HIPAA Communication News

Repurposing a Text Alert System for Business as a HIPAA Compliance Helpline

Because a text alert system for business lacks the mechanisms for HIPAA compliance, the concept of using such a system as a HIPAA compliance helpline may seem a little out of the box. However, there are good reasons for suggesting this secondary use of a text alert system, which can also have benefits in training personnel to become more HIPAA compliant.

In a medical environment, a text alert system for business is one of the most effective ways of alerting large numbers of personnel simultaneously to an emergency event. During the emergency event, the text alert system can also be used to coordinate emergency response and check on the wellbeing of personnel, and used for business continuity when other channels of communication are inoperative.

A text alert system for business is typically fast and reliable, and – because text messages sent through the system are recorded for review – the messages are accountable. This makes the system an ideal tool for internal communications during non-emergency events; and one potential non-emergency use of a text alert system for healthcare organizations is as a HIPAA compliance helpline.

The Purpose of a HIPAA Compliance Helpline

The purpose of a HIPAA compliance helpline is to be a source of information for personnel struggling with the complexities of the HIPAA Privacy Rule. Although most personnel will have undergone HIPAA compliance training, there may be times when situations arise that have not yet been covered by the training or – due to the complexity of HIPAA – the person is confused by the context of the situation.

In these circumstances, it can be useful to have a designated authority (i.e. a compliance officer) at the other end of a communications channel in order to provide answers to HIPAA-related questions. Because of the speed of text messaging, the person in need of guidance only needs to text their question to the compliance officer and receive an appropriate answer almost immediately.

By using a text alert system for business in this way, the scenario is avoided in which a person is not sure about whether or not to disclose PHI to a third party, they ask a colleague who is equally unsure, and between them they arrive at an incorrect conclusion. In this respect, repurposing a text alert system for business as a HIPAA compliance helpline can avoid unintentional breaches of HIPAA.

The Secondary Benefit of Repurposing a Text Alert System for Business

Because a text alert system for business is not HIPAA compliant, the system cannot be used to communicate PHI. Therefore, requests for assistance about HIPAA-compliant uses, disclosures, and procedures should not reveal any personally identifiable information. However, the way in which the system is used by personnel will reveal a lot to compliance officers about who does – or does not – understand the HIPAA Privacy Rule.

In addition, there may be situations that arise that are unique to a location or medical service, and not covered by the general HIPAA guidelines. These situations can be incorporated into future HIPAA compliance training in order to address any potential confusion about them in advance. By using the conversations recorded by the text alert system for business, compliance officers can deliver more relevant training based on real-life examples in order to train personnel to be more HIPAA compliant.

In conclusion, a text alert system for business may not be HIPAA compliant, but it is the most effective way to communicate an emergency in compliance with the CMS' Emergency Preparedness Rule. Healthcare organizations investing in a text alert system may only use it for training and for when an emergency occurs; but there are many other use cases in which organizations can extract additional value from the system. Using it as a HIPAA compliance helpline is just one of them.

The post Repurposing a Text Alert System for Business as a HIPAA Compliance Helpline appeared first on HIPAA Journal.

Preparing Emergency Text Notification for Business in a HIPAA Compliant Age

Businesses subject to HIPAA regulations have to take care when using emergency text notification systems to ensure Protected Health Information (PHI) is not disclosed without authorization. HIPAA compliance policies can be difficult to enforce during an emergency, but a little preparation can help mitigate the risk of a HIPAA breach.

Emergency text notification systems for business are an effective way to alert personnel to an emergency incident in healthcare environments (such as fires, active shooter events, and severe weather), especially when they are integrated with other alert systems such as sirens, visual alarms, and digital signage. However, in a healthcare environment, medical personnel are subject to HIPAA regulations which prohibit the unauthorized disclosure of Protected Health Information (PHI).

Under normal circumstances, it is difficult to think of many scenarios in which an emergency text notification for business would contain PHI. However, in a stressful emergency situation, the risk exists that medical personnel might inadvertently disclose PHI while sending an emergency text notification, or that the notification might be received by individuals outside the healthcare environment who don't appreciate the significance of the PHI and forward the notification to other individuals.

Emergency Text Notification Systems are Not HIPAA Compliant

Emergency text notification systems that send alerts via multiple communication channels are not HIPAA-compliant because the devices on which notifications are received do not have mechanisms to comply with the technical specifications of the HIPAA Security Rule – for example encryption, access controls, and automatic log-off. Furthermore, copies of SMS text messages, emails, and social media postings remain on service providers' servers permanently with no means of retracting them.

Nonetheless, emergency text notification systems – especially those which integrate with other alarm systems – are the most effective way to comply with the Communication Plan requirements of the CMS' Emergency Preparedness Rule. Depending on how the system is utilized, it can also be the most effective way of coordinating emergency response and ensuring business continuity during a long-term emergency. Therefore, HIPAA covered entities need to take steps to mitigate the risk of a HIPAA breach.

How to Mitigate the Risk of a HIPAA Breach in an Emergency Text Notification

The best way to avoid accidental disclosures of PHI in an emergency text notification is to have notification templates prepared in advance. The CMS' Emergency Preparedness Rule stipulates healthcare environments should plan responses to events such as pandemics, nuclear explosions, and natural incidents. It is a good idea not only to prepare notification templates for these types of events, but also for fires, active shooters, and the likely types of severe weather for the area.

In order to prevent individuals receiving emergency text notifications not intended for them, the personnel database should be segmented by role, location or other attribute in order to ensure the right people receive the right messages at the right time. In the event of an active shooter, for example, you only want the individuals in the immediate vicinity to initiate a lockdown. Alerting everyone else to the event may cause unnecessary panic that could hinder emergency response efforts.

The post Preparing Emergency Text Notification for Business in a HIPAA Compliant Age appeared first on HIPAA Journal.