HIPAA Communications in Healthcare

One of the longest-lasting impacts of the pandemic may be the creation and adoption of alternative communications methods in the healthcare arena. An HHS study released in December 2021 showed 2020 telehealth usage for Medicare patients increased 63-fold over 2019 (840,000 to 52.7 million).

Regardless of the method used, communications such as cloud-based VoIP, telehealth, texting, and email in healthcare must comply fully with HIPAA rules and regulations. 

HIPAA Requirements for Communications in Healthcare: Covered Entities vs. Business Associates

The HIPAA regulations divide businesses into two groups based on how they handle protected health information (PHI):

Covered Entities (CE): Healthcare providers, health insurers, and healthcare data clearinghouses fall into this category. These companies use PHI for treatment, billing, and data analysis to support those activities. Covered entities like doctors and insurance companies will create PHI in the course of their normal activities. 

Business Associates (BA): If a company takes possession of PHI to provide support services to CEs or other BAs, they are considered a business associate. Electronic health record services, third-party billers, and print/mailing firms that send statements to patients are some common examples of BAs. 

BAs must follow the provisions of HIPAA’s Privacy Rule, Security Rule, and the HITECH Omnibus Rule, including breach notification and the protection of PHI in physical or electronic (ePHI) formats.

Business Associate Agreements (BAAs) must be signed before exchanging PHI between organizations. The goal is to create an unbroken chain of HIPAA compliance in any place where PHI may be stored or used. 


HIPAA Requirements for Communications in Healthcare: Following All the Rules

Whether you’re a CE or a BA, the HIPAA standards are the same. Every company must address four key areas if they touch ePHI. The BAs that support your communications needs must share the same commitment to compliance.

  • Administrative – BAs providing communication services must implement security management processes and procedures to prevent, detect, contain and correct security violations of ePHI data. They must have an identified security officer and ePHI access management procedures. BAs must also have ongoing security awareness training, incident and contingency plans, and periodic security evaluations.
  • Physical – Communication service BAs must implement physical access control to all locations housing ePHI data as well as any endpoint devices (workstations, mobile devices, IP phones) that access any ePHI data.
  • Technical – BAs in the communication services industry must implement access control mechanisms to control access to ePHI data. User authentication, access logging, and auditing of ePHI data access are also required. Finally, transmission security for any ePHI data transmitted to and from the cloud must be provided.
  • Organizational – Communication service BAs must implement any additional policies and procedures to ensure compliance with all HIPAA security rules. All security documentation should be in written/electronic form.

HIPAA Requirements for Communications in Healthcare: The Must-Haves

As mentioned earlier, the goal when entering into BAAs with any organization that supports your company is to create an unbroken chain of HIPAA compliance that provides the most effective privacy and security protection for patient