
“There’s no training required. It’s very simple,” says Marvin Onyemaechi, director of information technology operations at George Washington University Hospital. Typing the word “private” in the subject line automatically triggers encryption. “That’s all you need to do,” he says.
HIPAA-Compliant Messaging for Clinical Communications
Although the District of Columbia’s 371-bed, Level I trauma hospital, which is affiliated with George Washington University’s medical school, uses email for nonurgent communications, it also uses TigerConnect’s HIPAA-compliant clinical communication and collaboration platform for time-sensitive alerts that could affect patient safety, such as activating a trauma team or a cardiac catheterization laboratory team.
The platform, which operates on both Android and iOS, has allowed the organization to switch from hospital-issued pagers to a BYOD program: Users access the secure messaging system on their personal smartphones and tablets.
“Smartphones are so much more functional,” says Chief Medical Information Officer Brian Choi. “They allow for voice calls, text messages, photos and videos, all on one device.”
And TigerConnect messaging is based on web 2.0 technology, similar to Facebook and Instagram. “It’s so simple that anyone can just pick it up and use it,” Onyemaechi says.
In fact, staffers and affiliated physicians, especially millennials, were already transitioning away from pagers, Choi says, leaving them in desk drawers and taking phone calls or texts on their personal devices instead. That mosaic of approved and unapproved communication channels was worrisome, especially since the hospital’s own read on the HIPAA regulations is that SMS texts are not compliant.
“We have about 2,000 active [TigerConnect] users sending 400,000 messages per month,” Choi says. “That tells me there probably was a ton of noncompliant SMS messaging being used before. That risk of PHI loss was what drove us to messaging.”
HIPAA-Compliant Communication Supports the Triple Aim
The hospital has completely decommissioned its pagers since adopting TigerConnect. It added charging stations throughout the campus to ease fears that the BYOD program would drain users’ batteries, and has a small cache of loaner Apple iPods, preloaded with TigerConnect and other apps.
The BYOD approach saves money through the simple fact that organizations aren’t buying the devices, but there are efficiency and patient-safety gains to HIPAA-secure messaging, as well.
Auto-forwarding to a nonsterile nurse in the operating room, for example, allows a scrubbed-in surgeon to respond to urgent requests without giving away his or her password or device. Blast messaging can reach an entire team at once, improving response times and key quality measures, such as door-to-balloon times.
“Some people might say the pagers are not going to go anywhere,” Onyemaechi says. “I think that it’s a disservice to our patient community. Everyone knows now: What the world was is not what it is today.”
In fact, any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions — such as encrypted email to communicate with patients and secure messaging systems to facilitate time-sensitive internal communications — might be the better bet.