HIPAA Compliant Messaging Avoids a HIPAA Fine

Protect Yourself from HIPAA Violations When you Use HIPAA Compliant Messaging

Holidays or no holidays, HIPAA fines are always a possibility. That’s why OnPage took the opportunity at the beginning of December to co-produce a webinar with HIPAA scholar and lawyer Matt Fisher. Matt is a partner at the law firm of Mirick & O’Connell and has advised numerous hospital clients on how to maintain HIPAA compliance.

The webinar, entitled How to Avoid a HIPAA Fine, is instructive in separating HIPAA fact from HIPAA fiction. It let viewers know what they can do to accommodate HIPAA requirements and what practices must be avoided in order to dodge the pain of hundreds of thousands of dollars in HIPAA-related fines.

Who is required to follow HIPAA?

HIPAA law is not nearly as restrictive as it may at first appear, but it can seem complicated. Part of the complication stems from knowing who exactly is required to comply with HIPAA and who is not. Essentially, there are three groups that must comply:

  • Covered Entities – Covered entities are the top level of entities that must comply. These are health plans, healthcare providers and healthcare clearinghouses.
  • Business Associates – Business associates are the second level of entities required to follow HIPAA. A business associate is any organization that creates, receives, stores or transmits PHI on behalf of a covered entity; since the 2013 Omnibus Rule they are directly liable for complying with the Security Rule. OnPage is an example of a business associate.
  • Subcontractors – Subcontractors are the groups hired by business associates to assist them in their HIPAA-regulated work, and they inherit the same obligations.

What does HIPAA require?

The question then becomes: what does HIPAA require? At its core, HIPAA focuses on the privacy and security of a patient's protected health information (PHI). This means that patient information must be stored securely and, outside a set of permitted uses, shared only with the patient's authorization. There are, of course, exceptions.

For example, uses and disclosures for treatment, payment and healthcare operations do not require patient notification or consent. Collaboration between two physicians on a patient's diagnosis or treatment therefore does not require patient consent. However, when that information is exchanged electronically, it must be protected. HIPAA's Security Rule lists encryption of electronic PHI as an "addressable" safeguard, but in practice it is mandatory: unencrypted PHI that is lost or misdirected is a reportable breach, while PHI that was properly encrypted is not.

Encryption adds another wrinkle to HIPAA compliance. Patient records and the exchanges about them must be secured and encrypted. That covers the actual patient charts and records as well as messages about a patient's needs. Any digital exchange that references a specific patient's status or condition contains PHI and must meet the same standard.

The consequence of not following these rules is that the information can be breached. For example, if a physician sends a consult request from a personal Gmail account and the email names the patient and their condition, that can be a breach: the clinic has no business associate agreement covering the account, no control over where the message goes, and no assurance that it is encrypted or reached only the intended recipient.

Under the breach notification provisions of the HITECH Act, as codified in the Omnibus Rule of 2013, if that email is sent to the wrong account the clinic must notify each affected individual and the Department of Health and Human Services, and, if more than 500 individuals in a state or jurisdiction are affected, prominent media outlets as well.

Requirements for HIPAA Compliant Messaging

So given HIPAA's importance and the impact of a violation on a clinic, practitioners need to ensure that any exchange of PHI is secure. As PHI is often exchanged through digital messaging, practitioners need to know what makes a messaging channel HIPAA compliant.

OnPage's Bill Van Loon picked up this part of the webinar and laid out the following requirements for HIPAA compliant messaging:

  • Segregate healthcare texting from personal texting: Personal messages must be kept separate from healthcare messages. A practitioner cannot use a personal messaging app or plain SMS to exchange healthcare content.
  • Authorization and authentication for accessing messages: Every user must authenticate, at minimum with a username and password, before reading healthcare messaging content, and should only be able to reach the messages they are authorized to see.
  • Encrypt message data at rest and in transit: Message content must be encrypted while it travels over the network and while it is stored on the messaging servers, so that it is protected end to end.
  • Encrypt data on mobile devices: PHI stored on the mobile device must also be encrypted.
  • Remove PHI from screen notifications: Push notifications must not display message text or any PHI. A notification should carry only a generic alert and an identifier; the content is fetched once the user has unlocked the app.
  • Archive message histories: Message records must be retained on the servers for six years, HIPAA's documentation retention period.
  • Fully integrate auditing capabilities: The application must record when each message was sent, with a date and time stamp, who received it and when it was read. The whole message lifecycle needs to be available for review.
  • Prevent copying or leaking of PHI: Text found in a message cannot be copied into another application.
  • Lock out and erase data if devices are stolen: If a device is lost or stolen, or an employee leaves, administrators must be able to lock the account and remotely wipe the message content from the device.
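As an added illustration (this is not OnPage's code or anything shown in the webinar), the following Python sketch puts three of the requirements above into code: a push notification payload that carries no PHI, with a guard that catches a leaky payload; an append-only lifecycle audit trail (sent, delivered, read, and a remote wipe) that rejects out-of-order or backdated events; and the six-year retention calculation used to decide when an archived message may be purged. The user names, message ids, sample consult text and the exact day count for six years are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Six years is HIPAA's documentation retention period (45 CFR 164.316(b)(2)).
# The day count here is an assumption for this example; use your policy's value.
RETENTION = timedelta(days=6 * 365 + 2)

LIFECYCLE = ("sent", "delivered", "read")   # stages every message passes through, in order


@dataclass(frozen=True)
class AuditEvent:
    message_id: str
    event: str        # one of LIFECYCLE, or "wiped" after a remote wipe
    actor: str        # sender, recipient or administrator who caused the event
    at: datetime      # timezone-aware timestamp


class MessageAudit:
    """Append-only lifecycle record: who sent, received and read each message, and when."""

    def __init__(self):
        self._events = []

    def record(self, message_id, event, actor, at=None):
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("audit timestamps must be timezone-aware")
        mine = [e for e in self._events if e.message_id == message_id]
        if mine and at < mine[-1].at:
            raise ValueError(f"{message_id}: event timestamp goes backwards")
        stage = sum(1 for e in mine if e.event in LIFECYCLE)
        if event in LIFECYCLE:
            # "read" before "delivered", or a second "sent", is a corrupt trail: refuse it.
            if stage >= len(LIFECYCLE) or LIFECYCLE[stage] != event:
                raise ValueError(f"{message_id}: unexpected {event!r} at stage {stage}")
        elif event != "wiped":
            raise ValueError(f"unknown audit event {event!r}")
        self._events.append(AuditEvent(message_id, event, actor, at))

    def lifecycle(self, message_id):
        """(actor, timestamp) per stage, plus whether sent -> delivered -> read completed."""
        out = {"sent": None, "delivered": None, "read": None, "wiped": None}
        for e in self._events:
            if e.message_id == message_id:
                out[e.event] = (e.actor, e.at)
        out["complete"] = all(out[s] is not None for s in LIFECYCLE)
        return out

    def retention_expiry(self, message_id):
        sent = self.lifecycle(message_id)["sent"]
        return sent[1] + RETENTION if sent else None

    def purgeable(self, now):
        """Message ids whose retention period has elapsed; only these may be deleted."""
        ids = {e.message_id for e in self._events}
        return sorted(m for m in ids if self.retention_expiry(m) and self.retention_expiry(m) <= now)


def push_payload(message_id):
    """Notification sent to the device: an opaque id and generic text, never the message
    body, sender name or patient details. The app fetches the body after the user logs in."""
    return {"title": "New secure message", "body": "Open the app to read it", "message_id": message_id}


def payload_is_phi_free(payload, message_text):
    """Heuristic guard on the notification path: fail if any word of four or more
    characters from the message body appears anywhere in the payload."""
    blob = " ".join(str(v) for v in payload.values()).lower()
    words = {w.strip(".,:;") for w in message_text.lower().split()}
    return not any(w in blob for w in words if len(w) >= 4)


def demo():
    """Constructed scenario: one consult message that is sent, delivered, read and later wiped."""
    audit = MessageAudit()
    t0 = datetime(2016, 12, 1, 9, 0, tzinfo=timezone.utc)
    audit.record("msg-1", "sent", "dr.smith", t0)
    audit.record("msg-1", "delivered", "dr.jones", t0 + timedelta(seconds=3))
    audit.record("msg-1", "read", "dr.jones", t0 + timedelta(minutes=2))
    audit.record("msg-1", "wiped", "admin", t0 + timedelta(days=30))   # phone reported stolen
    try:
        audit.record("msg-2", "read", "dr.jones", t0)   # "read" with no "sent": rejected
        out_of_order_rejected = False
    except ValueError:
        out_of_order_rejected = True
    body = "Consult request: Jane Doe, room 12, chest pain"   # constructed PHI
    payload = push_payload("msg-1")
    return {
        "lifecycle": audit.lifecycle("msg-1"),
        "expiry": audit.retention_expiry("msg-1"),
        "purgeable_in_2020": audit.purgeable(datetime(2020, 1, 1, tzinfo=timezone.utc)),
        "purgeable_in_2023": audit.purgeable(datetime(2023, 1, 1, tzinfo=timezone.utc)),
        "out_of_order_rejected": out_of_order_rejected,
        "payload": payload,
        "phi_free": payload_is_phi_free(payload, body),
        "leaky_payload_caught": not payload_is_phi_free({**payload, "body": body}, body),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The word-match guard is deliberately crude; its job is to fail closed in a unit test if someone wires the message body into the notification builder, not to classify PHI. The audit trail is kept in memory here; a real deployment writes it to storage the messaging users cannot modify, since the trail is what proves who saw what during a breach investigation.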


Avoiding a HIPAA fine is not impossible, but it requires practitioners and administrators to be thoughtful and to err on the side of caution. Part of that thoughtfulness is building secure messaging into the clinic's HIPAA infrastructure rather than leaving it to individual habit.

In a world where physicians are focused on improving patients' lives, it rests with administrators, managers and the C-suite to drive change. These groups need to ask the questions that will effect change.

Watch the full video to learn how your practice can avoid a HIPAA fine!