Question:
Dear Jennifer,
One of my employees raised concerns regarding our practices for encryption of PHI with the internal messaging system we use (Microsoft Teams). Can you explain what’s required of me?
Thanks,
Dr. D.
Answer:
Great question! To streamline the answer, we'll make the assumption you are somewhat familiar with encryption. HIPAA's Security Rule requires encryption for PHI (protected health information) "in transit". The easiest way to ensure compliance is to use a modality self-certifying as HIPAA compliant.
The following service providers represent themselves as "HIPAA compliant" platforms:
- Zoom for Healthcare
- Microsoft Teams
- Google Meet
- Cisco Webex
- Doxy.me
- Microsoft 365 with Advanced Email Encryption
- Google Workspace for Healthcare
- ProtonMail for Business
- Hushmail for Healthcare
- Virtru
Noncompliance as related to PHI may have costly consequences, with OCR imposing significant penalties for violations. Recent OCR actions highlight the steep price of noncompliance. Organizations have faced fines ranging from hundreds of thousands to millions of dollars for failing to meet HIPAA standards. (See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.) OCR resolved over 31,191 cases by requiring HIPAA-covered entities and their business associates to implement corrective actions or improve privacy practices. OCR also enforced HIPAA compliance through corrective measures in all cases of noncompliance, settling or imposing civil money penalties in 152 cases, totaling $144,878,972. Id.
If the above is news to you, and you have not been incorporating HIPAA into your daily thoughts, it's time we get on the phone to discuss your 2025 plan for compliance, and to review your current HIPAA protections in place. As always, for newsletter participants, there is no charge for a consult. Let Taryn know if you would like to touch base with Jennifer or Clorissa to discuss.