December 19, 2024 


Question:

Dear Jennifer,

One of my employees raised concerns regarding our practices for encryption of PHI with the internal messaging system we use (Microsoft Teams). Can you explain what’s required of me?

Thanks,
Dr. D.
 
Answer:

Great question! To streamline the answer, we'll assume you are somewhat familiar with encryption. HIPAA’s Security Rule requires encryption for PHI (protected health information) "in transit". The easiest way to ensure compliance is to use a platform that self-certifies as HIPAA compliant.

The following service providers represent themselves as "HIPAA compliant" platforms:

  • Zoom for Healthcare
  • Microsoft Teams
  • Google Meet
  • Cisco Webex
  • Doxy.me
  • Microsoft 365 with Advanced Email Encryption
  • Google Workspace for Healthcare
  • ProtonMail for Business
  • Hushmail for Healthcare
  • Virtru

Note that encryption is only one part of the protections required when transmitting ePHI by email or messaging. The other important part is integrity controls, which prevent unauthorized alteration or deletion of messages. This is why messaging apps such as WhatsApp are not HIPAA compliant, even though they are encrypted. Encrypting all ePHI not only protects you against breaches, but also provides evidence of your efforts to comply with the ePHI protection standard in the event you do experience a breach. It is imperative to have a Business Associate Agreement in place with any outside vendor or company you use to hold or transmit PHI.
 
Using a HIPAA-compliant, encrypted platform is a good start, but it doesn’t guarantee compliance with federal requirements. The HIPAA Security Rule requires a comprehensive approach to safeguarding PHI through administrative, technical and physical safeguards, which, properly administered, blend HIPAA policies, hardware protections, training and enforcement at the practice level. Compliance requires HIPAA to be part of the daily conversation with all team members. Incorporating regular controls will protect the practice.

Noncompliance related to PHI may have costly consequences, with OCR imposing significant penalties for violations. Recent OCR actions highlight the steep price of noncompliance. Organizations have faced fines ranging from hundreds of thousands to millions of dollars for failing to meet HIPAA standards. (See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.) OCR resolved over 31,191 cases by requiring HIPAA-covered entities and their business associates to implement corrective actions or improve privacy practices. OCR also enforced HIPAA compliance through corrective measures in all cases of noncompliance, settling or imposing civil money penalties in 152 cases, totaling $144,878,972. Id.

If the above is news to you, and you have not been incorporating HIPAA into your daily thinking, it’s time we get on the phone to discuss your 2025 plan for compliance and to review the HIPAA protections you currently have in place. As always, for newsletter participants, there is no charge for a consult. Let Taryn know if you would like to touch base with Jennifer or Clorissa to discuss.