This blog is a revised version of an article first published in January 2020.
The widespread popularity of messaging apps is making significant inroads into healthcare with more and more healthcare professionals relying on chats apps to communicate with other doctors, their patients, and their care team. This trend comes as no surprise – using mobile devices for private messaging, phone calls, video chats, and to send documents, is an easy and convenient way for sharing information. Timely and direct patient communication improves health outcomes and enhances patient satisfaction. However, for all its many advantages, the use of messenger apps also comes with potential pitfalls if regulations regarding patient privacy and data protection are not observed.
While most business organizations are concerned about protecting the privacy of their customers, this concern is a legal requirement in the healthcare industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards for the protection of patient data and enforces strong penalties for breaches. This law not only affects healthcare organizations–referred to as the covered entity–, but also their business associates who come into contact with patient data when providing services to healthcare professionals.
IT software companies who provide communication solutions to hospitals and clinics need to be aware of this legislation and need to be very transparent about their ability to provide a HIPAA compliant secure messaging platform.
What information is protected by HIPAA?
HIPAA is primarily concerned with protecting all medical data that contains individually identifiable information about a patient (e.g. name, address, date of birth, social security number). This data is referred to as protected health information (PHI) , or when stored electronically ePHI. Unregulated disclosure enables 3rd parties to link an individual to their past, present, or future health status. There is an abundance of medical records including bills from doctors, emails, MRI scans, blood test results etc that fall under the rubric of PHI.
HIPAA covered entities and their IT business associates need to ensure patient privacy and HIPAA compliance. When it comes to communication channels, it is vital that PHI is stored, processed, and transmitted via compliant text messaging.
What are HIPAA compliance requirements?
To build a secure text messaging app for healthcare, HIPAA-covered entities and their IT business associates need to be aware of four HIPAA rules:
- The HIPAA Privacy Rule regulates access to protected health information, covering the circumstances of when it can be used and to whom it can be disclosed to.
- The HIPAA Security Rule describes several measures, referred to as administrative safeguards, physical safeguards, and technical safeguards, to ensure a high standard of security is taken to protect the confidentiality and integrity of PHI.
- Administrative safeguards are administrative policies and procedures a company puts in place to regulate the conduct of employees that have access to PHI, ensuring that only the right people have access.
- Physical safeguards are the physical measures needed to protect PHI as it relates to the building and equipment where PHI is stored.
- Technical safeguards cover technical measures needed in IT systems where PHI is stored, processed, and transferred. These measures ensure data remains encrypted and untampered with and enables system administrators to authenticate the identity of users accessing the system and audit their activity. The content of this rule has particular relevance for those involved in building compliant text messaging services.
The HIPAA Breach Notifications Rule requires HIPAA-covered entities and their business associates to notify the media in case of the data breach. Breach notifications are usually presented in the form of a press release and must be provided no later than 60 days following the discovery of a breach.
The HIPAA Enforcement Rule. The U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) handles enforcing the HIPAA Privacy and Security Rules. It deals with compliance, investigations, penalties for violations, and procedures for hearings. Failure to follow HIPAA compliance requirements can also result in civil and criminal penalties.
What is HIPAA compliant messaging?
Clearly HIPAA regulations are extensive and there are many factors healthcare providers need to consider when developing a compliant healthcare messaging solution. Of most relevance to those involved in the design of healthcare apps are the technical safeguards covered under the security rule. For a chat app to be considered HIPAA compliant it will need to have addressed the following 5 key areas, incorporating as many of the technical safeguards listed under these five headings.
Access control – controlling who has access to ePHI. Enabling only authorized users to have access to PHI and access only to minimum necessary information needed.
Audit controls – ability to record and track user activity with an IT system holding PHI.
Integrity controls– Ensuring PHI is not corrupted or altered due to “improper alteration or destruction.”
Person or Entity Authentication – verifying the identity of user seeking access to PHI.
Transmission security – protecting PHI when it is in motion, as this is when it is usually most vulnerable.
The benefits of using QuickBlox API
The easiest way to satisfy compliance requirements is to partner with a HIPAA compliant communication solutions provider, like QuickBlox, who have a solid history providing enterprise solutions for healthcare. QuickBlox provides instant messaging and group chat, peer to peer and multiparty video calling, file sharing and other functions accessible through SDKs and APIs. Their software is designed with HIPAA compliance in mind. Furthermore, they are able to work with a HIPAA compliant cloud provider of your choosing to ensure your instance is configured correctly so that it meets HIPAA requirements.
