October 6, 2022
Have you ever accidentally sent a text to the wrong person? Most of us have, and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people were impacted by a protected health information (PHI) breach last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September!
Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication.
First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement.
You may also be wondering about SMS/text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is only about scheduling. Keep all work-related communication within your secure provider or application.
Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include:
- Training all employees on internal communication
- Routinely keeping your asset log up to date so you know which devices hold data
- Including only the minimum necessary information when sending ePHI via message
- Communicating workstation and device access rules in the office, and setting employee facility access and controls
It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice.
Lastly, it’s important to remember that HIPAA is not a barrier law; in fact, it is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.