HIPAA Compliance: Paper vs. Practical -- Which Does Your Telecom Provider Deliver?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 introduced new standards for the handling of protected health information and, in response, providers of all manner of services to healthcare companies today tout their “HIPAA Compliance”. The intent of signalling their compliance is usually to assure prospective and current customers that they are protected from risks relating to health information disclosure. But is this assurance real and should healthcare companies rely on it? The answer lies in a clear understanding of the difference between paper HIPAA compliance and practical HIPAA compliance.
- Paper HIPAA Compliance is what the vast majority of service providers mean when using the phrase “HIPAA Compliant” on their website and in their marketing and sales materials and activities. These businesses have signed a Business Associate Agreement or Contract (BAA) in order to handle Protected Health Information (PHI). What the BAA does, in essence, is address legal liability. It’s a piece of paper. But there are implications of PHI disclosure that a piece of paper cannot fully address.
- Practical HIPAA Compliance is my term for measures that prudent healthcare companies should require, in addition to a signed BAA, from all their service providers. Elements of practical compliance include business practices and rules conceived to assure compliance; systems and processes that are architected to secure PHI; and employees handling PHI who are properly trained on all the requirements. Practical HIPAA compliance doesn’t rely on a piece of paper and the naive hope that words on a page alone can protect PHI and prevent the damage from its unauthorized disclosure.
HIPAA Compliance is both a regulatory requirement and a customer and market expectation. A piece of paper, like a BAA, can deliver a meaningful level of protection from regulatory liability. However, it can do very little to protect a healthcare business from the damage to customer confidence and market credibility that results from a PHI disclosure. For this reason, healthcare businesses need to investigate their providers’ level of practical HIPAA compliance and put little credence in the paper kind when it comes to technology.
Voice calls and text messages are integral to most healthcare services. Doctors, nurses, and other healthcare professionals need to communicate and collaborate. Patients need to make and receive calls and texts regarding appointments, referrals, test results, bills, and payments. Many telecommunications services providers claim HIPAA compliance but do they mean paper or practical? Here are a few questions for a telecom provider that can be revealing:
- When calls or text messages are sent and received by the employees at our healthcare company, are the phone numbers masked on devices and in call records to prevent an easy reverse lookup with Google?
- If a patient calls and leaves a voicemail, is that message stored within the provider’s network? How are voicemails secured? Are they encrypted?
- If calls are recorded, for customer service and other purposes, where and how are those recordings secured, and are they encrypted?
- How are the contents of text messages -- making and confirming appointments and for other purposes -- secured from disclosure?
- For healthcare companies using telecom APIs from CPaaS providers like Twilio, Plivo, and Nexmo, or UCaaS providers like RingCentral, 8x8, and Mitel, are all the functions of their platforms including third-party plug-ins secured against unauthorized information disclosure?
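The first question above asks whether phone numbers in call records are masked so that a leaked record cannot be reverse-looked-up. As an added illustration (not code from the original article or from any provider it names), the following Python shows one way a call-detail-record (CDR) store can be written so that it holds no raw patient number: the number is truncated to its last four digits for display, and a keyed HMAC token replaces it for correlation across records. The function names, the `PSEUDONYM_KEY`, and the sample CDRs are all constructed for this example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample call detail records; all numbers are fictional.
# This is the shape a telecom platform might emit before redaction.
SAMPLE_CDRS = [
    {"ts": "2017-03-01T09:15:22Z", "from": "+1 (555) 010-4567",
     "to": "+15550109876", "duration_s": 184, "voicemail": False},
    {"ts": "2017-03-01T09:40:05Z", "from": "555-010-2222",
     "to": "+15550109876", "duration_s": 0, "voicemail": True},
]

# Hypothetical secret used to derive correlation tokens. In a real
# deployment it lives in a KMS/HSM and is rotated; it must never be
# stored alongside the CDRs, or the tokens become reversible by brute force.
PSEUDONYM_KEY = b"example-key-replace-and-rotate"


def normalize_e164(number: str) -> str:
    """Canonicalise the many ways a number is written into one E.164 form,
    so that "+1 (555) 010-4567" and "5550104567" map to the same token."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        # Assumption for this example: 10-digit inputs are North American.
        digits = "1" + digits
    return "+" + digits


def mask_number(number: str) -> str:
    """Keep only the last four digits: enough for a caller to recognise
    their own number on a device, not enough for a reverse lookup."""
    return "***-***-" + normalize_e164(number)[-4:]


def pseudonymize(number: str, key: bytes) -> str:
    """Deterministic keyed token so records for the same number can still
    be joined (billing, fraud review) without storing the number itself.
    A plain unkeyed hash would be reversible by hashing every number in a
    numbering plan, so the HMAC key is essential."""
    digest = hmac.new(key, normalize_e164(number).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def redact_cdr(record: dict, key: bytes) -> dict:
    """Return a copy of one CDR with both endpoints replaced by
    {masked, token}; non-identifying fields are kept as-is."""
    out = dict(record)
    for field in ("from", "to"):
        raw = record[field]
        out[field] = {"masked": mask_number(raw), "token": pseudonymize(raw, key)}
    return out


def redact_all(records: list, key: bytes) -> list:
    return [redact_cdr(r, key) for r in records]


def contains_raw_numbers(records: list, redacted: list) -> bool:
    """Check used before the redacted batch is written to storage: none of
    the original numbers (in E.164 form) may survive anywhere in the output."""
    blob = json.dumps(redacted)
    originals = {normalize_e164(r[f]) for r in records for f in ("from", "to")}
    return any(n[1:] in blob for n in originals)  # drop "+" before searching


if __name__ == "__main__":
    cleaned = redact_all(SAMPLE_CDRS, PSEUDONYM_KEY)
    assert not contains_raw_numbers(SAMPLE_CDRS, cleaned)
    print(json.dumps(cleaned, indent=2))
```

Note that the two sample records share a `to` number, so they receive the same token and can still be grouped, while the stored batch never contains the dialled number; the `contains_raw_numbers` check is the kind of gate a provider can point to when asked how call records are secured.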
The answers from a telecom service provider will be either paper -- referring to a BAA, tariff protection, or how many well-known healthcare clients they have -- or practical -- referring to the architecture of their network, the design of their application platform, and the procedures they have in place to assure ongoing best practices for securing PHI. Providers that offer paper assurances typically lack practical ones.
The consequences of paper-only HIPAA compliance can be devastating. Here are a few examples:
- A 12-physician pediatric and adult dermatology practice group paid $150,000 for HIPAA violations in 2016.
- Also in 2016 a five-physician cardiology group reached a $100,000 settlement as a result of a failure to comply with the HIPAA privacy and security requirements.
- An orthopedic clinic was forced to pay a $750,000 settlement as a result of a HIPAA violation involving a potential business partner.
- In 2014 Walgreens paid a $1.4 million award as a result of a HIPAA violation.
- Unsecured PHI cost a healthcare provider a $2.5 million settlement in 2017.
- A 2013 HIPAA violation cost a hospital $2.2 million.
Business communications are becoming more sophisticated and healthcare is no exception. Voice calls and text messages increasingly interface with systems including patient databases and scheduling platforms that involve information covered by HIPAA. Healthcare companies need to evaluate their telecom service providers and determine whether they are providing paper or practical protection from costly HIPAA violations.
The author leads business development for Fonative, The Compliant Communications Company(TM), which helps businesses connect with customers through voice and text messaging -- providing a regulatory-compliant Communications Platform as a Service (CPaaS). Learn more at Fonative.com.