Enabling Providers to Use Truly HIPAA Compliant Messaging
Direct messaging is increasing in popularity, but how exactly does it tie into HIPAA compliant email and what should providers understand before implementing it?
As technology continues to evolve, healthcare organizations of all sizes are working to remain current in what they can offer to providers and patients while also keeping PHI secure. Covered entities now have various options of communication, and HIPAA compliant email is often a necessity.
However, healthcare organizations cannot assume that any form of email communication will in fact keep PHI secure and adhere to HIPAA regulations. Even third parties are not always exempt from HIPAA compliance as they communicate with healthcare organizations.
As Linda McReynolds, Esq. & Ronald Quirk, Esq. explained in a HealthITSecurity.com contribution, it is important to understand the difference between companies that offer a “mere conduit” service and an actual business associate.
“Entities that provide 'mere conduit' service are excluded from HIPAA liability,” McReynolds wrote. “The mere conduit exemption applies to telecom or information services that exclusively provide transmission or temporary storage of transmitted data incident to such transmission. This includes entities such as internet service providers (ISPs) and paging carriers.”
They key difference is the transient versus persistent nature of the opportunity to view the PHI.
“To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored,” she explained. “It is irrelevant whether the service provider actually views the PHI.”
Healthcare organizations and business associates cannot assume that all forms of email are in fact HIPAA compliant email.
HIPAA compliant secure messaging
In terms of secure messaging usage, that has increased 30 percent from 2013 to 2014, according to an Office of the National Coordinator for Health Information Technology (ONC) data brief. Half of surveyed physicians – 52 percent – said they exchanged secure messages
Forty-two percent more physicians also said that they allowed patients the ability to view, download, or transmit access to their electronic health information.
More patients are able to take advantage of secure messaging options as well, with a separate ONC data brief showing that 51 percent of hospitals in 2014 allowed their patients to send and receive secure messages. Furthermore, 10 percent of hospitals provided secure messaging options in 2013, while 64 percent of hospitals provided it last year.
The HIMSS HIE and Direct Messaging Survey also found that many healthcare originations support Direct messaging as the method choice for exchanging data. However, there were still challenges cited about incorporating structured data into the EHR.
Secure email, helping with transitions of care, ADT notifications, patient communication, and handling consult requests between physicians were the top reported uses of Direct messaging, according to the survey.
“Use of Direct to enable HIE has been a bumpy ride and while variability exists in the market, the message should be that HIE is growing, the market is maturing and we are all learning how to better collaborate with our community partners,” HIMSS Director of Informatics Mari Greenberger and Sean Kennedy, Director, HIE, Mass eHealth Institute, wrote in a blog post at the time of the survey’s release. “The inter-organizational exchange of information in support of improved patient care is challenging, but from the feedback in this survey ‘the cost is worth the benefit.’”
Approximately half of the survey respondents also said that the cost of using Direct is worth the benefit of information exchange. Three-quarters of respondents – 76 percent – also reported access to a provider directory, 64 percent said they can access internal providers from that directory from within their EHR.
In terms of HIPAA compliant secure messaging, the HIPAA Security Rule does not require specific technical solutions. However, it does state that healthcare organizations must determine reasonable and appropriate safeguards.
“It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so,” the HHS HIPAA Security Series states.
Source
No comments:
Post a Comment