It's not OK for your practice to use free cloud-based chat
The relaxation of enforcement policies that allowed healthcare businesses to function without fear of fines is coming to an end. Now that patients are allowed to visit providers again and we're no longer in an emergency situation, there's not an allowable excuse for a security breach or a privacy violation.
You may begin to defend the use of cloud-based messaging in your office by explaining that you never share protected health information (PHI) on the platform. Or you may feel assured that other security measures in place to protect you from malware are adequate. Maybe your justification is that the regulations only apply to large organizations and not small practices. However, with all of the cloud-based systems available for team collaboration, you can be sure that there is one rule that is hard and fast when it comes to using communication tools in healthcare:
Only Paid Versions are HIPAA compliant.
Why? Because free versions do not include something called a Business Associate Agreement (BAA). This signed BAA is what is required in order for cloud-based systems to be HIPAA compliant. Your hope is that you’ll never need to undergo an audit, but if one becomes necessary, this is the safeguard that lets you prove that a program such as Slack, Skype, Google Chat, or Microsoft Teams was not the source of the privacy breach. Here’s the bottom line: even if you’ve never shared sensitive patient information on any platform, it doesn’t matter if you can’t prove it!
And that right there is the heart of the matter. While you may think this threat is merely a sales pitch, remember, data has value, and there are those out there who seek it out in order to further enrich themselves. We all have an obligation to follow the recommendations set for us professionally. After all, we're all patients, too. As patients, we want to believe that the practices we visit are managing all of their privacy matters correctly. If policies aren't being followed with something simple like communications, it calls into question whether or not the organization has more serious management issues that could directly affect the care we receive.
While this is not a comprehensive list, these are the most common communication platforms that healthcare practices may consider when they are looking for a way to collaborate with their team members, along with the most current pricing that an organization should expect to pay in order to safely utilize the software anywhere in their business.
You can easily see that using one of these options starts to get expensive very quickly. Since you're going to have to pay, it may be best to spend less money on programs that are optimized for healthcare. Many people realize that cost is only one concern: none of these platforms even does a good job of getting the right person’s attention at the right time, especially for clinicians on the move. Making do with the programs above means that you end up paying for things that most team members aren’t even using, like Microsoft Word, or screen sharing, or video conferencing.
In case there's any confusion, here’s a direct answer for each of the free versions of these platforms.
Is Slack HIPAA compliant? No.
Is Microsoft Teams HIPAA compliant? No.
Is WhatsApp HIPAA compliant? Never.
Is Skype HIPAA compliant? No.
Is Google Chat HIPAA compliant? No.
Is Zoom HIPAA compliant? No.
You can become HIPAA compliant in the use of five out of six of these applications, but only once you’ve paid a subscription fee per user, removed any non-compliant third-party integrations (so many rules!), and received a signed business associate agreement.
Since you're going to have to pay any way it goes, your next step is to do a Google search for secure intraoffice messaging. Or sleuth around here a bit more and see if our fully HIPAA compliant software communicator is low-cost and useful enough to consider adding it to your practice.