HIPAA-Compliant Sharing Solutions for Physical Therapists


With the right tools, you can use text messages, emails, and cloud-based file-sharing services to help you share and manage patient information—without violating privacy regulations.

By Asaf Cidon

Physical therapists today have more ways than ever to communicate with colleagues, other health care providers, and patients.

Consider a hypothetical case that happens all the time: A patient’s regular physical therapist cannot make an appointment, so the therapist text messages her colleague some details about the patient’s case, including a list of his medications. This colleague makes progress notes on her iPad during the session, and the document is automatically backed up to a file-sharing service the physical therapists use to store patient files and other information. When she returns to work, the regular therapist reviews the notes on her laptop, and then emails them to the patient’s primary care provider.

The possibility of a data breach is particularly troubling for smaller practices that all too often ignore security—thinking that their practice is unlikely to be audited. But they do so at their own peril. Any medical professional who stores or transmits patient information online must comply with HIPAA security rules or face steep fines. Even a single lost client record can expose providers to liability.

Here are a few tips to keep in mind for each way you might share Protected Health Information (PHI).

Secure Text Messaging

Secure text messaging will not help you store and manage large numbers of patient files, but it is a must-have if you use texting to communicate about patient care.

  • User experience. Do not skimp on the user experience. The best secure text messaging apps replicate the texting experience.
  • Message storage. In order to mitigate the risk of a breach, ensure that your provider stores messages on its servers—not your phone. Look for solutions that encrypt data at rest and in transit to minimize risks associated with hacking. Because the PHI-laden messages are not stored on the therapists’ phones themselves, a lost or stolen phone would not result in a data breach—or a violation. You should be able to set preferences for messages to be automatically deleted either after a set time period or once they have been read.
  • Control forwarding. For text messages to be truly secure, messages should not be saved, copied, or forwarded to other recipients, in order to prevent sensitive content from being viewed by anyone except the intended recipient.
  • Audit. The fact that messages are not stored on your phone might seem to complicate audit functions, but if your provider makes usage data and monitoring information easily available to administrators, you will preserve compliance with HIPAA’s audit rules.

Secure Email

Email remains an extremely helpful tool for quickly sharing files, but ordinary email is not secure. Encrypting your email, however, enables HIPAA compliance and ensures that only authorized users are able to open and read your messages.

  • Identity validation. Find a provider that validates the recipient’s identity. Common approaches include requiring recipients to answer a secret question or otherwise verify their identity.
  • Audit. Seek out tools that provide the option of tracking and logging emails, which is necessary for auditing purposes.
  • Mobile. Because lost or stolen mobile devices pose such a big HIPAA breach threat, it is essential to use an encrypted email provider that also works on mobile devices—key for therapists working on the go.
  • Sender support. One of your biggest email threats lies in emails sent by patients. If your encrypted email setup is too onerous, patients are far less likely to use it. Many email encryption programs do not make it easy for non-users to collaborate. That’s where cloud-based file encryption can come in handy, because it can allow patients to send encrypted files securely to you without requiring downloads or setup.
  • Message storage. Many email encryption products do not securely store and back up all files in a centralized way. This can pose problems down the line with record retention, so ask your provider how you can obtain an audit trail.

End-to-end Encryption

Cloud-based file sync and share programs make it extremely simple to store files, exchange them with other health care professionals and patients, and sync them across computers and mobile devices. When a provider makes changes to a file from a tablet, for instance, a cloud-based file-sharing program will store and show the changes when the file is opened again from the provider’s laptop or desktop.

  • Encryption. Most cloud providers encrypt data at rest and in transit, but the real key is finding solutions that encrypt on the device, before files leave it; otherwise, file synchronization poses a tangible risk of a HIPAA breach. Protecting your files in the cloud with file-level end-to-end encryption adds that additional layer of protection that ensures the file is always encrypted, regardless of its location, turning the cloud into a HIPAA-compliant safe haven.
  • Easy sharing. One of the nice features of cloud sync and share programs is that shared folders make it easy to exchange information with frequent collaborators. The ability to sync across different devices and share files externally makes cloud-based file-sharing ideal for managing patient files at a clinic that contracts with multiple physical therapists, or at a practice that frequently interacts with external organizations. But it is essential to find a security provider that preserves encryption while sharing data.
  • Seamless security. Bear in mind that encryption solutions, like everything else, should preserve the user experience that makes the cloud so convenient. Otherwise, therapists and others will not use them, exposing you to potential violations.
  • Separate data from keys. Ideally, you should seek out a security provider that is independent from your storage provider. This way, the encryption keys are kept entirely separate from the content, which means that neither your encryption provider nor your cloud storage provider can access your files. This assures that only you and the users you authorize are able to retrieve and work with encrypted data.

As we have outlined, employing these safeguards can help health care providers take the necessary precautions to keep patient records safe and meet HIPAA security requirements—and even boost productivity.

Asaf Cidon is the chief executive officer and cofounder of Sookasa. He can be reached at asaf@sookasa.com.

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.
