Penalties for Violations, and the Optimized Solutions

What Is HIPAA?

Enacted in 1996, HIPAA, short for the “Health Insurance Portability and Accountability Act”, is a body of federal regulations that aims to establish national standards and protect sensitive patient health information. HIPAA intends to:

  1. Provide high-quality medical care.
  2. Protect a patient’s health information.
  3. Deal with the dissemination and use of personal health data.

HIPAA Compliance and Pagers

Since HIPAA’s Security and Privacy Rules were amended, the HIPAA compliance of pagers has come under discussion. According to HIPAA Journal, healthcare organizations that still use pagers as a form of communication should ensure that messages can be remotely deleted from a pager if it is stolen or lost, to secure the confidentiality of PHI (“Protected Health Information”); likewise, all communications should be encrypted and a message accountability system should be in place. On rare occasions, electronic Protected Health Information (ePHI) might be transmitted via the paging system. However, on analog and digital broadcasts, the system might not be encrypted.

Pagers Were Expensive and Ineffective:

Before the introduction of the rules on HIPAA compliance for pagers, pagers were seen as inefficient and time-consuming. Regardless of whether PHI is communicated in a pager message, the recipient often has to call back the source of the message to determine its priority in the workflow and obtain further details. Misunderstandings arise when messages are passed on second-hand, and when one person is not available right away the result can be phone tag. The absence of message accountability is another problem with pager communications.

Unencrypted Radio Communication Containing PHI:

HIPAA Journal presented a report highlighting that radio communications containing PHI were monitored across several kinds of services, including rehabilitation centers, clinics, medical centers, and hospitals, and that they are usually unencrypted. “Unencrypted pages and radio communications was found to be a systemic problem affecting most states in the US”, according to the report. When patients are moved from one healthcare facility to another, especially in the case of “Interfacility Transfers (IFT)”, unencrypted radio communications containing PHI are conveyed. They include sensitive patient data such as medical diagnosis records, dates of birth, contact numbers, names, patient status updates, treatment orders, preparation requests for in-facility transfer, bed requests, and emergency department. If the information is not encrypted, there may be a risk that hackers steal it. Therefore, public safety radio communication systems that carry PHI require proper encryption techniques.

Radio Hobbyist Views and Intercepts Unencrypted Hospital Pager Messages:

According to a HIPAA Journal article published in 2018, many healthcare institutions now favor encrypted messaging platforms, which has led them to abandon their antiquated pager systems. The article reports a security breach that hit the data of several hospitals: private communications and messages were intercepted in Missouri by a “radio hobbyist” using Software Defined Radio (SDR), easily obtainable hardware that they might have acquired for around $30. Data on the visits of hundreds of patients, some of which were for very delicate situations like alcohol withdrawal, suicidal ideation, and drug overdose, were among the unencrypted information.

HIPAA’s Privacy Violations – HHS Investigation:

The United States Department of Health and Human Services (HHS) is investigating the Monroeville, Pennsylvania 911 dispatch center for violations of federal privacy law, i.e., a HIPAA breach that occurred in August 2012. In this case, medical histories, birth dates, driver’s license numbers, and patients’ names were disclosed to non-authorized workers of Monroeville, according to the complaint received by the former police chief that the center sent protected health information.

Addressing the situation, Lynette McKinney, the Monroeville manager, said, “Anyone who has called the police, called the fire department, used our [emergency medical service] who could be affected by the breach”.

Penalties for HIPAA Violations:

Certain fines for HIPAA violations can reach millions of dollars, so non-compliance can be quite expensive for corporations. HHS decided that only the most severe penalty tier, “Tier 4”, should be subject to the yearly maximum penalty of $1,919,173 (currently $1.5 million). However, as depicted in Table 1, there are maximum and minimum fines for HIPAA violations in the different penalty tiers, but with a per-year penalty cap of $1,919,173 for multiple violations of the same provisions of HIPAA.

Are Schools Subject to HIPAA Laws?

