New HIPAA encryption requirements were introduced in the Final Omnibus Rule – which updated existing legislation in the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) and the Health Insurance Portability and Accountability Act 1996 (HIPAA) – in order to reduce the risk of sensitive patient health information from being compromised.
The new rules relating to HIPAA text message encryption and HIPAA email message encryption were enacted in September 2013, after a six-month period was allowed to enable third-party service providers – who previously did not have to comply with HIPAA data encryption regulations – to compile suitable policies for the security of patient health information when it is being sent, received or stored.
However any employer, health insurance provider or healthcare professional that provides an existing service covered by HIPAA also needs to be aware of how the revised rules relating to HIPAA data encryption may affect them, and how their business should be conducted to comply with the new HIPAA encryption requirements.
Due to technological advances and changes in work practices, sensitive patient health information is often communicated by portable mobile devices such as cell phones, Smartphones and tablets. The potential for data being compromised when using public Wi-Fi or open cell phone networks is vast – as it is when patient health information is stored on a mobile device and is then stolen or lost – and the revised HIPAA data encryption regulations intend to address these issues. Consequently:
(¹) When patient health information has been lost or stolen, but has been secured by encryption, it is not always necessary to notify the patient or Office of Civil Rights if the breached data
“unreadable, indecipherable, or unusable” and the encrypted data can be removed remotely.
Although encrypting an email provides a certain level of security for transmitting patient health information, during the transmission of an email the message is copied multiple times on email servers before it reaches its intended recipient. Even encrypted, there is no way to completely recall or delete the email and, should the mobile device from which it was sent – or the one on which it was received – be stolen or lost, the content of the email can easily be accessed.
The new regulations relating specifically to HIPAA text message encryption and HIPAA email message encryption “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic patient health information”, and this is something which cannot be completely achieved by email encryption (²). Because of the lack of security offered by email encryption, it is the best interest of organizations to consider a secure text messaging platform to remain compliant with the HIPAA encryption requirements.
(²) It should be noted that the failure to comply with the HIPAA encryption requirements could result in criminal charges being brought by the Office of Civil Rights or a civil action being filed by an individual whose patient health information has been compromised.
Unlike email messages, secure text messages are stored locally on a secure server and the message carrier does not retain a copy of the message. They can still be accessed at any time in any place by the intended recipients (which is not always the case with secure email systems), unless the messages have been programmed to expire automatically to protect the integrity of patient health information.
The mobile device user can still use their personal device to access regular emails, SMSs and social media communications, but sensitive information will be sent and received using the secure messaging system and stored in a virtual private network. Compliance with HIPAA through text messaging encryption is assured, as the facility exists to remove a user from the network, and delete any sensitive data they may have received, if a risk assessment identifies a threat to the security of patient health information.
TigerConnect’s secure messaging platform is a cloud-based application which is simple to use and does not require the download of any software to operate. Most employees or sub-contractors will notice very little difference between their current SMS practices and using TigerConnect to comply with the HIPAA text message encryption requirements, and there are specific benefits of using TigerConnect which will more than compensate for any cost of establishing the system:
To learn more about TigerConnect’s secure messaging platform – and how it complies with the HIPAA encryption requirements – you are invited to download our “Top 8 Secure Messaging Policy Best Practices Brief” and thereafter contact us with any questions you may have about HIPAA text message encryption or how TigerConnect’s secure messaging platform can help you to comply with the new legislation.
TigerConnect provides secure, real-time mobile messaging for the enterprise, empowering organizations to work more securely. TigerConnect’s encrypted messaging platform keeps communications safe, improves workflows, and complies with industry regulations.