Keeping Compliant with Internal Clinic Communications

Keeping Compliant with Internal Clinic Communications

Josiah Dykstra, Ph.D.

Audiologists are increasingly adopting digital solutions for secure, private, and HIPAA-compliant communications with patients. This is a positive trend. Less commonly discussed is the safety of internal staff communications, such as instant messages. At AuDacity in October, 2022, there were several comments and conversations where various tools were discussed as ways practices communicate and collaborate between staff members. This article highlights compliance considerations for selecting software that is both practical for the businesses and appropriately secure.

Whether a practice has two people or 200, communication is essential for the business to run smoothly. Internal electronic messages might include sharing substantial updates about new products, quick logistics about staff meetings, tasks for individuals, situational awareness about patients that day, and even social events and humor. By one estimate, people 35-44 years old send 50+ text messages per day!1

It is natural and common that internal clinic messages may include protected health information (PHI). The HIPAA laws list the 18 identifiers of health information that must be protected.2 Table 1 contains several examples of messages that contain PHI, and examples that do not. HIPAA does not explicitly allow or prohibit any individual product or service platform, including text messages and email. However, the law does require that certain conditions be met. For instance, a Business Associate Agreement (BAA) is required with any company that transmits PHI on a practice’s behalf. Further, Apple is a business associate if a practice sends PHI using iMessage. However, Apple does not currently offer to sign a BAA and therefore is not HIPAA-compliant.

Some companies will sign a BAA, including Microsoft and Google. Be careful: a BAA alone does not make a service compliant. The vendor must also comply with HIPAA requirements, such as data encryption and logging. There is no standard or accreditation process for HIPAA compliance, so when a vendor says they are HIPAA compliant you must do due diligence to validate their claim or blindly trust them. It is also your responsibility to use the service in a compliant manner. For example, if you upload a spreadsheet of patients to Microsoft OneDrive but make the document accessible to the world, that is a HIPAA violation even if OneDrive itself is HIPAA-compliant.

Table 2 shows some popular message service that clinics may be currently using to communicate between staff. WhatsApp, iMessage, and GroupMe are examples of services that are not HIPAA compliant and will not sign a BAA. This means that a practice could use them for non-PHI messages, but as evident from the comments at AuDaCITY many use them for PHI. Staff should be carefully trained and routinely reminded about using platforms in a compliant manner to avoid HIPAA violations.

Other services, including Microsoft Teams and Google Chat, advertise themselves as HIPAA-compliant and will sign a BAA with you. In a few cases, such as Slack, you must purchase a specific type of their service to be HIPAAcompliant. Other commercial services, less commonly observed in the profession audiology, are tailor-made for healthcare including Trillian and TigerConnect.

Even when a compliant solution exists, it takes deliberate education, effort, and engrained culture not to bypass official communication mechanisms. This is not unique to audiology. It is also not surprising: people already have and frequently use programs like WhatsApp in their personal lives where they can make their own security and privacy decisions. “Staff perceive WhatsApp as a quicker, more convenient method to quickly share information/photos, compared to using the official systems,” said one study of European health professionals.3 Audiology practices should reinforce the importance of secure and compliant communication and examine whether switching to another messaging service would lower the burden on users. In many cases, an integrated solution – such as using Microsoft Teams if a clinic already uses Microsoft email – can be more cost-effective and user-friendly than adopting an entirely new technology.

During the COVID-19 public health emergency, the Health and Human Services (HHS) Office for Civil Rights issued a Notification of Enforcement Discretion to enable temporary increased access to telehealth during the pandemic.4 This allowed providers to use additional non-public facing remote communication products, including WhatsApp and Apple FaceTime. The change was exclusively focused on the delivery of telehealth and did not address their use for general instant messaging.

HIPAA compliance is mandatory and it is important to remember that compliant systems are only half the battle.

Audiologists must also ensure staff is trained and prepared to appropriately use internal messaging systems. For example, audiologists must have adequate policies and procedures that comply with the HIPAA Security Rule’s administrative, physical, and technical safeguards. While technical considerations are certainly vital for such internal communications systems, revisiting and ensuring administrative and physical safeguards are appropriately updated and maintained is also important. In light of increased remote workforces, use of personal devices, use of external networks, and continuing transition to paperless records and communications, consider updating policies and training for your staff.

Audiologists should even consider additional security and privacy controls above and beyond the legal requirements. Digital messages are easy to spread and difficult to retract. Imagine a “joke” message meant only for staff that accidentally became public. “Did you see that hideous outfit that my patient was wearing this morning?” Such a message may be compliant but inappropriate. The appropriate use of technology should be covered in an employee handbook. Further, digital messages are nearly impossible to erase and may be subject to disclosure in a lawsuit. So, a private and compliant message could still cause problems, such as “Reminder that we have our security refresher today, but you don’t need to pay attention.”

Audiologists must protect PHI no matter where it exists, including internal business messages and communications. With increasingly connected staff members, dispersed staff, and multiple offices, effective and compliant messaging are becoming even more essential. Security and compliance are achievable with careful and informed decisions. ■

References

  1. Financial Accounting, Warren, Carl S. and Fess, Philip E., South-Western Publishing Co., Cincinnati, OH, 1994. JoAnna Ahn is the marketing director for Audigy.
  2. https://99firms.com/blog/texting-statistics/
  3. https://www.law.cornell.edu/cfr/text/45/164.514
  4. Coventry, L., Branley-Bell, D., Sillence, E., Magalini, S., Mari, P., Magkanaraki, A., & Anastasopoulou, K. (2020, July). Cyber-risk in healthcare: Exploring facilitators and barriers to secure behaviour. In International Conference on Human-Computer Interaction (pp. 105-122). Springer, Cham.
  5. HHS Office for Civil Rights, FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency, https://www. hhs.gov/sites/default/files/telehealth-faqs-508.pdf (accessed November 5, 2022).

Josiah Dykstra, Ph.D. is Founder and Cybersecurity Consultant at Designer Security which provides cyber services for audiologists. He has more than 18 years’ experience in cybersecurity research, practice, and education. Contact him at This email address is being protected from spambots. You need JavaScript enabled to view it..