Lets look more closely here at some of the specific ways QuickBlox messaging API enables you to build a compliant chat application.
Building a HIPAA compliant messenger
1. User verification
With QuickBlox API you can build a system of access controls within your messaging app that allows only users with unique usernames and passwords access to the data, ensuring users can only access messages they sent or received.
2. Audit controls
QuickBlox supports your need for audit controls. By assigning each user a unique user identification, you can log and track when they access or attempt to access the system. All actions within a system including administrative password resets for users are logged. Therefore activity around ePHI data is identifiable and can be easily attributed to an individual user.
3. Person or entity authentication
The goal of authentication is to verify if the user is authorized to interact with your system. QuickBlox HIPAA compliant message solutions provide secure authentication methods to ensure authorized access. Each user has a password and he can create a time-limited unique token session.
4. Automatic Logoff
HIPAA requires automatic logoff – in case of session end due to inactivity. If the user forgot to close the page, the chances of data theft increase.
QuickBlox provides full support for anonymous sessions. Its automatic logoff procedures can prevent unauthorized users from accessing ePHI. It helps to end any session after a set period of inactivity. To continue, the user needs to re-enter their password or authenticate in some other way.
5. Data encryption in rest & transit
To ensure the integrity of your data QuickBlox uses encryption both at rest and in transit. All databases are stored in encrypted form. QuickBlox works closely with your preferred hosting provider such as Amazon Web services, Microsoft, Azure, Oracle, and others — to ensure your stored data is fully secure and encrypted. So for example, you can also store your sensitive data in Amazon’s S3 bucket that provides both server-side encryption.
HIPAA requires transmission security, which is supported by QuickBlox messaging solutions. QuickBlox servers use Transport Layer Security (TLS) and Secure Sockets Layer (SSL). All communications to and from the server use TLS/SSL encryption with both server-side and client-side authentication for devices.
6. Backup
To prevent database corruption or PHI damage as a result of a server crash, or ransomware and cyber attacks, HIPAA messaging compliance requires backup of sensitive data. Backup systems create, store, and manage copies to ensure their recovery in case of a failure.
QuickBlox offers options for data backup storage. Most commonly, customer can choose a cloud provider to backup data including files, user information, and chat history generated by the services or we can work with the customer to deliver a private cloud, on premise deployment, or offline backup solution according to their requirements:
- Data Backup to cloud storage. QuickBlox allows you to subscribe to a certain storage capacity in the cloud vendor’s or service provider’s data center. The cloud vendors provide a variety of secure data storage. You need an internet connection to send backups to the cloud. We provide essential solutions to alleviate problems with uploading large amounts of data.
- Data Backup to hardware appliances. QuickBlox can work with your team to ensure HIPAA compliant communication solutions installed on your systems perform the backups and handle the backup process appropriately. Data backups are designed for the recovery of individual files or systems in the event of software failure.
- Data Backup to Network in a centralized NAS (Network Attached Storage), SAN (Storage Area Network), or a simple network share. QuickBlox works with your infrastructure team to ensure our databases, chat, and content storage integrates with your internal systems.
7. High availability / Disaster recovery support
High Availability is the ability of a system to switch over to a redundant system in case of component failure. Disaster Recovery stands for restoring the services to normal operations in the shortest possible time.
QuickBlox offers such a configuration when highly available cluster servers are used for an application in the production center.
The data is backed up in the recovery center and coupled with the High Availability design in the production center. QuickBlox works hard to ensure any hardware failure or even complete shutdown of a hardware host will not affect the availability of the application and the PHI data.
8. Data Disposal
QuickBlox provides the necessary steps to create and implement the disposal policies outlined by HIPAA as part of secure messaging regulations. They can assist you to configure your system so that it destroys data and /or backups automatically or on request.
Conclusion
If building a HIPAA compliant messenger app, choose a communications API provider that can offer you a solution that’s designed with HIPAA compliance in mind. QuickBlox compliant text messaging, voice and video calling API offers compliant message solutions for your healthcare organization.
Want to find out more about how QuickBlox can support your needs around data encryption and other technical safeguards,to avoid breach notifications?
Contact us now.
