It has not been easy for technology to permeate the healthcare industry, primarily due to stringent regulations that protect patient privacy— specifically HIPAA and HITECH. These regulations are both good and necessary, pushing technology providers to become more secure and private in order to gain entry into a market that touches nearly everyone’s life in some capacity. The bar is high.
As such, it has taken some time for new technologies to take hold safely within healthcare. But we’ve reached a moment when secure electronic communications are finally becoming part of the fiber of doctor-patient relationships. The same fulfilling experience at the doctor’s office now can be experienced digitally, so patients can seek help when and where they need it. Or, a digital concierge could filter through the challenges consumers face when navigating health insurance policies and resources. In both cases, digital experiences can streamline health resources and democratize healthcare access for consumers.
The wave of possibilities this opens offers new channels for patients to get their questions answered, leading to higher patient satisfaction. A 2016 study underscores this point, finding that effective communication from providers is the strongest predictor of high patient satisfaction.
Concurrently, doctors understand that electronic communications are an invaluable tool for delivering better care. They see how, through mobile technologies, in particular, working on cases and collaborating with patients is easier, more convenient and highly effective.
Given this shift, it is worth looking at the three main types of electronic communications being leveraged by healthcare providers today— email, SMS and in-app chat— as well as where they fall from a HIPAA and HITECH compliance perspective.
Email: Tried and True?
Email has been around for decades. It’s a routine part of life, but for healthcare applications it has a couple of issues. First, email will always prioritize deliverability over encryption. Even when the sender’s email client supports encryption, that does not mean the message will be encrypted, because the outcome depends on the recipient’s email system: if it does not support encryption in return, the message is delivered unencrypted. This is a huge problem because it puts Protected Health Information (PHI) at risk. A study published in the Journal of the American Medical Association attributes 34.5% of PHI breaches during communication to email.
On top of this, there is no guarantee the recipient will actually open an email— whether or not it has been encrypted. Studies show that 25% of email remains unopened after 48 hours. If an email remains unopened by the intended recipient, electronic communication has not accomplished the goal of delivering information expeditiously.
Despite potential encryption issues and the chance that an important email might be missed, email is still widely used for communication. As such, organizations have to guarantee that their systems remain in compliance, which can be tricky because practices vary by email provider.
Healthcare organizations need a solution that meets three requirements:
1. Encrypts email 100% of the time from sender to recipient regardless of deliverability.
2. Supports automatic log-off to protect health information if an unauthorized user gains access to the device on which it is held.
3. Retains messages for up to six years to monitor and log any PHI communication appropriately.
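To make the deliverability-versus-encryption trade-off concrete, here is an added example in Go (written for this article, not code from the original post or from any email product) that parses a receiving mail server’s EHLO response and applies either the usual opportunistic policy, which falls back to plaintext, or an enforcing policy that refuses delivery instead, which is what requirement 1 above demands. The EHLO responses, the recipient address and the six-year retention deadline calculation are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// TLSPolicy controls what the sending gateway does when the receiving MTA
// does not advertise STARTTLS in its EHLO response.
type TLSPolicy int

const (
	// Opportunistic mirrors the default behaviour of most mail systems:
	// encrypt when the peer offers it, otherwise deliver in plaintext.
	Opportunistic TLSPolicy = iota
	// Enforce refuses to deliver unless the session can be encrypted.
	Enforce
)

// ErrNoSTARTTLS is returned under Enforce when the peer cannot encrypt.
var ErrNoSTARTTLS = errors.New("recipient MTA does not advertise STARTTLS; refusing plaintext delivery")

// Decision records what the gateway decided for one outbound message.
type Decision struct {
	Recipient string
	Transport string // "tls" or "plaintext"
	At        time.Time
}

// ParseEHLO extracts the advertised extension keywords (e.g. "250-STARTTLS")
// from a multi-line EHLO response. The first 250 line is the server greeting
// and is skipped; keywords are returned upper-cased.
func ParseEHLO(response string) map[string]bool {
	exts := map[string]bool{}
	for i, line := range strings.Split(strings.TrimSpace(response), "\n") {
		line = strings.TrimSpace(line)
		if i == 0 || len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		if fields := strings.Fields(line[4:]); len(fields) > 0 {
			exts[strings.ToUpper(fields[0])] = true
		}
	}
	return exts
}

// Route decides whether one message may be sent given the peer's EHLO
// capabilities. Under Enforce it returns ErrNoSTARTTLS rather than
// downgrading; under Opportunistic it sends either way, which is the
// deliverability-first behaviour described in the article.
func Route(recipient, ehlo string, policy TLSPolicy, now time.Time) (Decision, error) {
	d := Decision{Recipient: recipient, At: now}
	if ParseEHLO(ehlo)["STARTTLS"] {
		d.Transport = "tls"
		return d, nil
	}
	if policy == Enforce {
		return Decision{}, ErrNoSTARTTLS
	}
	d.Transport = "plaintext"
	return d, nil
}

// RetentionDeadline returns the date until which the audit record of a
// delivery must be kept. The article cites six years; counting from the
// time of sending is an assumption of this example.
func RetentionDeadline(sent time.Time) time.Time {
	return sent.AddDate(6, 0, 0)
}

// Constructed sample EHLO responses (not captured from any real server).
const ehloWithTLS = "250-mx.example.org Hello\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
const ehloWithoutTLS = "250-mx.example.org Hello\n250-SIZE 10240000\n250 8BITMIME"

func main() {
	now := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct{ name, ehlo string }{{"tls-capable", ehloWithTLS}, {"legacy", ehloWithoutTLS}}
	for _, tc := range cases {
		for _, p := range []TLSPolicy{Opportunistic, Enforce} {
			d, err := Route("patient@example.org", tc.ehlo, p, now)
			fmt.Printf("%-12s policy=%d -> transport=%q err=%v (keep audit record until %s)\n",
				tc.name, p, d.Transport, err, RetentionDeadline(now).Format("2006-01-02"))
		}
	}
}
```

The point of the enforcing branch is that a refusal is a visible, auditable event that can be routed to a secure portal or another channel, whereas the opportunistic fallback silently sends PHI in the clear. In a real deployment this decision lives in the mail gateway’s configuration rather than in application code; the example only isolates the logic.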
SMS: The Mobile Standard
Today, with a mobile phone found in nearly every consumer’s pocket, SMS has tremendous value. Studies estimate that approximately 90% of texts are read. Additionally, SMS provides an immediacy email lacks. But, the technology comes with a slew of HIPAA challenges.
For example, text messages generally don’t require authentication. As such, anyone with access to the phone has access to its text messages (and any PHI in them) without a password. Additionally, messages can stay on a mobile device indefinitely, which can expose a user’s data to unauthorized users if a phone is lost, stolen or recycled. On top of this, encryption over telephony networks is not as easy as encrypting information communicated over-the-top, which uses TLS/SSL and AES256.
Other issues include the fact that texts are not usually logged continuously. With neither these logs nor the ability to retain messages, businesses cannot audit their records according to HIPAA rules. It is also difficult for individuals to access or amend their PHI, as allowed by the HIPAA Privacy Rule.
All of these challenges can be overcome, however, with the right third-party solution. To successfully leverage SMS, organizations need to identify solutions that:
– Ensure that every authorized user has a unique ID and password for the SMS solution in order to monitor and log communications.
– Enable automatic log-off so that unauthorized users cannot access PHI if they gain access to a phone.
– Encrypt communications in transit so that an intercepted message exposes no readable or usable PHI.
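The first two requirements above (a unique ID per user so that communications can be logged, and automatic log-off) are the same as requirement 2 in the email section, and both can be illustrated with a small session store. The following Go code is an added example written for this article, not code from the original post or from any SMS vendor; the five-minute idle timeout, the device identifiers and the message text are assumptions, and password verification is assumed to have happened before Login is called.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IdleTimeout is the inactivity window after which a session is logged off
// automatically. The article asks for automatic log-off but names no
// interval; five minutes is an assumption of this example.
const IdleTimeout = 5 * time.Minute

var (
	ErrNoSession   = errors.New("no active session on this device")
	ErrIdleTimeout = errors.New("session expired: automatic log-off")
	ErrNotFound    = errors.New("no such message")
)

// Session ties activity on one device to one unique, authenticated user ID.
type Session struct {
	UserID   string
	Device   string
	LastSeen time.Time
}

// AuditEntry is one record of the communication log that HIPAA audits rely on.
type AuditEntry struct {
	At     time.Time
	UserID string
	Action string // "login", "read" or "auto-logoff"
	MsgID  string
}

// Store holds live sessions, delivered messages and the append-only audit log.
type Store struct {
	sessions map[string]*Session // keyed by device identifier
	messages map[string]string   // message ID -> text (assumed already decrypted)
	Audit    []AuditEntry
}

func NewStore() *Store {
	return &Store{sessions: map[string]*Session{}, messages: map[string]string{}}
}

// Login binds a device to a user ID. The caller has already verified the
// user's unique ID and password; credential checking is outside this example.
func (s *Store) Login(userID, device string, now time.Time) {
	s.sessions[device] = &Session{UserID: userID, Device: device, LastSeen: now}
	s.record(now, userID, "login", "")
}

// Deliver makes a message available to the store; nothing is shown yet.
func (s *Store) Deliver(msgID, text string) { s.messages[msgID] = text }

// Read returns message text only to a live, non-idle session. Once the idle
// timeout has passed the session is torn down and the event logged instead of
// serving PHI, which is what protects a phone that has been lost or picked up
// by someone else. Every successful read is audited under the user's ID.
func (s *Store) Read(device, msgID string, now time.Time) (string, error) {
	sess, ok := s.sessions[device]
	if !ok {
		return "", ErrNoSession
	}
	if now.Sub(sess.LastSeen) > IdleTimeout {
		delete(s.sessions, device)
		s.record(now, sess.UserID, "auto-logoff", msgID)
		return "", ErrIdleTimeout
	}
	text, ok := s.messages[msgID]
	if !ok {
		return "", ErrNotFound
	}
	sess.LastSeen = now
	s.record(now, sess.UserID, "read", msgID)
	return text, nil
}

func (s *Store) record(at time.Time, user, action, msgID string) {
	s.Audit = append(s.Audit, AuditEntry{At: at, UserID: user, Action: action, MsgID: msgID})
}

func main() {
	t0 := time.Date(2017, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	s := NewStore()
	s.Login("user-42", "phone-A", t0)
	s.Deliver("m1", "constructed sample: your appointment is confirmed")
	fmt.Println(s.Read("phone-A", "m1", t0.Add(time.Minute)))   // served and audited
	fmt.Println(s.Read("phone-A", "m1", t0.Add(7*time.Minute))) // idle too long: auto log-off
	fmt.Println(s.Read("phone-A", "m1", t0.Add(8*time.Minute))) // no session any more
	for _, e := range s.Audit {
		fmt.Printf("%s %s %s %s\n", e.At.Format(time.RFC3339), e.UserID, e.Action, e.MsgID)
	}
}
```

Note that the audit log records the user ID rather than the phone number or device: that is what makes the log attributable to a person during an audit, and it is exactly what a carrier SMS transcript cannot provide.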
In-app Chat: The Future of Doctor/Patient Communications
The third option for electronic communications in healthcare is in-app chat. It is perhaps the most secure way to communicate in a compliant manner, because user authentication is required at log-in and each user has a unique ID. Additionally, data is encrypted in transit using TLS/SSL and at rest using AES256, and most companies maintain continuous logs, which make audits possible.
There are a number of other benefits, including:
– Chat enables both synchronous and asynchronous communications for the ideal user experience.
– Solutions provide secure photos, videos, and other file-sharing capabilities.
– Chat messages and other data can be retained according to organizational policy, and an administrator can set how long a message persists.
– Read receipts acknowledge that recipients have viewed the information.
– An extra layer of authentication is provided, and an administrator can remotely delete any information if a device is lost or stolen.
As with any electronic communication channel dealing with PHI, there are risks that accompany chat, but they can be mitigated relatively easily. First, PHI must not be disclosed in push notifications that link back to in-app chat. Instead, users should be notified that they have a new secure message and provided a link that requires authentication.
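As an added example of the chat properties listed above and of the push-notification rule (written for this article in Go; it is not code from the original post or from SendBird), here is a message store that keeps messages encrypted at rest with AES-256-GCM, applies an administrator-set retention period, supports remote deletion of a user’s messages after a device is lost, and renders the push notification from the message ID alone so it cannot carry PHI. The key, retention period and sample message body are constructed; transport encryption and user authentication are assumed to happen before these functions are called.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrExpired  = errors.New("message is past its retention period")
	ErrNotFound = errors.New("no such message")
)

// Message as held at rest: ciphertext plus metadata that carries no PHI.
type Message struct {
	ID         string
	Recipient  string // a user ID, never a patient name
	Nonce      []byte
	Ciphertext []byte
	Expires    time.Time
}

// Vault encrypts every stored message and enforces the retention period.
type Vault struct {
	aead      cipher.AEAD
	Retention time.Duration // configured by an administrator
	msgs      map[string]Message
}

// NewVault requires a 32-byte key, i.e. AES-256 (a 16-byte key would silently select AES-128).
func NewVault(key []byte, retention time.Duration) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, Retention: retention, msgs: map[string]Message{}}, nil
}

// Store seals the body with AES-256-GCM under a fresh random nonce. The message ID is
// bound as associated data so a ciphertext cannot be re-filed under another ID.
func (v *Vault) Store(id, recipient, body string, now time.Time) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(body), []byte(id))
	v.msgs[id] = Message{ID: id, Recipient: recipient, Nonce: nonce, Ciphertext: ct, Expires: now.Add(v.Retention)}
	return nil
}

// Open decrypts a message for an already-authenticated caller; once the retention
// period has passed the record is purged instead of being served.
func (v *Vault) Open(id string, now time.Time) (string, error) {
	m, ok := v.msgs[id]
	if !ok {
		return "", ErrNotFound
	}
	if now.After(m.Expires) {
		delete(v.msgs, id)
		return "", ErrExpired
	}
	pt, err := v.aead.Open(nil, m.Nonce, m.Ciphertext, []byte(id))
	if err != nil {
		return "", err // GCM authentication failed: tampered ciphertext or wrong key
	}
	return string(pt), nil
}

// Wipe deletes every message addressed to one user, the server-side half of a remote
// delete after a device is lost or stolen. It returns how many records were removed.
func (v *Vault) Wipe(recipient string) int {
	n := 0
	for id, m := range v.msgs {
		if m.Recipient == recipient {
			delete(v.msgs, id)
			n++
		}
	}
	return n
}

// Notification builds the push text from the message ID alone. It has no access to the
// key or the body, so it cannot disclose PHI; the link must open an authenticated view.
func Notification(id string) string {
	return fmt.Sprintf("You have a new secure message. Sign in to read it: app://inbox/%s", id)
}

func main() {
	key := make([]byte, 32) // constructed all-zero key; real deployments use a key-management service
	v, _ := NewVault(key, 30*24*time.Hour)
	now := time.Now()
	_ = v.Store("m1", "user-42", "constructed sample message body", now)
	body, err := v.Open("m1", now)
	fmt.Println(body, err, Notification("m1"))
}
```

Two design points are worth noting: the retention period is enforced by the store itself rather than left to clients, and the notification function is deliberately given no path to the plaintext, so a later change to the notification template cannot reintroduce PHI into a lock-screen preview.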
Also, while some technology providers claim to be HIPAA compliant, they resist signing a business associate agreement (BAA) because they don’t want to assume liability if an issue arises. This should be non-negotiable. Do not sign with a provider without a BAA. Period. It ensures the protection of the healthcare organization, and more importantly, the patient. It also demonstrates that the vendor truly understands and prioritizes compliance with HIPAA and HITECH.
In reality, organizations will leverage all three communications channels highlighted above in order to adequately address the needs of patients. They must meet patients (and providers) where they are to have an impact. Moving into the future, the organizations that lean heavily on in-app chat will not only win points on security and compliance, but will win on patient experience as well, earning patient loyalty as they facilitate the delivery of quality care in the most convenient channel for consumers. These digital interactions will help expand secure, private, and satisfying healthcare experiences beyond the doctor’s office and deliver them wherever consumers have their smartphone.
About John Kim
John S. Kim is the Cofounder and CEO of SendBird (Y Combinator W16), a B2B startup providing a messaging solution for enterprises. The platform currently serves tens of millions of monthly active users and many of the best-known logos around the world, like Yahoo! Sports, GO-JEK, Hinge and one of the most active websites in the world. John is a serial entrepreneur and an expert in the messaging space.