Imagine patients running around and collecting their medical records scattered all over town before coming in for their appointment.
Or them calling the doctor’s office to get more information about their own medical data, only to get a reticent gatekeeper. Or patients taking a couple of hours off work to go to the doctor’s office, only to sit in the waiting room for another hour before they even get to see the doctor.
Those were the old days of complicated logistics that made it slow and difficult for patients to get the care they need.
The healthcare industry, however, has been moving online, where doctors and patients can communicate directly with each other using email, Zoom, and chat apps. Patients have been able to get care much faster. During the COVID-19 lockdowns, which accelerated underlying digitization trends throughout 2020, virtual telehealth has been a boon, particularly for mental health patients.
Growth in telehealth has resulted in massive time- and cost-savings, but a big question remains:
Are communication tools used for telemedicine HIPAA compliant?
What is HIPAA and why should you care?
HIPAA is the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that protects patient health information from being shared with others or the public without permission from patients.
Such protected healthcare information (PHI) is information that can personally identify a patient.
PHI data must not be breached or made public under any circumstances. Therefore, any technology or infrastructure through which this information travels must comply with HIPAA. This most certainly applies to email, chat messaging, intra-hospital communications, etc.
Who must comply with HIPAA?
There are two types of organizations that must comply.
Covered entities include:
- Doctor offices
- Insurance companies that provide treatment, payment, and healthcare operations
Business associates of covered entities, meaning providers of technological services that receive, transmit, or store PHI data, also must comply with HIPAA. These include:
- Cloud-based SaaS for health professionals
- Data analytics companies that process medical data
- Doctor-patient chat messaging apps
- Medical transcription services
What happens if you don’t comply with HIPAA?
Non-compliance with HIPAA can result in crushing fines that can potentially shutter clinics and bog hospitals down with liability, diverting their attention away from their core function: providing care to patients.
Common HIPAA violations can result in penalties ranging from one-time $50,000 fines to over $1,700,000 per year, per violation. There can also be disciplinary actions taken against violators, including suspension or loss of medical license. The most serious and egregious violations can also result in criminal charges.
In larger facilities, these penalties can add up quickly. It’s not hard to find examples of multi-million dollar non-compliance penalties: Tenet Healthcare’s data breach cost them $32.5 million. Even worse, the Anthem hack cost them over $100 million in financial penalties.
What are some benefits of HIPAA compliance?
1. Reduce liability
Doctors can provide care over virtual mediums without fear of breaking their patients’ confidentiality — or getting sued if their patient’s medical information wasn’t kept confidential.
2. Prevent healthcare fraud
HIPAA established a robust program to fight fraud. For example, HIPAA prohibits billing for services that weren’t actually performed, falsifying diagnoses to justify procedures that aren’t medically necessary, or using incorrect procedure codes to obtain payment for services not typically covered by insurance.
3. Build trust and reputation with patients
Complying with HIPAA enables you to take proactive steps to protect medical records and patients’ personal information using the latest data handling practices.
4. Shield from expensive penalties
Paying non-compliance penalties would use up funds that would otherwise go into growing your practice. On the other hand, being in compliance means your practice won’t be subject to punitive action if and when a breach occurs.
5. Enable one-stop shops for medical needs
Both doctors and patients can use an app or portal to directly communicate, dispense care, view and enter medical records, and update prescriptions all within a HIPAA-compliant framework. Compliant platforms make it much easier for healthcare professionals to coordinate care, billing, and data storage without fear of violating HIPAA.
How to achieve HIPAA compliance in 5 steps
1. Conduct a risk assessment
The first thing to do is to conduct a HIPAA risk assessment as part of your HIPAA compliance checklist. Using a checklist is useful because your organization may be compliant in some areas but not in others, and the gaps differ for every organization. Once the gaps are identified, filling them in should be straightforward.
