As technology continues to develop, there are more and more ways to share patient data within your practice. iMessage is one example in particular that has been integrated into medical offices for internal communications between employees. While this is a faster way to facilitate conversation, the question becomes: is iMessage HIPAA compliant?
Under the Health Insurance Portability and Accountability Act (HIPAA), there are national standards that health care organizations must implement in order to safeguard the privacy and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient; this can be their name, address, date of birth, or social security number, to name a few.
When it comes to messaging services, such as texting and iMessage, the same HIPAA rules for privacy and security apply to sensitive PHI that is communicated on those media. However, Apple does not currently address these HIPAA privacy and security requirements in their iMessage service. There are a number of HIPAA compliant messaging and data storage apps that have been well-known among iPhone and Mac users, but Apple’s iMessage messaging system remains insecure and non-compliant.
The main takeaway from a HIPAA compliance perspective is that if you send patient data over iMessage, you are putting your practice at risk of a data breach and the potential for serious HIPAA fines.
Business Associate Agreements are the Law
In order to better understand why you cannot use iMessage in a HIPAA compliant manner, here is an outline of some of the HIPAA compliance requirements that govern how and when you can work with messaging platforms. If you are a healthcare provider or vendor, that means that you are a covered entity under the law.
Covered entities are any organizations that use PHI for the purpose of payment, treatment, or healthcare operations. Covered entities have specific requirements under HIPAA regulation that apply to their practice. However, you need to understand your HIPAA business associate requirements in order to keep your business safe.
A business associate is any individual or organization that necessarily encounters PHI over the course of the services that they have been hired to provide for another healthcare organization. Common examples of BAs include billing companies, secure messaging apps, cloud storage providers, and many others.
Before any PHI can be shared with a business associate, you must execute a business associate agreement (BAA). A business associate agreement is essential to protecting your practice from liability in the event of a data breach caused by your business associate. Health care providers are required to execute a BAA with their business associate prior to any PHI being shared, exchanged or transmitted.
Unfortunately, if there is no business associate agreement in place and you are sharing PHI with vendors, then you are not HIPAA compliant. There must be an understanding between covered entities and their business associates about the risks posed by a PHI breach and the role that each organization plays in protecting PHI.
Since iMessage can be used to share and store PHI, health care organizations would need to legally execute a BAA with Apple prior to using their iMessaging service.
Right now, Apple does not sign business associate agreements with any health care providers or HIPAA-beholden entities using iMessage. Unless iMessage becomes HIPAA compliant, you should not share patient information through this system.
iMessage and HIPAA Encryption
In addition to the HIPAA business associate standards that iMessage does not address, there are also data security issues at play.
When you send data over iMessage, that data is sent via Apple’s servers, where it gets temporarily stored on the way to its intended recipient. That means that if Apple experienced a data breach or decided to access those servers, then any PHI that was transferred via iMessage would be readily accessible.
HIPAA sets specific standards for the type of encryption that must be in place in order to keep data secure. Data being transferred electronically is known as data-in-motion under HIPAA regulation, and that includes PHI that would potentially be sent via messaging apps like iMessage.
According to HIPAA, data-in-motion can only be sent over an encrypted channel. End-to-end encryption is a type of encryption that must be used to secure data-in-motion. It ensures that only the sender and intended recipient are able to view the data being transmitted. iMessage does not utilize end-to-end encryption, meaning that the data can be viewed while it is in transit by any third party that gains access.
Business Associate Agreements Done Right!
At Compliancy Group, we simplify business associate management with our HIPAA compliance web-app, The Guard. The Guard gives users everything they need to manage their vendors, with built-in business associate agreements, vendor audit questionnaires, and annual tracking to stay HIPAA compliant.
Our expert Compliance Coaches will guide you through the entire process and are always available to answer any of your questions. And in the event of a breach, users can contact their Compliance Coach for assistance with documentation, tracking, investigating, and reporting.