Healthcare IT: Challenges and Opportunities in Secure Exchange

By Team DataMotion

DataMotion Director of Product Andrew McKenna sat down with Content Manager Andrea Meyer and Digital Marketing Specialist Sarah Parks to chat about his experience at the recent HIMSS22 conference, which took place in Orlando, Florida. As a newer addition to Team DataMotion and a first-time HIMSS attendee, Andrew offered a unique perspective, sharing highlights of conversations with fellow attendees, observations on the current state of the healthcare IT landscape, and thoughts on where he sees the future of digital exchange within healthcare.

DataMotion: Andrew, thanks for speaking with us today. Before diving into HIMSS, your learnings, and discussions around secure exchange, we’d like to learn about you. Tell us a bit about your role and background.

Andrew McKenna: I have a degree in Computer Science from Mount St. Mary’s University, and recently joined DataMotion as our Director of Product. My role links our engineering, operations, customer success, and sales teams together. I am responsible for the full spectrum of product management, from product strategy to road mapping, culminating in the delivery of products to the market. I love this role because I have the opportunity to see use cases in action, how stakeholders leverage our products, and how we can improve. It’s exciting to discuss and plan the future use cases of our products!

Prior to joining DataMotion, I spent most of my career in product and engineering roles in financial services. I also spent time in the supply chain software space. Throughout my career, I have linked disparate systems to create frictionless digital workflows, allowing data to quickly travel from point A to point B for efficient processing. These workflows helped level silos that were created during previous paradigms of technical revolution. My approach has historically been doing all of the above while striving for end user delight, whether it be a factory user in a supply chain, a financial advisor, or a banking operations user.

DM: This was your first time attending the HIMSS conference. As a first-time attendee, what was the experience like?

AM: As I roamed the Orlando Convention center floor, the first thought I had was wow, this is HUGE. I thought I had been to large conferences before, but the size of the exhibitors’ hall was truly overwhelming. HIMSS was my first conference since the COVID-19 pandemic, and my first healthcare conference ever. I was ready to learn about old and new problems the healthcare industry is facing. Because these problems are new to me (from a healthcare perspective) I was excited at the prospect of thinking through innovative solutions to very different and difficult use cases.

While walking the floor, I met with API and call center companies, EMR (Electronic Medical Records) and EHR (Electronic Health Records) vendors, system integrators, emerging technology providers, healthcare payors and providers, and many others. It was great to finally connect in-person with current and potential partners! I was fortunate to walk the halls with our CEO, Bob Janacek. In doing so, I met quite a few industry leaders who are familiar with DataMotion’s history and vision. While speaking with these folks and hearing their stories, I had an opportunity to discuss potential workflows and use cases for our products. Despite the different industry verticals and varying pain points, we were all there with the goal to improve healthcare technology and the flow of information. This commonality made for a wonderful introduction to the needs across other technology companies and the industry as a whole!

DM: You recently joined Team DataMotion, so for context, you attended a new event, in a new role, exploring a new industry. Tell us how DataMotion’s products, services, and mission shaped your perspective going in.

AM: To level set my learnings, it is important to first define who we are at DataMotion. In short, DataMotion is a secure communications platform. At its core, our platform consists of a governed, trust no one, trust nothing database. Let’s focus on security for a moment–the security level of our platform means that every single communication that is transmitted via DataMotion is transmitted securely and compliantly. In fact, our platform is so highly secure that even DataMotion’s admins cannot see any transmitted data!

The other key of our platform is how we deliver to our customers. We provide well-designed RESTful APIs and other flexible connectors that customers can stitch into their systems. This enables seamless integrations for secure data transmission, including transmissions between disparate systems. The final key to highlight is the fact that we have applications and key integrations available. As a Communication Platform as a Service (CPaaS) organization, we meet our customers where we are needed in the method that is required to provide a simple, right-sized solution for secure transmission of content. We have a long history that has brought us to where we are today. This history has shaped our vision for the future, and I am excited to be a driver of that vision.

DM: Can you tell us a little bit about DataMotion’s contributions to secure exchange in the healthcare ecosystem?

