Health care technology is changing. As caregivers and their business associates embark on their digital transformations, they’re adopting new ways of communicating with patients, insurance companies, pharmacies and other stakeholders. Although these techniques are convenient and cost-effective, they’re often relatively novel from a HIPAA standpoint. In other words, using these technologies can have unexpected ramifications in terms of privacy and security.

Joel Maloff, senior vice president of strategic alliances and chief compliance officer at Phone.com, provided us with detailed insight on how health care companies are starting to cope, knowledge gaps, pain points, repeat offenders (users) and what MSPs should know.

Phone.com’s Joel Maloff

Phone.com, which just announced that nearly 500 solutions providers have joined its growing channel partner program and that more than 30,000 businesses across the United States and Canada currently use its cloud-based unified communications and collaboration (UC&C) services platform, works with companies to earn the seal of HIPAA compliance.

Ahh HIPAA. It’s no secret that HIPAA compliance in a post-GDPR digital age is getting increasingly complex. A gosh darn headache, to be frank. Data from The U.S. Department of Health and Human Services (HHS) says that 70% of the health care market is not HIPAA compliant. This is practically screaming for support from channel partners, cloud and managed IT services providers, resellers and agents. But more on that later.

Communication in health care is changing in some pretty big ways. Maloff describes these changes as occurring along two axes — technological and regulatory. In many ways, the technological axis is what’s driving the regulatory axis.

“The widespread adoption of SIP trunking is one example of note; experts forecast SIP trunking utilization in health care to grow exponentially in the coming years,” says Maloff. “SIP trunking is a way of running voice calls over the internet — VoIP — as opposed to TDM phone lines. This saves health care companies time and money. There’s less overall equipment to maintain, and IT staff only need to spend time maintaining their internet infrastructure, as opposed to internet plus TDM equipment. As a result, they’re saving up to 50% on their telecom costs.”

Here’s the thing, though — traditional analog phone lines aren’t covered under HIPAA.

So, in essence, the switch to SIP trunking, and VoIP in general, as opposed to TDM, is really punching up the emphasis on HIPAA. All VoIP phone systems include voicemail, which means that every time a patient calls and leaves a message, it gets recorded on a server. And that means that the phone call becomes personal health information (PHI).

It doesn’t stop there.

“Most companies do not have the time, effort or expertise necessary to build a full-featured SIP trunking phone system themselves — and they definitely don’t have the time to run it” says Maloff. “As a result, most organizations look forward a channel partner or managed services provider to run their VoIP implementation. If they’re a health care company, it means that their service provider needs to sign a Business Associate’s Agreement.”

There are other ways in which new technology adoption is affecting regulation. It can become a  bee nest of a situation when it comes to something as simple as making a phone call.

Pharmacies are now texting SMS reminders to their customers, doctors are texting patients, etc. It’s a simple, fast and effective way to …

…get in touch with patients without the drag of making a phone call.

But of course, it’s not that simple.

“When you text with a patient, you’re committing their information to an electronic record — it turns into PHI,” says Maloff. “This is PHI that gets stored on your phone, unencrypted, and also gets mirrored in the cloud with your phone carrier that you never signed a BAA with. In other words, if you just text a patient with the default SMS app that comes on your smartphone, you’re probably going to get into trouble. You can incur a fine of up to $50,000 per text.”

Yeesh.

This has created a new market for SMS applications in the health care space. This is a specialized application that sends encrypted texts via SMS, stores them in an encrypted format, includes mobile device management so you can wipe the texts off your device and reminds you to get patient consent before texting with them.

So, how has Phone.com been able to capitalize on the growing need for HIPAA compliance?

Maloff says that Phone.com’s success has been positioning themselves as a HIPAA-compliant company that provides technological solutions, as opposed to a technology company that sells HIPAA-compliant solutions. In other words, they’re not just checking a box.

“We pursued a mission to become HIPAA compliant and to design our solutions around that central fact, when we could have just tweaked our existing solutions to fill out a few HIPAA checkboxes,” states Maloff. “We are now HIPAA-compliant in a space where according to figures from the HHS, 70% of the market is not. Further, we fully audited our VoIP platform to identify spaces where we could have violated HIPAA and rebuilt it with new built-in tools.”

Impressive indeed. Phone.com partner Frances Harvey, founder of My Solution Services, an online business manager service that specializes in working with mental health professionals, is a huge advocate of Phone.com’s HIPAA-compliant business communications services, which offer entry to or expansion in the highly lucrative health care sector.

“Our most popular service is managing their [mental health professionals’] phones and scheduling,” said Harvey. “Finding a great VoIP service, with great customer service, a great app, that is HIPAA-compliant and offers a BAA has been very challenging. This, being HIPAA-compliant, is the biggest need for mental health care by far. It is not negotiable.”

Since announcing Phone.com as HIPAA compliant, they have issued more than 900 business associate agreements.