Hippa

[Pennie 26]

:-o Does instant messaging compromise HIPAA security?

 

 

Published March 2004

 

 

Some of our employees would like to use instant messaging (IM) to communicate at work and from home with team members or other managers. Is that an acceptable practice under

 

HIPAA?

The HIPAA regulations do not and are not likely to ever specify technologies that are permissible and prohibited. IM may be easy to use and it will let others know when you're "online," which is sometimes a business convenience. However, permitting use of IM, especially for transmitting confidential information, when an organization is still struggling to control e-mail use is not prudent. Many e-mail concerns also apply to IM.

For example, is the transmission encrypted if off the local network? Is the authentication of sender and receiver adequate? Where are copies of messages stored at the source, the destination, and "along the way"? And how are those stored copies purged? How is message integrity ensured? If messages are relevant to a given patient, how is the message linked to the patient's electronic record, if at all?

IM is also subject to its own set of technical vulnerabilities and attacks, so its use presents the security team with the additional burdens of technically securing IM and training the work force on protective measures. Hence, it appears that today most healthcare organizations prohibit or severely limit IM use, and with good reason.

 

Editor's note: Kate Borten, CISSP, formed The Marblehead Group, Inc., a national security and privacy consulting firm focused on the healthcare industry. If you have a question for her, write to Briefings on HIPAA, P.O. Box 1168, Marblehead, MA 01945, or e-mail Briefings on HIPAA Managing Editor John Leonard at jleonard@hcpro.com. This is not legal advice. Be sure to consult with your facility's legal counsel for legal matters

[Miguel 4]

I have noticed that e-mail sent from my facility have a little box at the bottom that explains if there is any information in the e mail being sent regarding a resident or is not supposed to be sent with the e mail to please contact a number they have and a report is filed, I think in any case e mail/Instant messaging need not be used when dealing with resident confidentiality, and if you are going to use it BE VERY CAUTIOUS AND KNOW WHERE YOU ARE SENDING THE INFORMATION!!!