HIPAA

DataMotion™ Achieves Full DirectTrust™ HISP Re-Accreditation

Team DataMotion

Accreditation ensures compliance with DirectTrust HISP Policy requirements and interoperability with conforming HISPs

WASHINGTON, DC and Florham Park, NJ, January 20, 2020 – DataMotion today announced it has achieved full re-accreditation through the DirectTrust™ Accreditation Program for Health Information Service Providers (HISPs). DirectTrust is a non-profit healthcare industry alliance created to support secure, identity-verified electronic exchanges of protected health information (PHI) between provider organizations, and between providers and patients, for the purpose of improved coordination of care.

Founded in 1999, DataMotion today has millions of desktop, tablet and mobile users that leverage its mature, cloud-based secure data exchange platform and services, many for health care applications. In the fall of 2012, the company expanded operations as a HISP and introduced DataMotion Direct. The company achieved its first EHNAC HISP accreditation in 2013, and added the CA and RA accreditation in 2014. Today’s announcement signifies the DirectTrust HISP accreditation renewal, and an ongoing commitment to the increasing adoption and expansion of the Direct Secure Messaging network.

DataMotion’s HISP services and software were audited against a series of technical, physical and operational criteria and found to be fully compliant with the Direct Standard™ and the requirements of the DirectTrust Security and Trust Framework.

“DirectTrust HISP accreditation certifies that an organization has established and upheld a superior level of trust for its stakeholders, which is a significant distinction. Kudos to DataMotion’s commitment to maintaining the highest standards in privacy, security and confidentiality,” said DirectTrust President and CEO, Scott Stuewe.

“Renewal of our accreditation with DirectTrust demonstrates our commitment to secure, interoperable clinical health information exchange across the care continuum using Direct Secure Messaging,” said DataMotion co-founder and CEO Bob Janacek. “Leveraging our population-scale cybersecurity platform as a service (PaaS), DataMotion Direct allows mHealth apps to aggregate and analyze longitudinal data from disparate ambulatory and acute systems, reduce costs and improve clinical outcomes.”

About DirectTrust Accreditation Program for Health Information Service Providers

The DirectTrust Accreditation Program recognizes excellence in health data processing and transactions, and ensures compliance with industry-established standards, HIPAA regulations and the Direct Standard. Launched in March 2010 as a part of the Nationwide Health Information Network, the Direct Project was created to specify a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet. Today DirectTrust is an American National Standards Institute accredited Standards body and the custodian of the Direct Standard.

DirectTrust participating organizations are evaluated in the areas of privacy, security and confidentiality; technical performance; business practices and organizational resources as they relate to participants in the DirectTrust network and other Direct Secure Messaging participants. Additionally, their process of managing and transferring protected health information is assessed and determined to meet or exceed all DirectTrust criteria and industry standards. Successful completion of the Accreditation Program demonstrates organizations’ adherence to strict standards and participation in the comprehensive, objective evaluation of their business.

About DirectTrust

DirectTrust is a non-profit, vendor-neutral alliance initially created by and for participants in the Direct community, including Health Information Service Providers (HISPs), Certificate Authorities (CAs), Registration Authorities (RAs), doctors, consumers/patients, and vendors. DirectTrust serves as a forum for governance, and accreditation body for persons and entities engaged in exchange utilizing the Direct Standard™, supported by DirectTrust’s robust security and trust framework. The goal of DirectTrust is to develop, promote, and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct Secure Messaging community. DirectTrust is committed to fostering widespread public confidence in the interoperable exchange of health information. To learn more, visit www.directtrust.org.

Media Contact:
Ed Emerman
Eagle Public Relations
609.275.5162
eemerman@eaglepr.com

About DataMotion

Since 1999, DataMotion secure data exchange technology has enabled organizations of all sizes to reduce the cost and complexity of delivering electronic information to employees, customers and partners in a secure and compliant way. Ideal for highly regulated industries, the DataMotion portfolio offers easy-to-use, CX friendly, encryption solutions for email, file transfer, forms processing and customer-initiated contact. In the healthcare sector, DataMotion is an accredited HISP (health information service provider), Certificate Authority (CA) and Registration Authority (RA) of Direct Secure Messaging. The DataMotion Direct service enables efficient interoperability and sharing of a person’s data across the continuum of care and their broader lives. DataMotion is privately held and based in Florham Park, N.J. For the latest news and updates, visit https://datamotion.com/, follow DataMotion on LinkedIn or Twitter® @datamotion.

Contact:
Monica Hutton
Marketing Director
DataMotion
973-455-1245
monicah@datamotion.com

# # #

The Myths and Meaning of HIPAA

Andy Nieto

When I was a child, the threat “just wait ‘til your father gets home” was enough to make me change my attitude. I wasn’t punished much as a child, and time with my father was far happier and more positive than not, but that phrase still resonated. For many, the Health Insurance Portability and Accountability Act (HIPAA) works in much the same way as that threat.

HIPAA often inspires doom, gloom and fear. Because of that, it can lead to unintended expectations and behaviors regarding patient information, making effective care coordination a challenge. In reality, HIPAA gives us guidance about the protection of information, and it is a very real threat only if you ignore it. It’s not all doom and gloom.

Can vs. Can't

First, let’s look at what you can do with patient medical data under HIPAA. You can:

  • Connect
  • Share
  • Cooperate
  • Consult
  • Question
  • Exchange
  • Communicate
  • Treat

That’s a significant list and it’s all about coordination.

Now let’s compare that to what you can’t do with this same information under HIPAA. You can’t:

  • Ignore
  • Distribute
  • Expose
  • Publish

It’s easy to see how this can be confusing. The security and privacy standards defined by HIPAA, combined with the expanded responsibilities under the Omnibus Rule, have created layers of bureaucracy, and whole industries have sprung up to “explain” what it all means.

Stewardship

So, let’s step back for a minute and look at what HIPAA is really supposed to be about, which to me, is stewardship. Stewardship is the responsible overseeing and protection of something considered worth caring for and preserving. On the official Federal site, it says that the HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information.”

Stewardship implies a personal ownership and responsibility. The word “ethic” implies that very high personal and professional standards should be applied to the responsible management and protection of a patient’s information. It is really about taking care of the health information entrusted to you.

Perhaps the biggest shift in mindset for physicians in the last several years has been the emergence of patient health information as a valuable component of their practice, to be treated accordingly. Let me use an analogy and compare money to information. As a person, you don’t carelessly give away your money or leave it lying around. You don’t share your financial account logins with strangers, and you certainly wouldn’t want your financial records released, exposed or published. As part of our upbringing, from our initial allowance to our first job to our careers today, we have been learning about money, its value, and the steps we should take to protect it. Being good stewards of money is a role we recognize and understand. Patient health information should be viewed in the same way.

Medical records are filled with personal data, otherwise known as protected health information (PHI). Once we make the connection that information or data has value and must be treated like money, the standards for HIPAA stop being cumbersome and start being understandable.

Can and Can't Revisited

So, with good stewardship in mind, let’s go back to the “can I” or “can’t I” question and ask yourself the following:

  • Can I connect with another person about a patient? Yes, just make sure that your method of connection is safe and that you have a valid reason for doing so.
  • Can I share a patient’s record with another provider? Absolutely, provided you take steps to ensure the information is protected.
  • Can I cooperate and consult on patients? Of course, but do so in a manner that maintains a patient’s privacy and the protection of the data.

There are a lot of myths around HIPAA, and while the “letter of the law” can be confusing at times, “the spirit” and meaning are clear. HIPAA really does not need to be confusing. Be a good steward of the information in your practice of medicine, and you’ll be a long way down the path of complying with HIPAA regulations.

HIPAA Compliance in the Age of Population Health Management

Team DataMotion

Population health management (PHM) is the improvement of the health outcomes of a group of patients with similar characteristics. One example of a population in this context is patients suffering from the same chronic condition. The care of patients in this group may be managed similarly, often involving the same treatments, tests, procedures and other forms of care.

The treatment of chronic conditions typically involves multiple parties, from a primary care physician to multiple specialists and of course the patient. This, in turn, requires frequent communications between the parties.

Electronic health records (EHR) systems were intended to facilitate these communications but have some shortcomings. And maintaining Health Insurance Portability and Accountability Act (HIPAA) compliance is a key challenge. This article looks at how organizations can use Direct Secure Messaging to overcome the technical and regulatory challenges of a Population Health Management communication scenario.

The Importance of HIPAA Compliance in Healthcare

HIPAA compliance is a cornerstone of healthcare operations. It’s a critical safeguard for patients’ sensitive health information. Compliance ensures that healthcare organizations maintain the confidentiality and integrity of patient data, promoting trust and accountability in the industry. In the age of population health management — where data sharing and analysis are essential for improving healthcare delivery — HIPAA compliance becomes even more vital.

Understanding the HIPAA Compliance Rule

The HIPAA compliance rule governs how healthcare organizations handle protected health information (PHI), including how PHI is collected, stored, transmitted and used. It establishes guidelines for healthcare entities to protect patient privacy and data security.

HIPAA applies to various healthcare entities, including hospitals, clinics, insurance providers and business associates. It covers healthcare professionals and organizations handling PHI, helping to secure your data. Essentially, it means doctors can share patient information with other doctors to help treat you, but they cannot share it with your neighbor.

The compliance rule mandates strict safeguards for PHI, including administrative, physical and technical measures. These safeguards are designed to prevent unauthorized access, data breaches and other security threats.

Addressing the Three Key Elements of HIPAA Compliance

To achieve HIPAA compliance, healthcare organizations must focus on three key elements:

  1. Administrative: Administrative safeguards involve establishing policies and procedures for protecting PHI. They include workforce training, risk assessments and designating a security officer responsible for compliance. Effective administrative safeguards ensure responsible data handling and HIPAA compliance.
  2. Physical: These measures relate to protecting the physical infrastructure where PHI is stored. This includes access controls, facility security plans and device encryption. With the expansion of EHR and data centers, physical safeguards are essential to prevent unauthorized PHI access.
  3. Technical: Technical safeguards focus on the technological aspects of data security. They cover measures like access controls, encryption and audit trails. Robust technical safeguards are essential for protecting PHI during transmission and storage.

Population Health Management and HIPAA Compliance

Population health management has emerged as a pivotal approach to enhancing patient outcomes and healthcare quality. While the benefits of PHM are evident, it must operate within a framework of strict data privacy and security standards outlined by HIPAA.

Decoding the Main Components of a Population Health Model

Population health models allow healthcare entities to review healthcare data for a population. With this data, they can look for healthcare needs and develop strategies for addressing them. A population health model consists of five main components:

  1. Health assessment and analysis: This component involves collecting and analyzing health data from various sources, including EHRs, claims data and patient-reported information. These insights drive healthcare strategies and interventions. In the context of HIPAA compliance, it’s critical to ensure the collection and analysis of patient data follows privacy and security standards.
  2. Care coordination and intervention: Once health status is assessed, the next step is coordinating care and implementing interventions. This involves collaborating among healthcare providers, care teams and community organizations. HIPAA compliance is critical here, as the sharing of patient information among stakeholders must be managed carefully to protect patient privacy.
  3. Outcome measurement and continuous improvement: The ultimate goal of population health management is to improve health outcomes. Regularly measuring and assessing the impact of interventions is key. This component relies on data analytics and performance measurement. Health information management professionals ensure the data is accurate, complete and accessible while following HIPAA regulations.
  4. Health promotion and disease prevention: Healthcare organizations must ensure that any communication or educational materials promoting health are HIPAA-compliant and do not disclose PHI without the patient’s consent.
  5. Social determinant of health: Organizations collecting data on socioeconomic factors for addressing social determinants of health must protect sensitive information in compliance with HIPAA.

Achieving Successful Population Health Management

With a population health model, healthcare organizations can work to achieve better results for their patients. While population health models are essential, successful PHM hinges on the following:

  • Data integration and analytics: Health management needs a comprehensive and integrated data infrastructure. This infrastructure should enable healthcare organizations to aggregate data from various sources and perform advanced analytics to identify trends and opportunities for improvement.
  • Patient communication: Engaging patients is central to success. Effective patient communication, including the exchange of health information, enables informed decision-making and patient empowerment. Under HIPAA, healthcare providers must ensure secure and compliant communication channels to protect patient privacy.
  • Community partnerships: Collaborating with community organizations, public health agencies and social services is crucial to addressing the social determinants of health. HIPAA compliance extends to these partnerships, necessitating secure data-sharing agreements and risk assessments.

Leveraging Technology for HIPAA Compliance

Technology is pivotal in ensuring patient data privacy and security in today’s digital age, but combining technology with HIPAA compliance can be tricky without the right software. Effective, secure communication among healthcare professionals is essential for timely and accurate patient care. However, this communication must occur within HIPAA regulations to protect sensitive patient information. Secure digital exchange platforms like DataMotion Direct offer a solution by providing a HIPAA-compliant messaging platform.

Role of Secure Digital Exchange Platforms in Achieving HIPAA Compliance

The ideal solution is Direct Secure Messaging (“Direct”) from DataMotion. Direct is a secure email-like communications channel that enables providers to communicate with each other – as well as with patients and other caregivers – in a secure, HIPAA-compliant way. All messages are encrypted and require authentication to send and receive.

Importantly, Direct is an enhancement to EHRs, not a replacement. Providers can access Direct from within most popular EHRs.

On the provider side, Direct helps improve patient outcomes in a PHM environment by facilitating the exchange of patient medical records in a standardized manner. This includes formatted and unformatted data, as well as large files such as radiologic studies and diagnostic images. Direct enables better coordination of care. It also reduces errors and delays over conventional means of information exchange; for instance, delays when records are sent by courier, and mistakes due to the illegibility of handwritten notes.

On the patient side, Direct gets patients engaged in the management of their condition, which boosts outcomes. Patients can, for example, provide timely feedback on how well treatments are working, allowing providers to make adjustments accordingly without a delay for the patient to make an appointment with the provider. Patients can report new symptoms, complications or other issues to the provider immediately, thereby potentially avoiding life-threatening situations. And providers can ensure that patients refilled prescriptions when scheduled, or remind patients of upcoming office visits or tests to take.

Managing healthcare is increasingly a team effort. Frequent, accurate communication between the team members – including the patient – is paramount to achieving good outcomes. Direct offers an effective enhancement to EHRs that can help care providers deliver better patient outcomes while complying fully with HIPAA rules for privacy and security.

Redefining Communication in Healthcare: The Intersection of HIPAA and Digital Collaboration

Healthcare communication’s transformation through modern tech is revolutionizing how healthcare is delivered. This digital transformation enhances efficiency and aids in HIPAA compliance. DataMotion is at the forefront of this change, empowering health care organizations to embrace secure and compliant digital collaboration.

The importance of communication in public health is undeniable. By facilitating the secure exchange of patient data and clinical information, DataMotion contributes to better patient outcomes while ensuring the protection of their sensitive health information. As healthcare continues to evolve, the intersection of HIPAA and digital collaboration becomes increasingly important. Forward-thinking solutions like DataMotion Direct pave the way for a more connected and secure healthcare ecosystem.

Facing the Challenges of HIPAA Compliance in Large-Scale Healthcare Solutions

Large-scale solutions are pivotal for improving patient care and health outcomes. However, these innovations come with a unique set of challenges, particularly in the context of maintaining HIPAA compliance. Understanding the technical and regulatory challenges faced in PHM communication and current solutions to these challenges is instrumental in overcoming these obstacles.

The Challenge of Managing Chronic Conditions

Chronic conditions are complex to manage. They typically involve multiple syndromes, symptoms, tests and treatments. They require multiple specialists to manage effectively, as well as a high degree of patient diligence.

Diabetes is a good example. It cannot be cured, only managed for the remainder of the patient’s life. As with most complex chronic conditions, managing diabetes involves regular visits with specialists to ensure that things don’t get worse. Managing a patient’s glucose level is always the short-term concern, but left unmanaged, diabetes can result in catastrophic outcomes such as the loss of a patient’s feet or eyes, or kidney or heart damage.

In addition to the patient’s primary care physician, medical professionals involved in the management of diabetes could include nurse educators, endocrinologists, ophthalmologists, cardiologists, dietitians, podiatrists, exercise physiologists, dentists and others. The coordination of care between so many providers — and with the patient — is essential.

Addressing Technical and Regulatory Challenges in Population Health Management Communication

Part of the promise of EHR systems was that they would facilitate the level of information exchange between healthcare providers that is necessary for coordinating the care of patients. To do that, the HL7 data standard emerged to ensure that the hundreds of EHR products in the market could “talk to” each other. Unfortunately, different EHR vendors interpret the HL7 standard differently, resulting in incompatible data formats. This, in turn, causes missing or inaccurate patient records.

In addition, some EHR vendors employ a proprietary data format that effectively blocks information exchange with EHRs from other vendors. And, some vendors charge providers to enable their systems to interoperate with others.

These constraints make it harder to manage patient care across providers, rendering the ultimate goal of PHM – better patient outcomes – harder to reach. The alternative for information exchange – provider-to-provider email, postal mail or faxes, can result in HIPAA violations (and are slow and unreliable).

Another challenge is that EHRs were designed to facilitate provider-to-provider care. But for PHM, the patient plays a pivotal role in achieving good outcomes. So, too, can family members or other caregivers, such as home health agencies, that might not have access to an EHR.

HIPAA compliance in the context of PHM introduces specific challenges that healthcare organizations must address to effectively manage patient data. Here are key challenges related to HIPAA compliance in PHM:

  • Data aggregation and integration: Pulling PHI from EHRs, claims data and patient-reported sources into one data set means the administrative, physical and technical safeguards (access controls, encryption, audit trails) must follow the data into the aggregated store rather than stop at the source systems.
  • Consent and patient engagement: Obtaining patient consent for data sharing and engagement in population health programs, while complying with HIPAA, requires clear communication and consent management strategies.
  • De-identification and anonymization: It is crucial to de-identify or anonymize patient information before aggregating and analyzing data for population health to protect privacy.
  • Data sharing for research: Collaborative PHM research often requires complying with HIPAA regulations for data sharing and patient consent, adding complexity.

Electronic communication is by far the easiest, most efficient, most reliable and most accountable means of communication between providers and patients. But standard email isn’t a viable option under HIPAA because the identity of the recipient — the reader of the email — cannot be validated. And, regular email is no more secure than sending a postcard with sensitive patient information written on it for all to see, which again presents HIPAA compliance issues. Moreover, regular email lacks documentation and audit trails that all parties involved in the patient’s care can access.

How DataMotion Can Help with These Challenges

Direct offers a secure messaging solution for these challenges. It provides a safe and compliant platform for healthcare professionals to exchange sensitive patient information, ensuring data is protected throughout communication. Using encryption and access controls, Direct helps healthcare organizations share patient data securely while meeting HIPAA requirements. With Direct care coordination, patients can receive better care without information falling through the gaps in healthcare organizations.

HIPAA Compliance and the Nationwide Exchange of Clinical Endpoints

The value of Direct Secure Messaging in large-scale healthcare solutions cannot be overstated. Efficient and secure communication among healthcare providers and organizations is the backbone of effective PHM. DataMotion Direct excels by offering a nationwide exchange network with access to over 2.5 million clinical endpoints.

This extensive network facilitates the secure exchange of clinical information across geographic regions and diverse healthcare entities. Whether it’s sharing patient records, test results or treatment plans, DataMotion Direct ensures sensitive data remains confidential and HIPAA compliant throughout its journey.

Choose DataMotion to Secure Your Healthcare Communication

Large-scale healthcare solutions are transforming how we deliver and manage healthcare. However, with these innovations come significant challenges related to HIPAA compliance and secure communication. DataMotion Direct is a reliable solution, enabling your organization to navigate these challenges effectively.

DataMotion is an accredited Health Information Service Provider (HISP), provisioning Direct services that are fully interoperable with other HISPs. Secure data delivery has been the core of DataMotion’s business since 1999, ensuring your ability to meet HIPAA compliance and Meaningful Use requirements.

By providing secure messaging capabilities and a nationwide network of clinical endpoints, we empower healthcare providers to deliver better patient care while safeguarding the privacy of patient data. If you’re interested in partnering with DataMotion or you want to learn more about our services, contact us online today!

Updated November 1, 2023

Best Practices: HIPAA Email Compliance – Patient Records

Team DataMotion

With new HIPAA regulations, patients can have even more access to their medical records. With many patients wanting to receive their information by email, does your organization know the best practices for emailing patient records in compliance with HIPAA?

In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patients’ rights with respect to requesting their medical records from their care providers:

  • Request full medical records from all HIPAA-covered entities, e.g.
    • labs, imaging and surgery centers
    • insurance plans, hospitals, pharmacies, and physicians
  • HIPAA covered entities have 30 days to respond
  • Provide in the format requested by the consumer
    • Electronic format
    • Specific messaging format

See 45 CFR § 164.524; the HHS guidance is available at http://www.hhs.gov/hipaa/for-professionals/privacy

The department of Health and Human Services has generated some educational videos for consumers (patients) – instructing them of their rights, and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.

As a secure messaging company, we felt some initial dismay at the videos and written guidance HHS provides patients:

“…covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?

I turned to our CMO, Dr. Peter Tippett for some guidance and perspective. What’s the best practice for a physician’s office to be in compliance with HIPAA when emailing medical records to a patient?

His response – so practical, and sensible:

Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.

  1. Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail. Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
  2. Covered entities will worry because they will be sued anyway if a patient, for example, agrees to receive blood test results one week and, a few months or years later, gets sent something truly private which is exposed because it was regular email.
  3. Most patients will not answer the question at all as to whether or not it would be OK, after a warning, to send the message via regular email, which could lead to errors, a hard stop in the workflow, and the risk of not meeting the 30-day delivery window.
  4. The fact that at least some patients will want the message sent securely will require all covered entities to have a solution.

Given that email is such a convenient way to exchange files, and that email encryption solutions such as DataMotion SecureMail are so affordable and easy for senders and recipients to use, this new HIPAA measure is another driver for adoption by covered entities. SecureMail also handles files up to 2GB, perfect for diagnostic images. It’s a small price to pay for HIPAA email compliance (and happy patients)!
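The “how do you track that?” question above has a concrete answer: a consent record that is tied to one specific records request, that cannot predate the warning it relies on, that goes stale, and a channel decision that defaults to secure messaging and is logged every time. The following is an added example, not DataMotion’s or HHS’s code; the class and field names, the 30-day freshness window, the constructed timeline and the in-memory store are all assumptions made for illustration.

```python
"""Consent-scoped channel selection when emailing records to a patient.

Added example; not DataMotion's or HHS's code. It encodes the HHS guidance
quoted above: PHI leaves by secure messaging unless the patient was warned of
the risk of unencrypted email and explicitly accepted it, and the consent is
tied to one specific request so that last month's "OK for blood results" is
never reused for a later, more sensitive release. Names, the 30-day freshness
window and the in-memory store are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SECURE = "secure_messaging"
PLAIN = "unencrypted_email"

T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def at(days: float) -> datetime:
    """Offset helper for the constructed timeline."""
    return T0 + timedelta(days=days)


@dataclass(frozen=True)
class UnencryptedConsent:
    patient_id: str
    request_id: str        # the one records request this consent covers
    warned_at: datetime    # when the security-risk warning was shown
    accepted_at: datetime  # when the patient explicitly accepted the risk
    warning_version: str   # identifies the exact warning wording shown


@dataclass
class ConsentLedger:
    """Append-only consent records plus an audit trail of every channel decision."""
    consents: List[UnencryptedConsent] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)
    max_age: timedelta = timedelta(days=30)  # assumption: consent goes stale after 30 days

    def record(self, consent: UnencryptedConsent) -> None:
        # A consent that predates its warning was not an informed one.
        if consent.accepted_at < consent.warned_at:
            raise ValueError("acceptance cannot precede the warning")
        self.consents.append(consent)

    def find(self, patient_id: str, request_id: str,
             now: datetime) -> Optional[UnencryptedConsent]:
        """Match on patient *and* request, and only within the freshness window."""
        for c in self.consents:
            if (c.patient_id == patient_id and c.request_id == request_id
                    and timedelta(0) <= now - c.accepted_at <= self.max_age):
                return c
        return None

    def choose_channel(self, patient_id: str, request_id: str,
                       now: Optional[datetime] = None) -> str:
        """Default to secure; fall back to plain email only on a matching consent."""
        now = now or datetime.now(timezone.utc)
        consent = self.find(patient_id, request_id, now)
        channel = PLAIN if consent else SECURE
        self.audit.append({
            "ts": now.isoformat(),
            "patient_id": patient_id,
            "request_id": request_id,
            "channel": channel,
            "consent_accepted_at": consent.accepted_at.isoformat() if consent else None,
            "warning_version": consent.warning_version if consent else None,
        })
        return channel


def demo() -> List[str]:
    """Constructed walk-through of the scenario in point 2 above."""
    ledger = ConsentLedger()
    ledger.record(UnencryptedConsent("patient-001", "req-bloodwork",
                                     at(0), at(0.001), "warning-v1"))
    return [
        ledger.choose_channel("patient-001", "req-bloodwork", at(1)),    # plain: matching consent
        ledger.choose_channel("patient-001", "req-oncology", at(1)),     # secure: other request
        ledger.choose_channel("patient-001", "req-bloodwork", at(120)),  # secure: consent is stale
    ]


if __name__ == "__main__":
    print(demo())
```

The audit entries are what you would produce if a patient later disputes a plain-text delivery; in a real deployment the ledger needs durable, tamper-evident storage rather than an in-memory list, and `warning_version` should map to the exact text the patient saw.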

Infographic about health information rights

Contact us to learn more about how we can help your organization remain HIPAA compliant.

Salesforce Service Cloud and HIPAA Compliance

Team DataMotion

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards. Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you add Shield as an add-on compliance tool, you get monitoring, encryption, and auditing of your Salesforce instance. But that is only part of the compliance story, because it only covers the data while it resides within the Salesforce data storage ecosystem – the data at rest.

HIPAA also applies to data in motion. Simply stated: data containing protected health information that travels over a public network (like the Internet) must be encrypted in transit.

So let’s take a look at your scenario. Suppose you’re a customer service account representative using Service Cloud to view a new support ticket. A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer, and he wants to know if his insurance covers the new tests. The customer’s contact information plus a medical condition equals Protected Health Information (PHI), and handling it must comply with HIPAA guidelines.

While you’re viewing the information in Service Cloud, it’s covered (see the paragraph on data at rest above). But when you reply to that ticket, the PHI is almost always copied into the ongoing dialogue thread and sent from your company to the customer via email or another messaging format. It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible for encrypting the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce and Salesforce Marketing Cloud, can filter by policy rules and keywords, and automatically encrypt messages containing PHI. Our solution also adds event monitoring, logging, and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!
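Dr. Tippett’s four points in the earlier post and the Service Cloud reply scenario here come down to the same outbound decision: does this message leave encrypted, or has this patient explicitly accepted the risk for this kind of message? The following Python is an added illustration of that gate, not DataMotion SecureMail, Salesforce or any vendor’s code. It scans the whole reply thread (quoted turns included) for PHI indicators, consults per-patient consent records that are scoped to one message category, and defaults to encryption whenever the consent is missing, unacknowledged, or for a different category. The patient, the consent records, the sample ticket thread and the PHI keyword list are all constructed for the example; a real policy would use a much larger, site-tuned vocabulary.

```python
"""Added example (not DataMotion SecureMail, Salesforce or any vendor's code): an
outbound mail policy gate that applies the two rules described in the posts above.
Patient, consent records, sample ticket thread and PHI vocabulary are constructed."""
import re
from dataclasses import dataclass
from datetime import date

# Hypothetical PHI indicators: a short keyword list plus identifier-shaped patterns.
# A production DLP policy would be far larger and tuned to the organisation.
PHI_TERMS = {"diagnosis", "prostate cancer", "biopsy", "hiv", "prescription",
             "lab results", "blood test"}
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),
    "ssn-shaped": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "icd10-shaped": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),
}


@dataclass(frozen=True)
class Consent:
    """One explicit, warned consent to unencrypted email, scoped to a category."""
    patient: str
    category: str       # e.g. "lab-results"; does not carry over to other categories
    warned_on: date     # when the security-risk warning was given
    acknowledged: bool  # False when the patient never answered (Tippett's point 3)


def phi_indicators(text):
    """Names of the PHI indicators found in the text. The whole thread is searched
    because a reply almost always quotes the earlier turns."""
    lowered = text.lower()
    hits = {term for term in PHI_TERMS if term in lowered}
    hits |= {name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)}
    return hits


def outbound_decision(patient, category, thread_text, consents):
    """Decide how an outbound message leaves the organisation and return an audit
    record: 'encrypt' unless the thread carries no PHI indicators or this patient
    holds an acknowledged consent for exactly this category (Tippett's points 1-2)."""
    hits = phi_indicators(thread_text)
    record = {"patient": patient, "category": category, "indicators": sorted(hits)}
    if not hits:
        record.update(decision="plain", reason="no PHI indicators found")
        return record
    consent = next((c for c in consents if c.patient == patient
                    and c.category == category and c.acknowledged), None)
    if consent is None:
        record.update(decision="encrypt",
                      reason="PHI present and no acknowledged consent for this category")
    else:
        record.update(decision="plain",
                      reason=f"explicit consent for {category}, warned on {consent.warned_on}")
    return record


# Constructed sample: the Service Cloud ticket from the post, quoted in the agent's reply.
SAMPLE_THREAD = """Hi, thanks for contacting us.
> My doctor wants me to get additional testing to rule out prostate cancer.
> Does my plan cover the new tests? Member ID MRN 00123456
Your plan covers diagnostic imaging with a referral."""

SAMPLE_CONSENTS = [
    Consent("pat.jones", "lab-results", date(2023, 1, 9), acknowledged=True),
    Consent("pat.jones", "benefits-inquiry", date(2023, 3, 2), acknowledged=False),
]


def demo():
    """The reply above, sent to a patient whose only acknowledged consent covers lab results."""
    return outbound_decision("pat.jones", "benefits-inquiry", SAMPLE_THREAD, SAMPLE_CONSENTS)


if __name__ == "__main__":
    print(demo())
```

The returned record doubles as the audit entry: logging it for every outbound message gives the monitoring and tracking evidence the post mentions, and the consent scoped to "lab-results" deliberately does not cover the benefits inquiry, which is the trap in Dr. Tippett’s second point.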

Summary

Yes, the Salesforce platform can be made HIPAA compliant. But when you reply to a Service Cloud ticket, that’s data in motion, and it’s not Salesforce’s responsibility to encrypt it. Your company needs to ensure those messages are encrypted between Salesforce, or any customer relationship management platform, and your customers. If not, you’re subject to fines, penalties, data breaches, and loss of reputation.

Updated April 12, 2023

Learn more about our products to find out which ones will give your healthcare organization’s patient data exchange a clean bill of health.

What Exactly Is a HISP?

Team DataMotion

In the healthcare industry, data is everything. From research to treating patients, having the right data to work with is critical. However, when patients need to see different doctors or specialists to receive treatment, exchanging information can become confusing.

This is where HISPs come in. A HISP is an entity or organization that facilitates the secure exchange of health information. HISPs provide the necessary infrastructure, standards and services to enable healthcare organizations, providers and systems to share health-related data securely. In other words, they make the exchange of patient data easier than ever.

Defining HISPs and Their Fundamental Purpose

What does the acronym “HISP” stand for? It means “health information service provider.” The term HISP is often used when discussing Direct Secure Messaging. HISPs facilitate the safe exchange of data and information between healthcare organizations. Some of the most valuable benefits of using a HISP include:

  • Collaborative care: When patients need treatment from other providers and specialists, the relevant healthcare professionals can send their information and medical history accordingly. Additionally, professionals can log patient health information on systems like health information exchanges (HIEs), allowing any healthcare facility to access common health records.
  • Data analytics: The healthcare industry is constantly producing valuable data. HISPs make it possible to collect and analyze health data to reduce healthcare costs and manage the health of a population.
  • Secure messaging: HISPs enable secure messaging services that allow healthcare entities to exchange sensitive health information while ensuring data privacy and compliance with health information security standards.
  • Interoperability support: HISPs help achieve interoperability by enabling information exchange across different healthcare systems, electronic health record (EHR) platforms and other health-related applications.
  • Data standards compliance: HISPs ensure the data exchanged follows standardized protocols and data standards, promoting consistency and compatibility.
  • Patient consent management: HISPs often include mechanisms for managing patient consent preferences for sharing health information.

The Inner Workings of HISPs

HISPs work by allowing health plans, doctors, practices and hospitals to exchange health information. A HISP’s primary function is to manage the security and sharing of patient healthcare data. All HISPs are monitored and regulated by DirectTrust™, run by the United States Department of Health and Human Services (HHS).

HISPs offer cost-effective, rapidly deployed services that comply with health information-sharing regulations. A HISP is a far more reliable and preferred alternative to faxing information or using virtual private networks. These providers also offer access to the DirectTrust network, which allows trading partners to exchange protected health information safely via the internet.

Health Information Exchange Systems

An electronic HIE aims to improve the interoperability and accessibility of patient data across different healthcare organizations. It gives doctors, nurses and other healthcare professionals secure access to patients’ health information.

These systems can significantly improve the completeness of a patient’s records, which directly affects the care they receive. The more information a healthcare provider has about the patient, the more thorough they can be, resulting in better quality of care. This includes the patient’s past and current diagnostics, medications, and other information that could improve outcomes and make it easier to treat the patient and identify an issue.

By using an HIE to share patient information promptly, doctors will have better information and avoid readmissions and errors. If a patient is allergic to something or responds more favorably to a specific type of treatment, that information would be readily available to the care provider.

The Role of HISPs in Healthcare and Patient Data Protection

HISPs offer healthcare organizations (hospitals, physicians, health plans, health information exchanges) and consumers an onramp to the Direct Secure Messaging network, where trading partners can exchange protected health information (PHI) in a structured and unstructured format across the internet with maximum security and privacy.

Exchange partners can easily find each other on the DirectTrust network through a healthcare provider directory (HPD), promoting fast collaboration and interoperability in sharing patient information.

Understanding Direct Messaging in HISPs

The nationwide messaging service delivered by HISPs and overseen by DirectTrust represents a modern, affordable, and standards-based alternative to sharing clinical data by fax, virtual private networks, and proprietary interfaces. Those older exchange methods are costly and increasingly outmoded as healthcare embraces digital communications with the economies, scale, and ubiquity of the internet. Operationally, HISP-delivered Direct Secure Messaging services are most closely related to fax in that both methods “push” data between senders and recipients and return a delivery notification upon completion.

Collectively, HISPs are the communications backbone of the DirectTrust health information exchange. Individually, they are access points to the DirectTrust network and are referred to as DirectTrust network service providers or Direct Trusted Agents. Direct Secure Messaging, Direct exchange, ONC Direct, and HISP services are the terms generally used to describe the clinical data exchange service HISPs provide.

Because the electronic medical record message attachments (HL7 C-CDA or CDA documents) processed by HISPs meet Health IT interoperability standards, PHI exchanged via Direct Secure Messaging can be sent and received from EHR workflows. The same standard allows data sharing among any EHR and any software solution connected to a HISP. To use email as an analogy: you may have Microsoft Outlook installed on your computer, but if it isn’t connected to an email network, your emails can’t go anywhere and none can reach you. Similarly, your EHR can send and receive Direct-compliant messages, but those messages won’t go anywhere unless you and those you communicate with have valid HISP service, addresses and DirectTrust certificates.

For Health IT developers seeking ONC/EHR certification, HISPs are important partners: they supply the Direct Secure Messaging capabilities that certification requires but that are out of scope for most developers, enabling them to satisfy those requirements.

The Impact of HISPs on Healthcare Communication and Data Exchange

Some HISPs are end-user-facing with recognizable brand names and user interfaces while others operate behind the scenes as an integrated module of an EHR or similar health IT solution. Those that tightly integrate with EHRs or HIEs are sometimes owned and operated by the solution vendor and provide a captive service tailored to the solution. Independent (aka: pure-play) HISPs are typically full-service providers offering a range of connectivity and service options to suit the needs of a range of end-user requirements.

HISPs provide multiple sub-services underlying the Direct Secure Messaging service, including:

  • Direct Secure Messaging Addresses
    Direct addresses are similar to typical email addresses, except that they operate exclusively on the DirectTrust network. DirectTrust network operators recognize the specialized digital certificate affixed to a domain or Direct address, which can only be issued by an accredited DirectTrust HISP. The digital passport represented by the certificate makes Direct addresses different from Gmail, Outlook, Yahoo, and similar addresses that operate on standard email. The certificate also encrypts messages and confirms the identity of the sender and receiver, resulting in non-repudiation.
  • DirectTrust Onramp Connectivity Options
    • Edge protocols (e.g. XDR or S/MIME)
    • Web-based mail portal with accessibility support
    • Protocol transformation and routing: S/MIME over SMTP, IHE XDR, web services
  • Digital Certificate Issuance and Lifecycle Management
    • The DirectTrust-authorized digital certificates provisioned by HISPs require specialized management and sharing capabilities that only HISPs are qualified to provide.
    • Participation in the DirectTrust Accredited bundle
    • Certificate issuance and registration authority
  • Identity Authentication (aka: identity proofing)
    • To keep the DirectTrust network clean of bad actors (e.g. spammers), HISPs are required to confirm the true identity of participants in Direct Messaging prior to provisioning a Direct Address
  • Message Delivery Notification
    • Message completion acknowledgements collected and reported out by HISPs are considered to be irrevocable proof of message delivery and thus have important weight in legal and CMS reporting
  • Direct Secure Messaging Service Support
    • Online and phone support for onboarding, connectivity issues and outages, and other service needs
    • High-availability and disaster recovery
  • Healthcare Provider Directory (HPD)
    • Publish Direct Addresses to DirectTrust HPD
  • Enforcing DirectTrust Rules of the Road
    • Maintain accreditation attesting to trust relations
    • Security and Trust Framework
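To make the certificate items in the list above concrete (an address-bound certificate issued under an accredited CA, the trust bundle, encryption, sender identity and non-repudiation), here is an added Python model of the receiving-side checks. It is not DataMotion’s, DirectTrust’s or any HISP’s code, and it does not produce the real S/MIME/CMS wire format; it uses the same building blocks (an X.509 certificate with the Direct address in the subjectAltName, RSA signing, and hybrid AES-GCM/RSA-OAEP encryption) so that the trust decision is visible. The CA standing in for the accredited bundle, the clinician names and the Direct addresses are constructed, and the `cryptography` package is assumed to be installed.

```python
"""Added example (not DataMotion's, DirectTrust's or any HISP's code): a miniature
model of the certificate mechanics listed above. A constructed CA stands in for the
DirectTrust accredited bundle; names and addresses are made up. Needs `cryptography`."""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PKCS1 = padding.PKCS1v15()


def issue_cert(common_name, key, direct_address=None, issuer=None, is_ca=False, days=365):
    """Issue a certificate; `issuer` is a (cert, key) pair, None means self-signed.
    The Direct address is bound to the certificate through the SAN rfc822Name."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer[0].subject if issuer else subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=1))
               .not_valid_after(now + timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if direct_address:
        san = x509.SubjectAlternativeName([x509.RFC822Name(direct_address)])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(issuer[1] if issuer else key, hashes.SHA256())


def sender_cert_trusted(cert, from_address, trust_bundle):
    """Receiving-side check: the certificate must be issued by a CA in the trust
    bundle, be inside its validity period and carry the claimed Direct address."""
    ca = next((c for c in trust_bundle if c.subject == cert.issuer), None)
    if ca is None:
        return False
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, PKCS1,
                               cert.signature_hash_algorithm)
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    # not_valid_*_utc arrived in cryptography 42; older releases expose naive UTC datetimes.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not not_before <= datetime.now(timezone.utc) <= not_after:
        return False
    return from_address.lower() in (a.lower() for a in san.get_values_for_type(x509.RFC822Name))


def seal(plaintext, sender_key, recipient_cert):
    """Sign with the sender's key, then encrypt for the recipient only: AES-GCM for
    the body, RSA-OAEP to wrap the content key (the hybrid pattern S/MIME uses)."""
    signature = sender_key.sign(plaintext, PKCS1, hashes.SHA256())
    content_key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return {"nonce": nonce,
            "body": AESGCM(content_key).encrypt(nonce, plaintext + signature, None),
            "wrapped_key": recipient_cert.public_key().encrypt(content_key, OAEP)}


def unseal(envelope, recipient_key, sender_cert, from_address, trust_bundle):
    """Decrypt, then verify. ValueError for an untrusted sender certificate,
    InvalidSignature for a forged body; the plaintext otherwise."""
    if not sender_cert_trusted(sender_cert, from_address, trust_bundle):
        raise ValueError(f"certificate not trusted for {from_address}")
    content_key = recipient_key.decrypt(envelope["wrapped_key"], OAEP)
    data = AESGCM(content_key).decrypt(envelope["nonce"], envelope["body"], None)
    public_key = sender_cert.public_key()
    plaintext, signature = data[:-public_key.key_size // 8], data[-public_key.key_size // 8:]
    public_key.verify(signature, plaintext, PKCS1, hashes.SHA256())
    return plaintext


def demo():
    """Constructed scenario: a referral from Alice to Bob, plus a self-signed
    certificate claiming Alice's address that no accredited CA vouches for."""
    ca_key = rsa.generate_private_key(65537, 2048)
    ca_cert = issue_cert("Example HISP CA", ca_key, is_ca=True)  # stand-in for the bundle
    bundle, alice, bob = [ca_cert], "alice@direct.clinic.example", "bob@direct.hospital.example"
    alice_key, bob_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    alice_cert = issue_cert("Dr. Alice", alice_key, alice, issuer=(ca_cert, ca_key))
    bob_cert = issue_cert("Dr. Bob", bob_key, bob, issuer=(ca_cert, ca_key))
    rogue_cert = issue_cert("Dr. Alice", rogue_key, alice)  # self-signed: not in the bundle
    envelope = seal(b"Referral for patient 0001: MRI of left knee", alice_key, bob_cert)
    results = {"plaintext": unseal(envelope, bob_key, alice_cert, alice, bundle)}
    for label, cert, claimed in [("rogue_rejected", rogue_cert, alice),
                                 ("mismatched_address_rejected", alice_cert, bob)]:
        try:
            unseal(envelope, bob_key, cert, claimed, bundle)
            results[label] = False
        except ValueError:
            results[label] = True
    return results
```

The two rejections in `demo()` are the point: a self-signed certificate claiming Alice’s address never reaches signature verification because no CA in the bundle issued it, and a bundle-issued certificate is still refused when its subjectAltName does not match the From address. In production the bundle is the set of accredited CA certificates the list above refers to, and revocation checking would be added before the address comparison.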

The most notable benefits of using Direct Secure Messaging in healthcare include:

  • Reduced administrative costs: Secure messaging is a cost-effective solution and does not need manual processing. It’s easier to share information and can be done without needing extra staff members. This process saves time by cutting down on paperwork, which allows healthcare workers to spend more time caring for their patients.
  • Improved engagement and satisfaction: Healthcare centers, clinics, hospitals and practices that use secure messaging can provide patients with better experiences. Patients can now communicate more effectively and much faster with their healthcare providers. They no longer need to wait hours in a waiting room or make unnecessary trips to doctors or specialists. A more complete picture of patient health history drives a better quality of care and patient outcomes.
  • Streamlined scheduling: Security and efficiency are the two most important factors when dealing with healthcare information. Secure messaging embodies both of these factors. It allows for easy and highly secure communication between patients and healthcare providers. This system makes it convenient for the patients and greatly reduces time spent on administration.
  • Enhanced privacy and data protection: Healthcare information sharing needs to be taken seriously, and sensitive patient information needs to be well-protected. This information includes medical records, prescriptions and test results. Secure messaging protects this data through two-factor authentication, ensuring only the right people can access it. Encryption protects the data from cyber threats and lowers the risk of identity theft. Using secure messaging in healthcare allows practitioners to trust that their patients’ information is safe.

The Synergy Between APIs and HISPs

API stands for “application programming interface.” This software intermediary allows two applications to talk to each other and lets users integrate various automation tools. Using an API can reduce administrative costs and boost efficiency. With automation, the amount of manual processing required is greatly reduced. From handling patient scheduling to grouping information together, automation and APIs can significantly enhance the efficiency and uses of a HISP.

Real-time data available through an API can be an excellent source for reliable data analysis and generating real-time insights. Aside from helping patients receive better care, APIs help providers give them the best patient experience possible.

Contact DataMotion Today for HISP Services

Now that you know everything about HISPs, be sure to read our blogs to learn everything you need to know about Direct and the Healthcare Provider Directory. DataMotion is an accredited HISP of Direct Secure Messaging, and we can support your HISP needs. Contact our team today to learn more.

Updated April 16, 2024