Breaking down HIPAA compliance: how to choose a HIPAA compliant chat platform

Thanks to big data and the acceleration caused by the pandemic, communication in healthcare now demands extra attention. In order to stay relevant and improve the quality of patient care, more and more companies are following HIPAA guidelines. Ensuring that practitioners and patients are having their data protected is the first step to a brighter (and safer) future.

As pointed out by McAfee's Health Warning Report, hackers are spending more time and resources on monetizing health care data in dark web forums. One of the biggest data breaches in the US happened at American Medical Collection Agency (AMCA), a third-party vendor responsible for billing services. It has exposed over 20 million Americans, including their Social Security numbers.

Besides that, the current health crisis brings to light the urgency of ensuring safe communication in healthcare. Nowadays, 46% of US consumers use telehealth and this context is accelerating virtual care development and the need for a safe space for both patients and professionals. It’s about time we have modernized systems and ensure everyone’s data is being kept safe in a HIPAA compliant video conferencing platform.

But what exactly is the HIPAA privacy rule? And how to choose the right HIPAA compliant chat platform for quality-care to patients? These questions will be answered throughout this blog post and here you will also understand better how HIPAA works and its violations.

What does HIPAA stand for?

Data protection is an issue that concerns companies of all segments, but recently the healthcare industry has become an easy target of cyberattacks. Unlike financial data, medical data is not perishable, making hacking attractive and profitable for hackers.

And as data is this generation’s currency, you should worry about where you are keeping it and this is why the HIPAA law is so important right now.

Also known as Public Law 104-191, the HIPAA law stands for Health Insurance Portability and Accountability Act of 1996. It’s a United States federal legislation that sets data protection standards for patients and safeguards medical information.

HIPAA privacy rule is meant to standardize the electronic transmission of data between different healthcare organizations, so it reduces costs and also provides continuous health insurance coverage for people that quit or change jobs.

The HIPAA law also protects a patient's names, address, Social Security number, as well as provided treatments and an individual’s past and current health conditions. It prevents any identifiable health information from being shared, whether this data is held in a digital system, physical paper or even orally transmitted.

In case you’re wondering if your business should follow HIPAA guidelines, they only apply to:

• Health plans - health insurance companies, company health plans, Health Maintenance Organizations (HMOs) and government healthcare programs (for example, Medicare, Medicaid and military healthcare programs);
• Healthcare providers - doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies;
• Healthcare clearinghouse - organizations that process nonstandard health data received from other institutions into a standard format.

HIPAA violation and penalties

The law contains five titles, but the second one is what most refer to when it comes to HIPAA compliance. It requires healthcare organizations to implement safe electronic access to medical data and demands compliance with privacy regulations set by the U.S. Department of Health and Human Services (HHS).

The HHS issued the Enforcement Rule in 2006, setting quite severe penalties for organizations that fail to meet HIPAA compliance. Until then, there were few prosecutions for HIPAA violations and the Hospice of North Idaho (HONI) is considered the first and one of the most significant HIPAA violation examples. The investigation started when an unencrypted laptop containing medical records was stolen from an employee vehicle.

Read also: Is WhatsApp safe for companies? A quick guide for secure messaging

The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA, performing audits and issuing penalties in the case of not following HIPAA compliance. According to the HIPAA Journal, in 2019 the average penalty was over US$1.2 million.

The penalties for HIPAA violation may vary depending on the infraction, but they fall into four categories:

1. In case the organization is not aware they violated HIPAA: $100 per violation, with an annual maximum of $25,000 for repeat violations;
2. In case of reasonable cause for violating HIPAA: $1,000 per violation, with an annual maximum of $100,000 for repeat violations;
3. In case of willful neglect of HIPAA, but correcting violation within the given time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations;
4. At last, in case of willful neglect of HIPAA and not correcting the violation - $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

How to choose a HIPAA compliant chat platform

Communication in healthcare needs to be proactive when it comes to data protection. Even though the healthcare industry is pretty unprepared for dealing with security breaches, the FDA has created guidelines for secure medical devices. According to the organization, developers should focus on better communication channels to make sure data breaches are identified and fixed quickly.

We’ve come up with a quick checklist that will help you out when choosing a HIPAA compliant app.

1 - Be aware of where your data is being stored

Medical data needs to be comprehensible for everyone: patients, doctors, clinicians, health insurance offices and so on. Make sure you choose a platform that offers various integrations in order to make data interoperable across different systems.

With the exponential growth of telehealth, double check if your communication platform offers secure video calls. For HIPAA compliant video conferencing, avoid platforms that use third-party apps.

Choosing a HIPAA compliant cloud is a good start, but it’s way safer if your communication platform allows you to self-host it. This way you can rely on your infrastructure and solve problems faster, regardless of other company’s server and IT team.

Read also: Secure messaging: what makes Rocket.Chat a safe team collaboration platform?

2 - Open-source is the way, always

Even though end-to-end encryption is a great security indicator, it doesn’t mean your code is entirely safe. The best way to ensure medical data is secured is to have a HIPAA compliant chat platform that is open-source.

Open-source means having a whole community of developers checking on your code and improving its safety. Unlike closed-source platforms, open-source allows you to solve security breaches faster, so you don’t have to wait on the vendor’s developer team. Open-source platforms are more reliable as the code is available for everyone to see, improve and review.

3 - Make sure you address data to the right people

When choosing a platform that follows HIPAA compliance, you should keep in mind that designing a personnel screening process is part of the process.

Also, your platform should allow you to determine who has access to which data, so a customizable platform is the answer. You must set user roles and be able to modify permissions for your team whenever you need. This is a safe method for keeping medical data flowing in the right devices and teams.

The future is HIPAA compliant

The technology and healthcare industries are allies to unlock the full potential of health in the very near future. When we think of data liquidity we see it not only as a real solution but also a smart move that will permanently change the way we see health.

More and more companies are realizing how transparency and following HIPAA compliance are key elements for potential growth. At Rocket.Chat we believe everyone must own their data and that’s why we are open-source and globally compliant.

In case you have any doubts or want to get to know our platform, consultation is on us! Just shoot us an email and we’ll happily get in touch with you!