HIPAA-compliant texting and messaging

What does ‘HIPAA-compliant messaging’ even mean?

Lots of messaging services claim that they’re ‘secure’ or ‘HIPAA compliant’. But, what does that really mean? How can you even begin to compare all these ‘secure’ messaging apps swarming the market? Here’s an important list of characteristics that set truly secure messaging services apart. These characteristics all add up to HIPAA-compliance and security best practices. Any ‘secure’ or HIPAA-compliant messaging vendor worth their salt, and your time, will be able to explain why, and how, their products meet these best practices, meet HIPAA requirements, and ease your medical communications headaches.

A truly secure and HIPAA-compliant messaging service will:

1. Segregate healthcare texting from personal texting
   
   This is a no-brainer: mixing professional and personal messages is dangerous at the best of times. In healthcare environments, it can be truly perilous. Anyone can pick up a nurse’s phone and read his personal text messages. So, healthcare-related text messages and communications have to be kept separate from personal messages. Because, when it comes to HIPAA compliance, there are no exceptions and no excuses.
2. Require special authorization and authentication for accessing messages
   
   There’s no use keeping healthcare and personal messages in different places unless the healthcare messages are secured with strong authentication requirements. Users should be enrolled in their organization’s secure text messaging service through a personal invitation process, and their access to messages should be password-protected. These measures ensure that messages are read by the people they are sent to: not their friends, kids, or colleagues. This is a key element of HIPAA’s ‘Security Rule’.
3. Encrypt message data in network and in transit
   
   Ordinary text messages are not secure in transit: they can be accessed by mobile carriers or by other third parties. To ensure HIPAA compliant texting, these third parties simply cannot gain access to PHI. So, secure messaging services will encrypt all transmissions using TLS/SSL (or similar) between all server-nodes
4. Encrypt data on mobile devices
   
   Truly secure communications platforms won’t just encrypt messages in transit – they’ll encrypt your messages, directory information, and other proprietary information on your phone, too, using AES-256 encryption, or similar. These encryption measures help to protect against data leakage in the case of phone theft or loss.
5. Remove PHI from screen notifications
   
   Having your texts pop up on your phone’s lock screen can be a recipe for disaster; even in they don’t contain PHI. But, when they do, the consequences can reach beyond embarrassment and can cost your institution a hefty amount in HIPAA compliance fines. Secure communication applications will eliminate potential leaks from lock screens by blocking text previews from message alerts. So, you’ll know who messaged you by looking at your lock screen. But, you’ll only be able to know what they messaged you when you unlock your phone (preferably through a pin or password mechanism).
6. Fully archive message histories
   
   Native text archiving can be erratic and uncertain. A truly HIPAA-compliant messaging service will provide an automatic, complete, and encrypted archiving service for messages sent within a specific organization’s network. The visibility and accountability such archiving processes provide are essential to demonstrating HIPAA compliance.
7. Fully integrate auditing capabilities
   
   HIPAA audits are the key to HIPAA-compliance. You’re only compliant when you can successfully pass an audit with flying colors. To do so, you need to be able to provide evidence of hardware, software, and procedural mechanisms that record and examine all your PHI-sharing activities. A HIPAA-compliant messaging solution will automatically audit and log all administrator activities related to managing users and polices, all authentication events, and all read receipts of messages.
8. Enable secure photo sharing
   
   Photo sharing is a key element of successful healthcare communications systems - often, urgent consultations involve visual examinations of wounds or other symptoms. If shared, such photos have to be encrypted and secured in order to maintain the privacy of the photographed patient. A HIPAA-compliant messaging service will ensure that photos taken within its system are not added to devices’ camera rolls, and that they are encrypted, secured, and auditable – just like written messages.
9. Prevent copying or leaking of PHI
   
   Many of the security measures outlined above can be undermined if information can be copied-and-pasted out of a ‘secure’ messaging app. A truly HIPAA-compliant secure texting solution will ensure that it is impossible to copy-and-paste messages, or photos, to a device’s clipboard.
10. Instantly lockout and erase data if devices are stolen
    
    The small, mobile natures of smartphones have contributed to their growing levels of usefulness and ubiquity. But, their small size also means that they can be easily lost and just as easily stolen. If a lost or stolen phone contains PHI, HIPAA-compliance can be put at serious risk.

A well-designed HIPAA-compliant messaging solution will factor in potential theft or loss into its application architecture. It will require PIN authentication, it will include configurable ‘time-out’ periods, and it will be able to automatically lock out users after a number of unsuccessful authentication attempts. Organization administers should also be able to remotely disable device-specific accounts, thus destroying the encryption keys to sensitive PHI information. All of these measures should be in-built into truly HIPAA-compliant messaging programs.

Are you ready to meet all of these HIPAA-compliance requirements?

Meeting all of these requirements is a difficult task – particularly when so many app companies have little experience in the healthcare industry, and minimal knowledge of the clinical workflows that healthcare-specific messaging solutions cater to. Fortunately, Imprivata has built a secure communications application to meet all of your HIPPA-compliant messaging requirements. Imprivata Cortext is a secure communication platform that enables healthcare organizations to replace pagers and improve care coordination, inside and outside the hospital. It meets every single one of the requirements outlined above.