Regardless of the method used, communications such as cloud-based VoIP, telehealth, texting, and email in healthcare must comply fully with HIPAA rules and regulations.
HIPAA Requirements for Communications in Healthcare: Covered Entities vs. Business Associates
The HIPAA regulations divide businesses into two groups based on how they handle protected health information (PHI):
Covered Entities (CE): Healthcare providers, health plans (insurers), and healthcare clearinghouses fall into this category. These organizations use PHI for treatment, payment, and healthcare operations, and they create PHI in the course of their normal activities (a physician documenting a visit, an insurer adjudicating a claim).
Business Associates (BA): A company that creates, receives, maintains, or transmits PHI in order to provide a service on behalf of a CE or another BA is a business associate. Electronic health record vendors, third-party billing services, cloud communications providers, and print/mailing firms that send statements to patients are common examples.
BAs are directly liable for complying with the applicable provisions of HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule, a liability the HITECH Act introduced and the 2013 Omnibus Final Rule made binding, and they must protect PHI in both physical and electronic (ePHI) form.
A Business Associate Agreement (BAA) must be in place before any PHI is exchanged between organizations. The goal is an unbroken chain of HIPAA obligations covering every place PHI may be stored, processed, or transmitted.
HIPAA Requirements for Communications in Healthcare: Following All the Rules
Whether you're a CE or a BA, the Security Rule standards are the same. Every organization that touches ePHI must address four areas, and the BAs that support your communications needs must meet the same bar.
- Administrative – BAs providing communication services must implement a security management process (risk analysis and risk management) to prevent, detect, contain, and correct security violations involving ePHI. They must designate a security officer and define ePHI access management procedures. They must also run ongoing security awareness training, maintain incident response and contingency plans, and perform periodic security evaluations.
- Physical – Communication service BAs must control physical access to every facility housing ePHI, and must govern the workstations and devices (desktops, mobile devices, IP phones) that access ePHI, including how they are secured, moved, reused, and disposed of.
- Technical – Communication service BAs must implement access controls that limit ePHI to authorized users and processes, authenticate the person or entity requesting access, log and audit ePHI access, and protect ePHI from improper alteration or destruction (integrity controls). Finally, they must provide transmission security for ePHI sent to and from the cloud, so that it cannot be read or modified in transit.
- Organizational – Communication service BAs must carry the required Security Rule terms into their contracts (the BAA itself, and agreements with any subcontractors) and maintain the policies and procedures needed to comply with the Security Rule. All security policies, procedures, and actions taken must be documented in written or electronic form, retained for six years, and kept available to the workforce responsible for implementing them.
HIPAA Requirements for Communications in Healthcare: The Must-Haves
As mentioned earlier, the goal when entering into a BAA with any organization that supports your company is an unbroken chain of HIPAA compliance that gives patient PHI and ePHI effective privacy and security protection at every hop.
What does that look like when evaluating healthcare communications vendors, or any vendor providing data services and support? While each situation may require specific-use solutions, there are some general things you should look for:
Multi-Factor Authentication (MFA) on ALL devices – MFA should be enforced for every desktop, laptop, smartphone, or other device that can access, transmit, or store ePHI. The Security Rule does not name MFA explicitly, but it is the most direct way to meet the person-or-entity authentication standard.
Full encryption in transit and at rest – All content and communications must be encrypted both in transit (TLS 1.2 or later negotiating only AEAD cipher suites such as AES-GCM or ChaCha20-Poly1305) and at rest (256-bit AES) within the data centers. Older vendor material still lists RC4 as an acceptable transport cipher; RC4 is broken and its use in TLS is prohibited by RFC 7465, so its presence in a vendor's cipher list is a finding, not a feature.
Downstream BAA compliance – Every vendor should be HIPAA compliant in its own right and should have executed BAAs with each subcontractor or third party that handles your ePHI.
End-to-End HIPAA Compliance – All three components, the communications service provider (and any associated data center), the connectivity circuit, and the endpoint devices where ePHI is accessed, must be HIPAA/HITECH compliant for the transmitted data to be protected end to end.
Proactive Security and Recovery Solutions – The communication service provider should employ current physical and cyber security controls appropriate to ePHI. They should patch software and systems promptly, monitor for new threats such as malware, conduct penetration testing to identify possible entry points for attackers, and maintain tested recovery plans that restore your services quickly and securely.