HIPAA doesn't just apply to medical professionals. Any professional (lawyers, accountants, educators, etc.) who works with protected health information (PHI) can potentially fall under HIPAA. As an information security consulting company, we are well aware of the complexities of HIPAA. We designed SecurePaging to be the very best HIPAA-compliant urgent messaging solution. We offer a standard Business Associate Agreement (BAA) at no additional charge.
Most vendors' HIPAA "compliant" products store messages on the user's smartphone (and on any other platform their app supports). They tell you their product is HIPAA compliant because the data stored on the user's telephone is encrypted, and many even offer a remote "wipe" capability.
Technically, they may be correct. What they don't tell you is that a lost or stolen device that contains (encrypted) PHI is a reportable event, unless a risk assessment is performed which demonstrates the device was in compliance with both policy and technical controls at the time of loss.
Taking this further, remote "wipe" only works if the vendor's app is able to connect to the vendor's servers. Remote "wipe" also does not account for any backups of the telephone made to the user's computer and/or cloud services. It is entirely possible, if not probable, that countless copies of the data will be floating around well after the phone has been "wiped".
Some of these products don't even offer a BAA...
SecurePaging does NOT store messages on any user device.
Our BAA allows for the use of the following SecurePaging interfaces for transmitting PHI:
- Mobile 1st User Web Interface

Email is excluded from our BAA-covered interfaces due to the nature of email and the need to service clients' use of the email interface in ways which would not be HIPAA compliant. Of course, those who require HIPAA compliance can still use the email interface, just not for transmitting PHI.