This blog is a revised version of an article first published in January 2020.
The widespread popularity of messaging apps is making significant inroads into healthcare, with more and more healthcare professionals relying on chat apps to communicate with other doctors, their patients, and their care team. This trend comes as no surprise – using mobile devices for private messaging, phone calls, video chats, and sending documents is an easy and convenient way to share information. Timely and direct patient communication improves health outcomes and enhances patient satisfaction. However, for all its many advantages, the use of messenger apps also comes with potential pitfalls if regulations regarding patient privacy and data protection are not observed.
While most business organizations are concerned about protecting the privacy of their customers, in the healthcare industry this concern is a legal requirement. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards for the protection of patient data and enforces strong penalties for breaches. This law affects not only healthcare organizations (referred to as covered entities) but also their business associates, who come into contact with patient data when providing services to healthcare professionals.
IT software companies that provide communication solutions to hospitals and clinics need to be aware of this legislation and need to be very transparent about their ability to provide a HIPAA compliant secure messaging platform.
HIPAA is primarily concerned with protecting all medical data that contains individually identifiable information about a patient (e.g. name, address, date of birth, social security number). This data is referred to as protected health information (PHI) or, when stored electronically, ePHI. Unregulated disclosure enables third parties to link an individual to their past, present, or future health status. There is an abundance of medical records, including bills from doctors, emails, MRI scans, blood test results, etc., that fall under the rubric of PHI.
HIPAA covered entities and their IT business associates need to ensure patient privacy and HIPAA compliance. When it comes to communication channels, it is vital that PHI is stored, processed, and transmitted via compliant text messaging.
To build a secure text messaging app for healthcare, HIPAA-covered entities and their IT business associates need to be aware of four HIPAA rules:
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify the media in case of a data breach. Breach notifications are usually presented in the form of a press release and must be provided no later than 60 days following the discovery of a breach.
The HIPAA Enforcement Rule. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules. It deals with compliance, investigations, penalties for violations, and procedures for hearings. Failure to follow HIPAA compliance requirements can also result in civil and criminal penalties.
Clearly, HIPAA regulations are extensive, and there are many factors healthcare providers need to consider when developing a compliant healthcare messaging solution. Of most relevance to those involved in the design of healthcare apps are the technical safeguards covered under the Security Rule. For a chat app to be considered HIPAA compliant, it will need to have addressed the following five key areas, incorporating as many as possible of the technical safeguards listed under these five headings.
Access control – controlling who has access to ePHI. Only authorized users may access PHI, and only the minimum information necessary for their task.
Audit controls – ability to record and track user activity with an IT system holding PHI.
Integrity controls – ensuring PHI is not corrupted or altered due to “improper alteration or destruction.”
Person or Entity Authentication – verifying the identity of a user seeking access to PHI.
Transmission security – protecting PHI when it is in motion, as this is when it is usually most vulnerable.
The easiest way to satisfy compliance requirements is to partner with a HIPAA compliant communication solutions provider, such as QuickBlox, which has a solid history of providing enterprise solutions for healthcare. QuickBlox provides instant messaging and group chat, peer-to-peer and multiparty video calling, file sharing, and other functions accessible through SDKs and APIs. Its software is designed with HIPAA compliance in mind. Furthermore, QuickBlox is able to work with a HIPAA compliant cloud provider of your choosing to ensure your instance is configured correctly so that it meets HIPAA requirements.
Let's look more closely at some of the specific ways the QuickBlox messaging API enables you to build a compliant chat application.
With the QuickBlox API you can build a system of access controls within your messaging app that grants access to data only to users with unique usernames and passwords, ensuring users can only access messages they sent or received.
QuickBlox supports your need for audit controls. By assigning each user a unique user identification, you can log and track when they access or attempt to access the system. All actions within the system, including administrative password resets for users, are logged. Therefore, activity around ePHI data is identifiable and can be easily attributed to an individual user.
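The following is an added example (not QuickBlox code) of what an audit-control log for ePHI access looks like in practice: every event is attributed to a unique user id, records the resource touched (never its content), and is chained to the previous entry with a SHA-256 hash so that later editing or deletion of an entry is detectable. The class and field names, the genesis value and the sample events are all assumptions constructed for this illustration.

```python
"""Tamper-evident audit log for ePHI access (added example, not QuickBlox's code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass
class AuditEntry:
    seq: int            # position in the log; detects deleted entries
    ts: int             # unix timestamp supplied by the caller
    user_id: str        # unique user identification required by the audit rule
    action: str         # e.g. "read_message", "password_reset" (assumed action names)
    resource: str       # identifier of the record touched, never its PHI content
    outcome: str        # "allowed" or "denied"
    prev_hash: str      # hash of the previous entry; chains the log together
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON of every field except the hash itself.
        body = asdict(self)
        body.pop("entry_hash")
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    GENESIS = "0" * 64  # assumed sentinel for the first entry's prev_hash

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, ts: int, user_id: str, action: str,
               resource: str, outcome: str) -> AuditEntry:
        """Append one attributed event, linking it to the previous entry."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(len(self.entries), ts, user_id, action, resource, outcome, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return i
            prev = e.entry_hash
        return None

    def activity_for(self, user_id: str) -> List[AuditEntry]:
        """Attribute logged activity to one individual user."""
        return [e for e in self.entries if e.user_id == user_id]


def demo_log() -> AuditLog:
    # Constructed sample events: a permitted read, a denied read, an admin reset.
    log = AuditLog()
    log.record(1700000000, "u-1042", "read_message", "msg-77", "allowed")
    log.record(1700000030, "u-2001", "read_message", "msg-77", "denied")
    log.record(1700000060, "admin-7", "password_reset", "user/u-1042", "allowed")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify() is None)
    log.entries[1].outcome = "allowed"   # simulate after-the-fact tampering
    print("first bad entry:", log.verify())
```

In a real deployment the chain head (the latest entry_hash) would be copied periodically to storage the application cannot write to, so that a full rewrite of the log is also caught; denied attempts are logged just like successful ones, because failed access is exactly what an investigation needs to see.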
The goal of authentication is to verify the identity of a user seeking to interact with your system. QuickBlox HIPAA compliant messaging solutions provide secure authentication methods to ensure authorized access. Each user has a password and can create a time-limited, unique session token.
HIPAA requires automatic logoff: a session must end after a period of inactivity. If a user forgets to close the page, the risk of data theft increases.
QuickBlox provides full support for anonymous sessions. Its automatic logoff procedures can prevent unauthorized users from accessing ePHI by ending any session after a set period of inactivity. To continue, the user needs to re-enter their password or authenticate in some other way.
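To make the authentication and automatic-logoff requirements above concrete, here is an added example (my own illustration, not QuickBlox's implementation) of a server-side session store: passwords are verified against salted PBKDF2 hashes, a login issues a random time-limited token, and every request is checked against both an absolute lifetime and an idle timeout, with an expired session removed so the user must re-authenticate. The class names, the default lifetimes, the PBKDF2 iteration count and the injectable clock are assumptions chosen for this example.

```python
"""Time-limited session tokens with automatic logoff (added example, not QuickBlox code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Credentials:
    """Per-user salted password hashes; the password itself is never stored."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, hash_password(password, salt))

    def verify(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, hash_password(password, salt))


@dataclass
class Session:
    user_id: str
    issued_at: float   # for the absolute lifetime
    last_seen: float   # for the inactivity (automatic logoff) timeout


class SessionStore:
    def __init__(self, creds: Credentials, absolute_ttl: float = 8 * 3600,
                 idle_ttl: float = 15 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.creds = creds
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked session table
        # does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Verify the password and issue a fresh random token, or return None."""
        if not self.creds.verify(user_id, password):
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user id for a live session; expire and log off otherwise."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.issued_at > self.absolute_ttl or now - sess.last_seen > self.idle_ttl:
            del self._sessions[key]   # automatic logoff: re-authentication required
            return None
        sess.last_seen = now          # activity extends the idle window only
        return sess.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


class FakeClock:
    """Controllable clock so the timeouts can be exercised without waiting."""

    def __init__(self, start: float) -> None:
        self.now = start

    def time(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    creds = Credentials()
    creds.add_user("u-1042", "correct horse battery")   # constructed test user
    store = SessionStore(creds, absolute_ttl=3600, idle_ttl=600, clock=clock.time)
    tok = store.login("u-1042", "correct horse battery")
    print("live:", store.resolve(tok))
    clock.advance(700)
    print("after 700 s idle:", store.resolve(tok))
```

The two limits serve different purposes: the idle timeout is the automatic logoff HIPAA asks for, while the absolute lifetime caps how long a stolen token stays useful even on a busy session.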
To ensure the integrity of your data, QuickBlox uses encryption both at rest and in transit. All databases are stored in encrypted form. QuickBlox works closely with your preferred hosting provider, such as Amazon Web Services, Microsoft Azure, Oracle, and others, to ensure your stored data is fully secure and encrypted. For example, you can store your sensitive data in an Amazon S3 bucket with server-side encryption enabled.
HIPAA requires transmission security, which is supported by QuickBlox messaging solutions. QuickBlox servers use Transport Layer Security (TLS) and Secure Sockets Layer (SSL). All communications to and from the server use TLS/SSL encryption with both server-side and client-side authentication for devices.
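As an added illustration of the transmission-security point (this is my own example, not QuickBlox code or configuration), the block below builds a TLS client context that refuses legacy protocol versions and requires a verified server certificate, beside a deliberately weak context of the kind that often survives from development, and audits both against a small policy. The policy rules, the function names and the placeholder certificate paths in the comment are assumptions for this example.

```python
"""Hardened versus weak TLS client configuration (added example, not QuickBlox's)."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting a minimal transmission-security policy."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    # For client-side authentication (mutual TLS) the app would additionally call
    # ctx.load_cert_chain("client-cert.pem", "client-key.pem")  # placeholder paths
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of 'it works in dev' context that must not reach production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # accepts any server certificate
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy findings; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification not required (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname)")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED compares below TLS 1.2.
    if int(ctx.minimum_version) < int(ssl.TLSVersion.TLSv1_2):
        findings.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled (OP_NO_COMPRESSION)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

Running the audit over every context an application creates, for example in a unit test, is a cheap way to catch a verification shortcut before it ships; the same checks apply when the context is built from a configuration file rather than in code.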
To prevent database corruption or PHI damage as a result of a server crash, ransomware, or other cyber attacks, HIPAA messaging compliance requires backup of sensitive data. Backup systems create, store, and manage copies to ensure recovery in case of a failure.
QuickBlox offers options for data backup storage. Most commonly, customers can choose a cloud provider to back up data, including files, user information, and chat history generated by the services, or we can work with the customer to deliver a private cloud, on-premise deployment, or offline backup solution according to their requirements.
High Availability is the ability of a system to switch over to a redundant system in case of component failure. Disaster Recovery means restoring the services to normal operation in the shortest possible time.
QuickBlox offers such a configuration, in which highly available cluster servers are used for the application in the production center.
The data is backed up in the recovery center and coupled with the High Availability design in the production center. QuickBlox works hard to ensure any hardware failure or even complete shutdown of a hardware host will not affect the availability of the application and the PHI data.
QuickBlox provides the necessary steps to create and implement the disposal policies outlined by HIPAA as part of its secure messaging regulations. They can assist you in configuring your system so that it destroys data and/or backups automatically or on request.
If you are building a HIPAA compliant messenger app, choose a communications API provider that can offer you a solution designed with HIPAA compliance in mind. The QuickBlox compliant text messaging, voice, and video calling API offers compliant messaging solutions for your healthcare organization.
Want to find out more about how QuickBlox can support your needs around data encryption and other technical safeguards, to avoid breach notifications?