Stressing About HIPAA Compliance

If you are not a healthcare organization like a hospital or doctor’s office and you’re worried about complying with HIPAA rules, take a breath.

Although you hear “HIPAA won’t allow this” or “I can’t do that because of HIPAA rules,” the Health Insurance Portability and Accountability Act (HIPAA) does not apply in many of the cases where it is cited. For example, HIPAA only applies to “covered entities.” That means healthcare providers like hospitals, doctors, pharmacies, health insurers, and healthcare clearinghouses. It also applies to the business associates of those entities, such as companies that handle medical records as a vendor. These entities are required to keep your protected health information (PHI) secure and private.

If you aren’t a “covered entity,” i.e., a healthcare provider, you aren’t affected by HIPAA rules. Instead, your handling and disclosure of PHI may be governed by your customers’ expectations of privacy, or by other applicable state or federal privacy laws.

HIPAA stands for portability

Sara Morrison wrote a useful guide to HIPAA – what it covers, what it doesn’t – for Vox. In it, she makes it clear that the single “P” in HIPAA does not stand for privacy. It stands for portability.

Morrison points out that the law was created in 1996 to address the massive digitization of health data that was coming, and it didn’t go into effect until 2002. HIPAA, she writes, contains “provisions to prevent healthcare fraud, simplify and standardize medical records, rules for pre-tax employee medical savings accounts, and to ensure continuous health insurance coverage for employees who lost or changed their jobs.” Privacy is addressed in the “administrative simplification” section.

Privacy concerns are the reason that healthcare providers and insurance companies might insist that you use HIPAA-compliant channels or patient portals to communicate with them.

SMS-Magic is considered a “business associate” of healthcare organizations and insurers and must take extra measures to uphold HIPAA’s protections. We agree to sign a Business Associate Agreement and to implement controls that maintain reasonable and appropriate measures for protecting ePHI. We are also considered a “Conduit from Source to Destination,” which doesn’t require a signed agreement. Our core objective is to ensure the confidentiality, integrity, and availability of all ePHI.

We do that in three areas: technical safeguards, physical safeguards, and administrative safeguards.

Technical Safeguards

Our technical safeguards include use of access controls, integrity controls, audit controls, identity authentication, and transmission security to avoid unauthorized PHI access.

  • Access Control: SMS-Magic has implemented security measures to prevent unauthorized access to PHI. Access control policies have been defined and are periodically revisited and updated.
  • Audit Controls: SMS-Magic systems have been designed to ensure compliance with HIPAA regulations for text messages. Systems produce audit logs so administrators can monitor usage.
  • Message Deletion: SMS-Magic Platform systems are integrated to delete text messages from the SMS-Magic Platform once they have been processed and sent.
  • Transmission Security: SMS-Magic uses industry-standard transmission security for PHI. SMS-Magic systems are designed to use 2048-bit RSA for encryption in transit.

Physical Safeguards

We take extra precautions to ensure the physical security of our servers and systems in the following ways:

  • Security Procedures: We have established security procedures to ensure that ePHI cannot be improperly altered, or saved to an external hard drive, desktop computer, or mobile device.
  • Authorized Users: SMS-Magic systems handle all PHI encryption and are accessible only on a secure network by authorized users.
  • Risk Assessments: SMS-Magic performs regular risk assessments of unauthorized physical access to its servers.

Administrative Safeguards

Screen Magic administrative measures include administrative actions, as well as policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

  • Security Management Process: We perform risk analysis and information system activity reviews, and we practice ongoing risk management.
  • Information Access Management: We manage access authorization to ePHI.
  • Security Awareness and Training: We conduct periodic training and awareness sessions, send security reminders and notifications, protect systems from malicious software, manage passwords, and monitor log-ins.
  • Security Incident Procedures: We maintain a data backup plan, a disaster recovery plan, an emergency mode operation plan, and ongoing incident response and reporting requirements.

Conduit from Source to Destination

Because of the nature of our service, SMS-Magic is considered a “Conduit from Source to Destination.” That means we designed our software to transmit ePHI without retaining or accessing the information except on a random or infrequent basis. We are a conduit for your information, not a warehouse.

HIPAA regulations are in place to prevent sensitive information from falling into the wrong hands. Abiding by these rules and regulations helps protect data privacy and keeps everyone clear of fines and litigation. Although HIPAA compliance can appear to be an obstacle to using communication technologies in the healthcare industry, we offer a well-organized, experienced, and compliant business as your partner.

Contact us today to help your business engage customers, capture leads, build a pipeline, and increase revenue.
