Health data is extremely sensitive and heavily regulated for good reason - from physical ailments to mental health checkups, everyone deserves privacy when communicating with their healthcare provider! Anxieties about doctors wielding HIPAA-violating time bombs (aka "smartphones") in their pockets are absolutely justified, as these devices present countless opportunities for accidental compromises of protected health information (PHI). From unencrypted text messages to X-rays stored on a camera roll, a breach of a healthcare professional's phone has the potential to land everyone in hot water.
HIPAA-compliant file sharing
You may be wondering: is it safe to transfer files on HIPAA-compliant apps? The answer is complex. Many apps support HIPAA compliance, but unless your team uses them correctly, HIPAA compliance may remain elusive. Sustainable HIPAA compliance is the result of properly trained, conscientious users backed up by effective technology.
The penalties for getting it wrong
The consequences when things go wrong can be severe. A tiered system applies to organizations for HIPAA violations, and fines can run anywhere from $50 to $50,000 per violation. Furthermore, individual employees can also face sanctions for failing to follow HIPAA requirements. As the HIPAA Journal points out: ‘Employee sanctions for HIPAA Violations vary in gravity from further training to dismissal’.
So what do healthcare providers need to ensure?
There are many ways that organizations can ensure compliance. Here are a few quick tips that we recommend to our customers regardless of platform choice:
1. Get a Business Associate Agreement
A business associate agreement (BAA) is a written agreement that sets out the responsibilities of each party involved in sharing PHI. For example, when you use Trillian, a BAA is tied directly into our standard customer agreement for qualifying paid customers. Other apps will similarly bake their BAA into their terms of service, but in some cases you may need to sign a separate BAA! Be warned: in many cases, free accounts are not eligible for a BAA, so check that you have the right level of support before sharing files.
2. Ensure you have an audit trail
Trillian provides each of your users a unique username, allowing organization account administrators to set permissions and monitor activity accordingly. Admins can also disable user accounts when employees leave while still preserving user data until such a time as it can safely be deleted. File sharing services provided by Google Suite and Box offer the same controls, and you'll want to pick a service that gives you a clear audit trail of "who's sharing what and how".
3. Consider the bigger picture with larger cloud suites
Operator responsibility - that's you - is underscored in the HIPAA Journal, where they point out that ‘compliance is more about the user than the cloud service provider.’ For example, certain office productivity suites offer file sharing, chat, and more, and not all of these services are covered by a BAA! It is therefore your responsibility to know which services within a larger suite are HIPAA compliant and which are not.
The key point to remember is that technology itself does not provide organizations with HIPAA compliance! HIPAA compliance remains a shared responsibility between the people using the technology and the vendors who supply it.