This guide is for healthcare IT managers and not healthcare software developers. There are no code examples here – just overall guidance on how to create a HIPAA secure communications platform for your practice.
Sooner or later, as your practice grows, you start taking HIPAA security more seriously. You know the drill 🙂 Your daily communications include
- Your providers, who share various PHI
- Your practice staff, who share PHI with each other
- Your referring partners, who share PHI with you
- Your field sales reps or physician liaisons, who need PHI as they go from provider to provider marketing your practice
- Your patients, who prefer to text or WhatsApp rather than call your practice and talk to you. They own their health information; you are simply its custodian
On top of this, you have high levels of staff attrition and you need to constantly authorize and un-authorize access to PHI.
This is the reality of the world that we live in. Everyone wants instant communication and they expect communications to be as easy as sending an SMS or a WhatsApp. However for folks in healthcare, this is a nightmare as they are directly responsible for protecting patient PHI. The fines are pretty steep.
Of course, you have communication channels that include:
- Social media (facebook, twitter, instagram – however you market)
So, how do you really streamline these communications and make your staff’s lives easier?
Sure, you could use SMS, WhatsApp or fax with your partners – but patients don’t have easy access to fax machines. What do you do?
Every single piece of communication is usually associated with patient data one way or another. So even if you do use some of the 200+ tools on the market, your staff have to switch back and forth between your EMR or EPM and the communication channel they’re using.
This is where most of these messaging platforms fail – they give you YET ANOTHER TOOL to communicate through and to manage.
This doesn’t work and will not work – trust me, we have been down this road before.
If you look around for the number of options available for HIPAA secure communication platforms – they are endless. At last count I found about 200+ HIPAA secure chat apps available on the app stores (most of which really don’t have good reviews, but that’s beside the point).
So how do you bring all these together?
You need a single platform wherein you have all communication channels tied together:
- Social media (facebook, twitter, instagram – however you market)
- Whatever else you do..
The most important part is this – this communication platform needs to be tightly integrated with your EPM/EMR so that you can actually do what’s most important – communicate/share PHI that is resident in your EMR/EPM.
If you want to have your own HIPAA secure communication platform or if you are launching a HIPAA secure communication platform to compete with the 200+ options that are already available out there, this is a guide for you.
Let’s break down what is really involved in creating a platform of this sort. You’re going to need:
- A bulletproof, HIPAA secure authentication and authorization mechanism – you are going to need to authenticate and authorize your staff
- An easy way to invite and on-board your practice staff, your doctors, your patients & your partners (3rd party stakeholders) to your platform
- A way for your third party stakeholders to communicate with you even if they do not use your platform, because let’s be honest, you’re never going to convert everybody to using your platform.
- A super fast chat mechanism that also follows HIPAA security guidelines. Why? Because WhatsApp and SMS have changed the expectations of users. And just because you have to protect PHI, you cannot use this as an excuse for poor / slow messaging
- A secure way of sharing media files – patient images, patient records, PDFs, etc.
- Profile and account management, so that people can keep their own personal information private and up-to-date
- The ability for each person to manage their communications – just like we do with email, where we archive, delete or file away communications based on our needs.
- The ability to forward a message to the appropriate person so that they can respond to the incoming message. As you know, people communicate with people they know – but the recipient is not always the person that needs to take action on the incoming message.
- The ability to remind yourself or snooze an incoming message to be able to respond to or address later on (well, you are busy, aren’t you?)
- The ability to broadcast messages across your practice, to your patients and possibly to your third-party partners (seems to happen all the time – doesn’t it? Providers are humans too, after all 😛 )
Creating real time communication platforms is notoriously hard. Unless you’re working with the top messaging companies like WhatsApp, Facebook, Google, Tiger Text etc, I bet you my bottom dollar that you do not have an IT team or developers on your staff that can handle real time communications platforms.
So, what do you do?
Fear not, as there are many vendors who have already solved the really difficult aspects of real-time communications for you and there is absolutely no reason for you to reinvent the wheel.
The last time I went through this research I found many vendors that have real time messaging platforms. Here’s a partial, non-exhaustive list:
- Telegram (it has open APIs)
- WhatsApp (it has opened up some APIs)
- Many, MANY more…
What you really want to concentrate on are the features that bring more value to your practice, rather than the messaging infrastructure itself.
In fact, I would contend that you need to concentrate LEAST on the chat APIs.. that’s a problem you should outsource to a vendor that does this for a living… for a price.
What you do need to concentrate on:
- HIPAA security of messaging and of PHI being shared
- HIPAA security of media being shared and stored
- Authentication and authorization of people using your platform
- Real time notifications (something that really belongs in the hands of Apple and Google Gods)
- Ability to integrate your EMR/EPM with the messaging platform
- Ability to communicate PHI information with folks that do NOT want to use your platform
- Ability to integrate SMS, Whatsapp, real time messaging, fax and possibly email
- Ability to do audio or video calling if you need it
- Chatbots to solve your social media and website communications
- Ability to add special features like booking appointments, scheduling a time on your calendar to discuss further, giving options to users, sharing images (or their screen) etc.
Always keep in mind who you have control over:
- Your practice staff – you can dictate what they do and how they communicate
- People outside your practice – you cannot possibly dictate what they do, how they choose to communicate with you
You are going to use a 3rd party chat API / platform. Make sure that they are willing to sign a BAA with your firm. If they do not, it’s a non-starter. Yes, these 3rd party vendors are expensive but think about it this way – it’s a LOT more expensive to build the entire messaging infrastructure, maintain it, secure it and guarantee HIPAA security.
Trust me on this – you don’t want to be cheap here.
You are going to share PHI – let’s just agree on it. That’s the whole reason why you are going down this path anyway. Think about this – you are going to share patient records or images. These go via the chat APIs and will need to be stored somewhere.
You have choices – you can store this in the cloud vendors’ storage offerings (e.g. Azure, AWS etc.) that are dirt cheap, or you can have your messaging vendor store these files for you (of course, HIPAA secure, BAA signed).
Take the easier route – if one vendor lets you limit your exposure, always choose that. It allows you to hold *someone* responsible (one throat to choke) and not get the runaround when things go wrong (and things will go wrong).
One thing you do need to keep in mind here is that if you have mobile apps (in all probability you are going to have them), make sure that the PHI media shared via your apps does not go into the camera roll, but is instead stored in a special, locked and encrypted folder on your users’ phones.
Hopefully your staff use Google business apps or Microsoft Outlook or some kind of authentication mechanism. I have come across many healthcare practices where not all staff actually use the company email; many of them are not given individual emails at all.
However, the one thing that does remain is that everyone on your staff will have their mobile phones.
To make things easier, you have a couple of options:
- Authenticate people using their work emails. In this case, you are going to need a single sign on mechanism so that your users just need to use their Google/Microsoft emails to sign in once and then use your application
- Authenticate people using their mobile phones. In this case, you are not going to have the single sign on headache
- Authenticate people using a typical sign up / login / reset password kind of mechanism
Finally, you can always make your platform invite-only. This at least takes care of one headache for you – spammy and fake users!
Now that you have authenticated your users, let’s talk about authorization.
Of course, there are several staff in your practice that need access to ALL of your EMR data so they should be authorized to access your EMR data and tie it into their usage of the communications platform.
But how about the rest of the users? Sure, they are authenticated and can use your platform, but are they authorized to take all actions on the platform? Are they allowed to access all patient records? Are they allowed to add other users to your practice’s communications platform?
Think through authentication and authorization very carefully.
Does everyone in your practice need access to patient data? Even for doctors – do they need access to records of patients that are not theirs?
You already know that your patients need access to only their own patient records, so they should not be authorized to access anything but their own medical records.
How about your partners? You know very well that while they have shared access to common patients, they should not be authorized to access the rest of the data in your EMR.
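To make the access rules in this section concrete, here is a deny-by-default authorization check written as an added example for this guide (it is not code from the original post or from any vendor named here). The role names, record fields and every identifier in the sample data are constructed for illustration; in a real platform the care team and referral relationships would come from your EMR/EPM.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Role(Enum):
    ADMIN = "admin"        # practice staff who legitimately need all EMR data
    PROVIDER = "provider"  # doctors: only the patients they treat
    STAFF = "staff"        # other staff: may use the platform, no blanket record access
    PATIENT = "patient"    # only their own record
    PARTNER = "partner"    # referring partner: only patients shared with them


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    practice_id: str  # practice that onboarded this user ("external" for partners)


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    practice_id: str
    care_team: frozenset    # user_ids of providers treating this patient
    shared_with: frozenset  # user_ids of partners this patient is shared with


def can_view_record(user: User, record: PatientRecord) -> bool:
    """Deny by default: return True only when an explicit rule grants access."""
    if user.role is Role.PARTNER:
        return user.user_id in record.shared_with
    # Everyone else must belong to the practice that owns the record.
    if user.practice_id != record.practice_id:
        return False
    if user.role is Role.ADMIN:
        return True
    if user.role is Role.PROVIDER:
        return user.user_id in record.care_team
    if user.role is Role.PATIENT:
        return user.user_id == record.patient_id
    return False  # Role.STAFF, or any role added later without an explicit rule


def can_invite_users(user: User) -> bool:
    """Only admins may add people to the practice's communications platform."""
    return user.role is Role.ADMIN


def visible_records(user: User, records: Iterable[PatientRecord]) -> list:
    """Filter a record set down to what this user is allowed to see."""
    return [r for r in records if can_view_record(user, r)]


def audit_entry(user: User, record: PatientRecord) -> dict:
    """One audit-log line per access decision (allowed or denied), with no PHI inside."""
    return {
        "user_id": user.user_id,
        "role": user.role.value,
        "patient_id": record.patient_id,
        "allowed": can_view_record(user, record),
    }


# Constructed sample data (hypothetical ids, not from the article).
USERS = {
    "admin": User("u-admin", Role.ADMIN, "practice-a"),
    "dr_lee": User("u-lee", Role.PROVIDER, "practice-a"),
    "dr_ng": User("u-ng", Role.PROVIDER, "practice-a"),
    "front_desk": User("u-desk", Role.STAFF, "practice-a"),
    "pat_1": User("p-1", Role.PATIENT, "practice-a"),
    "pat_2": User("p-2", Role.PATIENT, "practice-a"),
    "referrer": User("x-ref", Role.PARTNER, "external"),
}

RECORDS = [
    PatientRecord("p-1", "practice-a", frozenset({"u-lee"}), frozenset({"x-ref"})),
    PatientRecord("p-2", "practice-a", frozenset({"u-ng"}), frozenset()),
]


if __name__ == "__main__":
    for name, user in USERS.items():
        seen = [r.patient_id for r in visible_records(user, RECORDS)]
        print(f"{name:10} sees {seen}, may invite users: {can_invite_users(user)}")
```

The point of the structure is that a new role, or a role without a matching rule, sees nothing until someone deliberately grants it access, and every decision (including denials) produces an audit line you can hand to a compliance reviewer.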
You don’t actually have to create authentication and authorization mechanisms for this platform yourself, as there are several options here as well (listed below). One thing to keep in mind is that the more moving parts you include in your solution, the more headaches it introduces. But at the same time, these authentication and authorization platforms do a lot of the heavy lifting for you.
E.g. These platforms take care of:
- Passwordless registration
- Scaling up to meet higher demand/traffic
- Consistency in users’ experience
- Social profile enhancement
- User analytics
- Centralized management
- Multiple device management
- Unusual sign in attempts
- Security and compliance
- Multi factor authentication
- Device based policy control
- Attribute based policy control
- Many, many more headaches
Weigh your options based on the developer strength you have at this moment and also the total cost of ownership of your solution moving forward. You don’t want to have to deal with headaches just for your users to be able to sign in, sign up, etc.
There are some great options for vendors that will handle this for you
- AWS Cognito
- Ping Identity
- Many, many more
Real time notifications
You need to take this very seriously. In fact, we once launched a platform for a practice where the real time notifications (which really depend on Apple and Google) were not perfect, not consistent and not dependable. And we pretty much lost the interest of all our staff.
Staff need to be able to communicate in real time, while the patient is in front of them. They need to be able to reach a doc, their manager, the billing department or the insurance department – whatever have you. They need their answers in REAL TIME, not sometime later.
Take this very, very seriously.
Plus keep in mind that to be compliant with HIPAA security guidelines – you CANNOT share any PHI in push notifications without users explicitly consenting to taking FULL ownership of their own PHI and sharing the same via push notifications.
Yes, it is that big a deal. We are all used to seeing a preview of our messages on the locked screen via a push notification, but that’s not going to fly in a HIPAA secure messaging platform. You need to be super careful about this.
You can deal with Apple (APNS) and Google (FCM) directly from your platform OR you can offload this headache to vendors that handle push notifications for you. There are several vendors that come to mind including but not limited to:
- Amazon SNS
- Urban Airship
- Many, many more..
If you do decide to use a 3rd party vendor, make sure that they sign a BAA OR better yet, do NOT share any PHI via push notifications.. That way your vendor does NOT have any PHI that it can compromise.
Ability to integrate your EMR/EPM with the messaging platform
The first time we launched a communications platform for our practice, we did not tie it into our EMR/EPM. And this ended up killing us.
Our staff now had to manage yet another tool to communicate. They would get questions about a certain patient or a certain referral or a medication/prescription. But then they would have to open up the EMR to go find the information, somehow download it on their phone, and send that information to the person that was requesting it.
Keep in mind that there are various kinds of staff we have (and so do you). You have
- Staff that are always seeing patients, moving from room to room, and are always near the EMR
- Staff that are involved in practice management operations – not necessarily always in front of the EMR but are mobile within the practice
- Staff that are in marketing, out on the field and almost never near the EMR
- Staff that are dealing with practice management, not mobile, always having access to the EMR BUT are not on the EMR for their daily jobs (e.g. insurance verification, calling patients etc)
Staff that were on their mobile phones had the most demands – they could not open up EMRs from their phones and even if they did, they needed to be able to move information from one app to another.
Staff that were not mobile didn’t always have the EMR open nor did they have the communications platform always open – but they needed to be notified in real time for questions and needed to be able to respond with PHI information immediately.
Tie in your EPM/EMR to the messaging platform from day 1 – you will see a much higher adoption of your platform and will recoup your investment multi-fold.
You don’t have to necessarily build it all out yourself as there are some rock solid vendors that do this for you.
In the end, this really involves
- Building your EMR integration / interfaces (HL7 or otherwise)
- Standing up your EMR integration infrastructure in a HIPAA secure/compliant environment
A few include
- There are many, MANY more
However, do keep in mind that no matter what you do, you are going to have to ensure that your integration infrastructure is HIPAA secure.
So, if you are taking the route of your messaging vendor being in one place, your authentication vendor in another, and your integration in yet another place, think this through well.
Folks like Datica and Aptible give you a slam dunk easy way to manage your healthcare applications in a HIPAA secure environment. You could argue that AWS and Azure do this as well (more on this later), but these cloud vendors only give you a HIPAA eligible environment. Compliance is actually YOUR headache, not theirs – because they espouse the shared responsibility model.
The beautiful thing about Datica and RedoxEngine is that they both run their integrations on the well tested MIRTH engine. But they handle the integration infrastructure for you as well – in addition to managing the interfaces for you.
And if you have to pass compliance audits, well, guess what 🙂 That painful process is better outsourced to Aptible, Datica etc. rather than taken on by your staff. You don’t want to hire full-time compliance staff, do you?
Ability to communicate PHI information with folks that do NOT want to use your platform
This really killed us when we first launched a HIPAA secure communications platform for one of the practices we work with.
We could force our staff to use the platform – that wasn’t the problem. But partners outside our practice were not having it!
They didn’t want to have to open up yet another application each time they wanted to communicate with us.
Very soon, it became painfully obvious to us that we needed to fit our way of working into their workflows, not the other way around.
You need to do this as well.
Ability to integrate SMS, Whatsapp, real time messaging, fax and possibly email
Your patients SMS or whatsapp. Your providers and staff SMS or whatsapp. And each one complains about having too many channels of communications.
Patients seem to have no problem using SMS or WhatsApp. But most healthcare staff do NOT want to share their direct contact information. Neither do providers.
Staff and providers even resist calling patients using their cell phones. They either wait until they can dial from their desk phones at work (that shows the company caller ID) or dial using *67 to mask their caller ID/number.
It’s not that they don’t intend to help patients or partners – it’s just that the callees then mistake it to be an opportunity to call back or SMS back using that cell phone number at all times of the day.
Regardless of what you do, your users are going to have to integrate their personal lives with their work lives. They are going to continue using SMS and WhatsApp, but at the same time they are going to have to use your platform. So, instead of having multiple lines of communication, it is always best to let them integrate their lives by being able to send/receive SMS and WhatsApp from your platform.
When it comes to faxing – that’s a whole different ball game altogether. The healthcare industry is NEVER going to get rid of faxing and you would be a fool to try to make that happen. Instead, roll with it. Think of it as a necessary evil and a ubiquitous channel to communicate with partners (not necessarily patients).
You are going to need to integrate your fax server and fax APIs into your communication platform. Without this, you are still going to have loose ends that your users (staff, providers etc) are going to have to manage.
All you really need to do is to think of the fax channel almost like an email channel – faxes need to be responded to, archived/filed away, forwarded to someone to take action on, and managed, just like you manage your email, chats, SMS etc.
If you have that mindset, you are going to be just fine.
For each one of these channels, there are several vendors that do a splendid job of managing the headaches for you.
E.g. for SMS you have options (as long as you are not sending PHI):
- Many, many more
If you want to share PHI via SMS, you really need to have a simple trick up your sleeve.
Before you send any PHI, consider these
- If the patient initiates communication over email or text, according to the FAQs of HHS, you are good to go
- If the patient gives formal consent before any text or email exchange takes place, you are good to go (as long as you have it well documented/scanned/added to the patient record)
- If you don’t have any of the situations above and you want to initiate the SMS communication with the patient, first, send a consent request e.g. “Do you give us the permission to share your health information with you over SMS? As you probably know, SMS is not a very secure channel”. If the patient gives you consent – you are still OK to send/receive PHI via SMS
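The same rule governs two channels on this page: push notifications (no PHI in the preview unless the user explicitly consented) and SMS (PHI only after patient-initiated contact or documented consent, otherwise send the consent request first). The following is an added example for this guide, not code from the original post or from any push/SMS vendor, showing one way to gate outbound messages on recorded consent. The `Message`, `ConsentStore` and `Channel` types, the consent-evidence field and all sample ids and texts are assumptions constructed for illustration; the consent wording is the one quoted above.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    PUSH = "push"
    SMS = "sms"


@dataclass(frozen=True)
class Message:
    message_id: str     # opaque id the app uses to fetch the real content
    recipient_id: str
    body: str           # the actual text, which may contain PHI
    contains_phi: bool  # set by the platform when the message references patient data


@dataclass
class ConsentStore:
    """Consent evidence per recipient. In production this lives in the patient record."""
    consents: dict = field(default_factory=dict)   # recipient_id -> {Channel: evidence_ref}
    initiated: dict = field(default_factory=dict)  # recipient_id -> {Channel the person contacted us on}

    def record_consent(self, recipient_id: str, channel: Channel, evidence_ref: str) -> None:
        # evidence_ref points at the scanned form or logged reply filed in the record
        self.consents.setdefault(recipient_id, {})[channel] = evidence_ref

    def record_initiation(self, recipient_id: str, channel: Channel) -> None:
        self.initiated.setdefault(recipient_id, set()).add(channel)

    def phi_allowed(self, recipient_id: str, channel: Channel) -> bool:
        # Documented consent is per channel: SMS consent does not unlock push previews.
        if channel in self.consents.get(recipient_id, {}):
            return True
        # Patient-initiated contact counts for SMS (the HHS FAQ case above);
        # a lock-screen push preview never carries PHI without explicit consent.
        return channel is Channel.SMS and channel in self.initiated.get(recipient_id, set())


GENERIC_TEXT = "You have a new secure message. Open the app to read it."
CONSENT_REQUEST_TEXT = (
    "Do you give us the permission to share your health information with you over SMS? "
    "As you probably know, SMS is not a very secure channel. Reply YES to agree."
)


def render_payload(msg: Message, channel: Channel, store: ConsentStore) -> dict:
    """Build what the push/SMS vendor receives. When PHI is not permitted on the channel,
    only a generic prompt plus the opaque id goes out, so the vendor never holds PHI."""
    allowed = (not msg.contains_phi) or store.phi_allowed(msg.recipient_id, channel)
    return {
        "channel": channel.value,
        "to": msg.recipient_id,
        "message_id": msg.message_id,
        "text": msg.body if allowed else GENERIC_TEXT,
        "phi_included": allowed and msg.contains_phi,
    }


def next_sms_action(msg: Message, store: ConsentStore) -> str:
    """Decide the SMS step: send the content now, or request consent and hold the message."""
    if not msg.contains_phi or store.phi_allowed(msg.recipient_id, Channel.SMS):
        return "send"
    return "request_consent"


def handle_consent_reply(store: ConsentStore, recipient_id: str, reply: str, evidence_ref: str) -> bool:
    """Record a YES reply as documented SMS consent; anything else keeps the message held."""
    if reply.strip().upper() == "YES":
        store.record_consent(recipient_id, Channel.SMS, evidence_ref)
        return True
    return False


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample message; the body is fictional.
    lab = Message("m-1", "p-1", "Your lab results from Tuesday are ready to review.", True)
    print(next_sms_action(lab, store))                  # request_consent
    print(render_payload(lab, Channel.PUSH, store))     # generic text, no PHI
    handle_consent_reply(store, "p-1", "YES", "note-2024-01")
    print(next_sms_action(lab, store))                  # send
    print(render_payload(lab, Channel.PUSH, store))     # push still generic: no push consent
```

Keeping the outbound payload to a generic prompt plus an opaque message id also answers the vendor question raised under notifications: if the push or SMS provider never receives PHI, there is nothing of the patient’s for it to compromise, whether or not it signs a BAA.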
For WhatsApp, you can easily use their business APIs (they have opened up their business API platform). The challenge is that you are going to have to manage the infrastructure yourself, so, as usual, we recommend leaning on 3rd party vendors who do this for you. There’s a long list of such Facebook partners (50 as of writing) that would do this for you. The list includes but is not limited to:
- Many more..
Go for simplicity – you don’t have to take on this headache. Outsource this to a vendor, but keep in mind that you are introducing yet another vendor to manage.
Try to consolidate vendors if possible. E.g. You could use Twilio for SMS and WhatsApp.
In general faxing is considered to be HIPAA secure and that’s why it is ubiquitous, however, the minute you outsource your “physical” faxing headaches to a vendor (cloud solution), you are going to have to worry about HIPAA compliance again.. Because the faxes you send/receive will be stored in your vendor’s cloud. For HIPAA secure faxing you have many, many options as well.
- Many, many more
In general, if you can truly integrate SMS, WhatsApp and fax into one vendor, that’s ideal for you: fewer moving parts to manage and fewer headaches (the lesser of the evils).
Aculab, for example, allows you to send SMS, Fax, do voice calls all in one platform – try to leverage a vendor like that.
Ability to do audio/VOIP or video calling if you need it
You are going to need this as soon as your stakeholders start using your platform. We saw the same in our own experience as well.
We didn’t think this was really needed at the beginning, but we noticed that typing only takes you so far. People tend to want to pick up the phone between their colleagues / partners and resolve an issue or address a concern. They don’t want to have to ask the person for their contact info, then open up the phone app and dial out. They want to be able to call a person without having to share their personal contact info.
Only in certain cases we found video calling to be important – that was specifically for telemedicine purposes and also for relationship building with our practice’s remote teams.
Keep in mind that this is yet another headache that you SHOULD outsource to a vendor. Maintaining video and audio gateways is yet another nightmare, and dealing with WebRTC and websockets is not for the faint of heart either.
There are several vendors offering audio and video solutions. Just make sure that you choose a HIPAA compliant one.
For video solutions, a vendor typically uses STUN/TURN servers and sometimes uses a store and forward mechanism as well. Make sure that if the vendor is using any store and forward, it also agrees to sign a BAA.
If the vendor does not store anything, then you are OK because this complies with HHS’ conduit definition… and conduits do NOT have to sign BAAs.
For VOIP solutions, there are many vendors as well. Typically, the ones that support SMS texting (above) also support / provide VOIP solutions.
Do keep in mind that bandwidth.com is typically the underlying carrier of VOIP for most other providers – boasting clients like Skype, AWS Connect, Google Hangouts etc.
For Video solutions, look to providers like the following (again, not an exhaustive list)
- MANY more
What you have to keep in mind with the video platforms is that some of them force the user to download a separate app of their own. Try to avoid that, as it is not a seamless user experience and folks typically abandon it soon enough.
We knew that sooner or later, we were going to have to consider chat bots. The problem is that these days everyone is always ON and always connected. Our clients’ practices get pinged via Facebook and their websites for questions and appointment scheduling/rescheduling/cancellations at all times of the day (yes, even late at night).
You are never going to have the wherewithal to afford a 24×7 staff. Even if you do, you are not going to be able to solve all problems 24×7. That’s where you are going to need to employ chat bots.
In fact, chatbots help you reduce the phone calls to a great extent as well. They are the first line of interaction that our partners and patients face that help them either answer their own queries or be directed to the right person in our clients’ practices.
As you already know (and you have probably used many chatbots yourself already), chatbots are essentially text-based chatting/messaging and are subject to the same HIPAA regulations. You cannot share any PHI over a chatbot unless the patient consents to it.
There are many vendors that provide chatbot APIs, so you don’t necessarily have to build anything from scratch. Take these for example:
- Rasa NLU
- MANY more..
As you start with chatbots (and if you are really good at mastering this channel to reduce the number of support calls your staff have to handle), you will probably start trying to make your chatbot a bit smarter – one that predicts where the conversation is going. That’s where some of the prominent AI services companies come into play. I doubt you are going that far, but if you do get your chatbots to reduce your customer support calls, you probably want to consider the best, like:
- IBM Watson
Regardless of what you do, do keep in mind that all these need to be tied into your EMR to really provide value. Without that, it’s a bust.
Hopefully this has been of some help to you. Reach out if you need anything.