HIPAA's Security Rule emphasizes the risk management process rather than the particular technologies used to manage risk – so for hospitals and health systems, the pathway to safeguarding electronic communication of PHI lies in creating an overall risk management strategy. Ideally, leaders of the covered entity (CE) will form an information security committee to develop and execute that strategy: a committee that includes representatives from IT, operations, the medical staff and nursing, as well as legal counsel. Leaders should also consider including an external security firm in the group. Once the committee is formed, the organization should take the four essential steps for protecting the security of ePHI.
Step 1: Conduct a formal risk analysis – The Security Rule requires this step (45 CFR 164.308(a)(1)(ii)(A)), and it is the foundation for everything that follows. Whether conducted internally or outsourced to an external consultant, the analysis must inventory the types of technology used for electronic communication (pagers, email, text messaging, secure messaging applications and so on) and the transmission routes for all ePHI, including where it is created, received, stored and transmitted.
Clinical communication also raises the Privacy Rule's “minimum necessary” standard (45 CFR 164.502(b)): PHI that is used, disclosed or requested should be limited to what is needed for the purpose at hand. One caveat: the standard does not apply to disclosures to, or requests by, a health care provider for treatment, so a physician-to-nurse message about a patient's care is exempt. Even so, limiting message content to what the recipient actually needs is sound security practice, because it reduces what is exposed if a device or channel is compromised. Deciding, channel by channel, what content is appropriate adds a layer of complexity that underscores the need for a comprehensive security assessment and strategy appropriate for the organization, coupled with the resources necessary to implement it. The assessment should also evaluate the strength of the administrative, physical and technical safeguards currently in place.
Step 2: Develop an appropriate risk management strategy – Once the analysis is complete, the committee should develop a risk management strategy specific to the needs and vulnerabilities of the organization and designed to reduce the risk of a breach to a “reasonable and appropriate level,” the standard the Security Rule itself uses (45 CFR 164.308(a)(1)(ii)(B)). HIPAA does not define “reasonable” in any precise way; in general, the strategy should include policies and procedures that ensure the security of message data in transit, during routing (including any vendor or carrier infrastructure a message traverses) and at rest on servers and end-user devices. The strategy should also specify administrative, physical and technical safeguards for ePHI.
Decisions about safeguards will require the committee to consider the limits the organization will impose on electronic communication of PHI. The committee should develop detailed written policies on permitted staff behavior when communicating ePHI, including required actions in the case of a suspected breach: internal reporting, the notifications the Breach Notification Rule requires (affected individuals, HHS and, for breaches affecting more than 500 residents of a state, prominent media), and sanctions for staff who violate policy. It is also critical for the group to define the audit trail kept for messages, at minimum the sender, receiver, date and time of each message (the Security Rule's audit controls standard, 45 CFR 164.312(b)), so that the organization can reconstruct who communicated with whom and when, for accounting and reporting in case of a breach.
Step 3: Implement policies and procedures and train staff – Implementing new policies and procedures is the biggest challenge for organizational leaders, especially since many reported breaches stem at least in part from staff who were not adequately trained. Appropriate individuals should therefore be assigned specific implementation tasks for which they are held accountable, while leaders and committee members monitor the progress of implementation. All staff with access to PHI must be trained on the specific policies and procedures; the Security Rule's security awareness and training standard (45 CFR 164.308(a)(5)) requires such a program for all workforce members. Training belongs in new-hire orientation and should be repeated regularly (e.g., annually) for existing employees.
Step 4: Monitor risk on an ongoing basis – To ensure continued compliance with security standards, organizations must monitor their information security risk continuously rather than treating the risk analysis as a one-time event; the Security Rule also calls for periodic technical and nontechnical evaluation in response to environmental or operational changes (45 CFR 164.308(a)(8)). Leaders should receive regular trend reports from the information security committee based on its ongoing assessment of ePHI security at the organization, and should ensure that security needs are reassessed as technology and health care delivery change – for example, in response to the greater care coordination required under accountable care.
HIPAA contains no detailed rules for specific electronic communication channels such as text messaging, and HHS does not certify products, so a “HIPAA-compliant texting application” is a misnomer: compliance is a property of the covered entity's risk analysis, policies and safeguards, not of a product. (A messaging vendor that stores or transmits ePHI on the CE's behalf is a business associate and must sign a business associate agreement, but that agreement does not by itself make the CE's use of the product compliant.) Instead, HIPAA requires that CEs complete a risk assessment and implement policies and procedures to manage the risk of a breach to a reasonable level. In today's increasingly complex healthcare environment, analyzing and implementing a broader security policy across all forms of electronic communication, rather than treating any one mode in isolation, and following the steps above will be critical to any health system's ability to avoid and mitigate the adverse consequences of a breach.