3 Things a HIPAA Compliant Answering Service Shouldn't Do
If you work within the health care industry, you already know the importance of protecting patient health information (PHI).
A question we are regularly asked is, "How can I tell if I have a HIPAA compliant answering service?"
We'll dive into 3 quick ways to determine if you're at risk of a HIPAA violation with your medical answering service.
1. Sending PHI via Alpha Pager
Alpha or text paging is not secure for two main reasons. First, the data transmitted to a standard pager is not encrypted; it is little more than a short radio broadcast carrying the information that a specific pager is 'tuned' to listen for.
Second, a standard alpha pager is not protected by a password, so nothing keeps prying eyes from reading about Mrs. Smith's condition.
If the pager becomes lost, stolen or is simply left on a desk, anyone can gain access to the PHI on it, and there is no remote data-wiping software for pagers.
If your health care organization is still tied to using pagers, the news isn't all bad for you. Most of the major paging service providers now offer HIPAA compliant pagers. The bad news is that paging carriers are removing towers at an accelerating pace which affects your paging coverage area.
2. Sending Unencrypted Text Messages
We're always surprised by the number of answering services that send PHI to the on-call physician by way of standard text messaging. Text messaging is a no-fly zone as a method for sending patient health information.
Standard text messaging is not encrypted, hence anyone who wants to monitor the transmission can gain access to the PHI contained within the text message. There's no shortage of reports of fake cell phone towers being used to monitor mobile devices. They have been set up for the express purpose of intercepting information.
In addition, even though cell phones can have passwords protecting the access to the phone, text message notifications can still appear on the lock screen.
In order to be HIPAA compliant with respect to receiving text messages, it is necessary to download a secure text messaging app that complies with HIPAA's HITECH regulations.
These apps not only allow HIPAA compliant text messaging from the answering service to the device but also between phones.
3. Emailing Messages without Encryption
If you are receiving email with PHI from your answering service, it is critical that you can confirm it is encrypted. Standard email that is sent from one user’s computer to another is vulnerable at any point along that transfer without email encryption. Using unencrypted emails not only puts the content of the emails at risk but also the senders’ and receivers’ identities.
Encryption methods can include using TLS encryption. This means that as long as both your mail servers and the sending servers are configured to properly support TLS, a passive adversary along the route cannot read or modify the message while it is in transit.
Not sure if your mail server has TLS enabled? Use this online tool to test your email address to see if your servers support TLS encryption. Be sure to test your answering service's email address with this tool as well.
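As an added check (this is example code written for this post, not the online tool linked above or anything from the answering-service provider), the following Python script asks a mail server whether it advertises STARTTLS and, if it does, upgrades the session with certificate and hostname verification. The sample EHLO reply and the `mail.example.com` host name are constructed.

```python
import re
import smtplib
import ssl
import sys

# Constructed sample of an EHLO reply in the form smtplib.SMTP.ehlo() returns it
# (first line is the server's own name, then one ESMTP extension per line).
SAMPLE_EHLO_REPLY = b"mail.example.com Hello client\nSIZE 35882577\nSTARTTLS\n8BITMIME"


def parse_ehlo_capabilities(ehlo_reply: bytes) -> set:
    """Return the set of upper-cased ESMTP extension keywords in an EHLO reply.

    Accepts either the bytes smtplib returns or a raw transcript with
    '250-'/'250 ' prefixes; the first line (the server name) is skipped.
    """
    caps = set()
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        line = re.sub(r"^\d{3}[ -]", "", line.strip())  # drop a '250-' prefix if present
        keyword = line.split(" ", 1)[0].upper()
        if keyword:
            caps.add(keyword)
    return caps


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an SMTP server, see whether it advertises STARTTLS, and if so
    upgrade the session, verifying the server certificate and hostname.

    STARTTLS is opportunistic: this confirms the server *can* do TLS, not that
    every sender will use it (MTA-STS or DANE is needed to enforce that).
    """
    result = {"host": host, "starttls_offered": False, "tls_version": None,
              "cert_subject": None, "error": None}
    context = ssl.create_default_context()  # verifies the chain and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, ehlo_reply = smtp.ehlo()
            if "STARTTLS" in parse_ehlo_capabilities(ehlo_reply):
                result["starttls_offered"] = True
                smtp.starttls(context=context)  # raises if the certificate does not validate
                result["tls_version"] = smtp.sock.version()
                result["cert_subject"] = smtp.sock.getpeercert().get("subject")
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print("sample reply advertises:", sorted(parse_ehlo_capabilities(SAMPLE_EHLO_REPLY)))
    if len(sys.argv) > 1:  # live check, e.g.: python starttls_check.py mail.example.com
        print(check_starttls(sys.argv[1]))
```

Run it against the MX host of your own domain and of your answering service; a result with `starttls_offered` false, or an `error` from certificate validation, means PHI sent by email to that server is travelling unprotected.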
Another option is using S/MIME secure email, which involves obtaining a public/private certificate from a certificate authority (CA), e.g. VeriSign, Comodo, etc. Typically a digital signature (ID) will be valid for one year, after which time a new digital ID will be required.
You will need to configure your email client to use the certificate and send the digital signature certificate file (it will have a file extension of .cer) to your answering service. Tip: It is important to ‘zip’ the file before emailing as most email systems will remove a file attachment with a ‘.cer’ file extension.
HIPAA violations are bad. Really bad. A PHI breach can result in fines up to $1.5 million so it goes without saying that it is absolutely necessary that you, your business associates, and your staff are HIPAA compliant.
If you're feeling uneasy about your current answering service provider, be sure to check out these tips when looking for a new partner.