HIPAA laws apply to business associates, clearinghouses, health plans, and healthcare providers. By contrast, schools may not generally be regarded as covered entities under the regulations, although the laws may apply to them in some circumstances, such as when students receive healthcare services. But HIPAA may still not apply in these circumstances, because any health information gathered about the student would be part of the student’s education records, which are governed by FERPA, which means that they may be excluded from the HIPAA Privacy Rule.

Optimized Solutions:

According to the American Hospital Association’s senior consultant for risk and cybersecurity assessment, “When sending or receiving personal health information, the AHA recommends all hospitals and health systems use secure data transmission platforms that are in full compliance with standards of the HIPAA Data Privacy and Security Rules”.

An Alternative to Pagers – Secure Messaging:

Healthcare organizations should abandon digital paging and unencrypted radio channels and move towards a more secure and reliable technique, i.e., Secure Messaging. This is a commercially available secure app that communicates only over an encrypted communications network and adheres to the HIPAA Security Rule. It allows only authorized staff to access the app’s features, so they can receive documents, share photos, and send messages while the confidentiality of PHI is maintained. Moreover, there will be no risk to the integrity of PHI, and if medical service providers or professionals forget to log out of the secure app, a time-out feature will end the session and remove them from the network after a period of inactivity.

The Bottom Line:

Healthcare institutions that still use outdated pager and radio systems, and have not yet switched to encrypted text messaging services or encrypted voice radio traffic, should be aware of the HIPAA compliance laws as they apply to paging and radio communications, of HIPAA privacy violations, and of their penalty structure. They should adopt an optimized solution for storing and receiving pager messages and use secure messaging apps, systems and devices.

 

-By Brian Martin

Global Communication Services

References

Alder, S. (2022, January 23). What are the Penalties for HIPAA Violations? HIPAA Journal. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

Are Pagers HIPAA Compliant for ePHI? (n.d.). Topgallant Partners. Retrieved December 19, 2022, from https://topgallant-partners.com/are-pagers-hipaa-compliant-for-ephi/

Etemadieh, A. (2018, July 2). Beware: Hospital pagers can cause HIPAA violations. Paubox. https://www.paubox.com/resources/beware-hospital-pagers-can-cause-hipaa-violations/

Feds investigate HIPAA privacy violations at dispatch center. (2013, March 27). EMS1. https://www.ems1.com/communications-dispatch/articles/feds-investigate-hipaa-privacy-violations-at-dispatch-center-elbdlYZ5H96WWS26/

HIPAA Journal. (2018a, April 3). What Happens if You Break HIPAA Rules? HIPAA Journal. https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/

HIPAA Journal. (2018b, June 26). Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist. HIPAA Journal. https://www.hipaajournal.com/unencrypted-hospital-pager-messages-intercepted-viewed-radio-hobbyist/

HIPAA Journal. (2016, October 27). Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers. HIPAA Journal. https://www.hipaajournal.com/study-highlights-risk-phi-exposure-healthcare-pagers-3648/

HIPAA Journal. (2020, January 9). Does HIPAA Apply to Schools? HIPAA Journal. https://www.hipaajournal.com/does-hipaa-apply-to-schools/

HIPAA Journal. (n.d.). HIPAA Compliance and Pagers. HIPAA Journal. Retrieved September 9, 2022, from https://www.hipaajournal.com/hipaa-compliance-and-pagers/

Magnusson, A. (n.d.). What Are the Penalties for Violating HIPAA? (Civil & Criminal) | strongDM. Discover.strongdm.com. https://www.strongdm.com/blog/hipaa-violation-penalties

Ouellette, P. (2013, March 27). HHS investigating HIPAA violation at Pa. 911 dispatch center. HealthITSecurity. https://healthitsecurity.com/news/hhs-investigating-hipaa-violation-at-pa-911-dispatch-center

TheDatahoarder. (2021, April 10). Receiving and storing pager messages. DataHoards. https://www.datahoards.com/receiving-and-storing-pager-messages/

Wei, W. (2015). The Effects of HIPAA’s Privacy Rule on Medical Research. https://scholarworks.arcadia.edu/cgi/viewcontent.cgi?article=1032&context=undergrad_works

Contact us today to see how we can help you with your Radio and Paging HIPAA Compliance evaluation and solutions.

GCS Out!