2. Limit access
The second thing to do is to restrict access to sensitive information only to employees or patients on a need-to-know basis. For example, a patient’s medical history does not need to be shared with anyone else unless a specialist needs to see it in order to confirm a specific diagnosis. To do that, a good place to start would be to review patient consent procedures and all the roles at your own organization.
3. Use end-to-end encryption
Next, you’ll need to set up safeguards to ensure that PHI data is always protected with end-to-end encryption. Communication technologies such as email, messaging apps, and portals need to be encrypted following HIPAA’s encryption requirements.
Additionally, SaaS companies use these technological safeguards to ensure their products are HIPAA-compliant:
- Access control
- Audit controls
- Integrity controls
- Transmission security
4. Train your employees and build a culture of accountability
Once you have the risk assessment done and the technological framework in place, you’ll need to provide training to users, employees, and doctors on privacy and data security.
In terms of compliance, your technologies are only as effective as how your organization uses them. The HIPAA Journal lists the most up-to-date training requirements along with a downloadable and self-paced learning course.
5. Choose technologies that are already HIPAA compliant
Choosing a compliant app or technology is the easiest and fastest path to HIPAA compliance. However, these decisions must be carefully deliberated — and the products thoroughly vetted — before integrating them into your organization and workflow.
HIPAA changes in 2021: what you need to know
Although it’s been 25 years since HIPAA was first passed into law, there have been many changes to it over the years.
In fact, compliance requirements were loosened during the COVID-19 pandemic throughout 2020. However, this will soon change: the full force of the law will return into effect sometime in 2021, along with some new rules:
- New HIPAA privacy rule: New rules surrounding HIPAA privacy will greatly restrict ways PHI can be used or shared. Your technologies and internal procedures will likely need to be refreshed to stay in compliance.
- Right to access initiative: In our healthcare system, it has always been difficult and expensive for patients to get access to their own medical data and records — until this year. The Right to Access Initiative promises to make it easier and cheaper for patients to get copies of their medical records.
- National patient identifier: To reduce medical errors or misidentification of patients, a single identification number will be assigned to each patient and will be used by all doctors and hospitals across the entire healthcare system.
- End of COVID grace period: Currently no fines are being levied for telehealth during the pandemic, but healthcare organizations and business associates/vendors must put in a good faith effort to comply in case the temporary COVID-19 “grace period” ends in 2021 and HIPAA goes back into full enforcement.
- Location flexibility: If there is one area where the 2021 rule changes are less stringent, it is the location where care is rendered to patients. The more doctors and patients go online, the less it makes sense to confine care to specific geographical locations of either doctors or patients.
CometChat: Our HIPAA compliant chat messaging platform
Rather than trying to build your own HIPAA compliant chat messaging system, or hiring a team of developers to make an existing one HIPAA compliant, you can use a technology that is already compliant without having to reinvent the wheel.
CometChat is a cloud-based HIPAA compliant chat system with end-to-end encryption. Since it can be run on any platform without extra coding, installation and setup are easy enough that your organization would not miss a beat while providing care to patients.
Want a demo? Get in touch with us today.
- HIPAA Journal: What happens if you violate HIPAA
- HIPAA Journal: The Most Common HIPAA Violations You Should Be Aware Of
- HIPAA Journal: The Cost of HIPAA Non-Compliance
- HIPAA Security Suite: New HIPAA Privacy Rules: Everything You Need to Know Going into 2021
- CometChat: Doctor-Patient Communication: How We Make Healthcare Chat App Easy & Secure
- CometChat: Keeping PHI Secure: A Guide to Choosing a HIPAA Compliant Chat API
About the author
Nabeel Keblawi, a deaf entrepreneur, runs a Content Marketing and SEO agency that helps B2B SaaS companies grow organically in their industries around the world. His previous work experience involved software development, renewable energy, and cloud computing. In his personal life, Nabeel loves to go hiking with his family, and dust off his skis to hit the slopes given the chance. He is also an avid reader of fictional history.