The federal Health Insurance Portability and Accountability Act (HIPAA) sets the standards by which health personnel (covered entities) and business associates (parties who may have access) are to deal with patient health information (PHI) which is often times now discussed, transmitted, and even stored electronically, i.e., SMS text, Instant Messaging (IM), the hard drive on a copy machine, or a work use laptop.

The standards are in two parts, which in summary suggest:

  1. PHI is confidential and must be protected at all times. There are rules governing when it can be used, when permission must be obtained, and what are your patients’ rights to the information; this is considered the Privacy Rule.
  2. The Security Rule applies to electronic transmission of PHI (E-PHI) and specifies the type of security measures that are needed to protect the confidential data and comply with the rule.

The standards are enforceable by law with stiff penalties for any breach in privacy or security that you, your systems, your organization, or your business associates may commit. If you aren’t convinced yet, there’s a case where a $1.7 million settlement was awarded in an instance where a data drive was stolen from an employee of the Alaska Department of Health & Human Services that could have contained E-PHI. There are many other examples at the HHS government website.

With respect to any messaging application, including Cisco Jabber IM, you are absolutely not compliant with HIPAA standards when transmitting E-PHI and your organization will need to implement a Compliance Solution, such as a recording platform with Ethical Wall, while using Cisco Jabber IM, to maintain HIPAA compliance.

Although there is nothing in HIPAA that says you cannot transmit E-PHI using IM, the security rule gives an outline for behavior if you choose to engage in IM with E-PHI. The guiding principles here are technical measures that need considering before messaging E-PHI. Ask yourself if your platform is capable of:

With Ethical Wall, the aforementioned protocols are all readily established.

Essentially, IM usage and HIPAA compliance can be attained by implementing appropriate security measures, access policies, and protective measures to the devices and applications containing E-PHI. Also, conducting a risk analysis for your organization on a regular basis, to ensure controls in place are still relevant, will ensure the ongoing compliance your industry demands.