AM: As a technology company that began in the regulated space, healthcare is a natural extension for us. We enable the secure, compliant communication that protects our customers and their patients’ health information. Since 2012, DataMotion has been a member of DirectTrust™, providing a safe, secure, and compliant way to transmit health records between providers, allowing the fast, efficient connection of patient information to the correct part of the healthcare ecosystem.

Payors, providers, patients, and others in the healthcare ecosystem need to be securely linked, with content flowing across verticals. DataMotion is an active player in this area—serving as the nation’s catcher’s mitt for COVID-19 test reporting to the government is one example. Another example is how we have enabled secure communications for a state agency that facilitates ambulatory care for patients. DataMotion also provides solutions for health insurance companies that simplify secure communications processes for both customer service agents and policyholders alike.

DM: This was an enormous event, with attendees from just about every aspect of the healthcare ecosystem, each with their own unique challenges and goals. You had a lot of one-to-one discussions—tell us about your conversations in general and any recurring themes.

AM: Many of the conversations centered on secure data transmission being critical in the world of healthcare. I discussed different solutions with representatives from call center organizations, whose focus is on the industry of home health app providers. If Direct is not available, fax and other early-form CPaaS services still seem to rule for many. As such, most of the folks I spoke to did not have a solution for transmitting content securely and compliantly outside of the specific customer’s four walls. Yes, they can collect the pertinent data and they can send the data within their network. But actually crossing into another provider’s ecosystem seems to be an afterthought.

DM: Based on these conversations, what are your thoughts on the current state of healthcare IT?

AM: I found myself speaking within my comfort zone for much of the show, coming across software providers and integrators that are well known in the financial services vertical. Our conversations led back to the challenges facing healthcare IT.

Today, there are regional applications that handle local to local transfer of pertinent data. But not all regional applications play well with others. For example, some don’t accept specific transmissions, causing failover to manual processes. This brought back memories of transferring my children from one primary pediatrician to another. We had requested electronic records transmission; it was sent. The new pediatrician received the records; however, their EHR could not translate the attachment. Therefore, the records were faxed before our first appointment and we brought a printed record.

Let that sink in: in 2022, because the systems didn’t get along, a nurse at the new office had to manually enter the entire medical history of our children – from a fax!

This problem statement resonates across industries. Like financial services, healthcare is an area where protection of content would be an issue if a solution like DataMotion was not present. These organizations require a service like ours. Without DataMotion, our customers have to build their workflows in addition to building secure messaging protocols. The reality is that DataMotion does the heavy lifting of providing a secure, governed, compliant solution that can be inserted where required.

DM: You mentioned having discussions with representatives from other API companies during the conference. What are some of the larger themes that emerged from those conversations?

AM: Many API companies talked about potential synergies with DataMotion and how, together, we can connect the entire world of payers, providers and patients efficiently and securely. Sure, there are a variety of APIs available for a whole world of needs. But how can you be sure those APIs are secure and will fit in an organization’s workflow? These elements of secure connection and of trust were the commonly-mentioned gaps that came up across many of the conversations. One aspect of these discussions that resonated with our fellow API companies was DataMotion’s customer self-service portal (CSSP), which fills these gaps in the market.

DM: Tell us more about these companies and their approach, DataMotion’s solutions and customer self-service portal, and how it helps the market.

AM: The API companies I spoke with handle their areas of expertise well. But there is much more work to do concerning the secure transmission of data. When it comes to protecting personal health information (PHI) and remaining HIPAA compliant while data is transmitted (and while it is at rest), there seems to be a major gap in the market. There are many mature API companies that offer different options. When speaking with them, their default answer is, yes, our code is solid, go build your solution.

DM: Let’s follow up on this—could you chat for a moment about DataMotion’s approach and how we fill some of these market gaps?

AM: Yes! DataMotion provides mature APIs that developers use as a foundation for their development process. In addition to providing military-grade encryption, DataMotion allows customers to try before they buy by testing our APIs in a secure environment. With our portal, users can see our APIs in action as part of their secure exchange workflow. We offer complete modern data exchange, balancing secure, compliant communication with superior usability by leveraging our APIs, connectors, and prebuilt solutions.

DM: You also mentioned that you spoke with attendees representing call center IT departments. Tell us a bit about those conversations, and how DataMotion helps call centers expand their services?

AM: When talking to attendees from call center software companies, it was clear there is a tremendous need for the simple, frictionless, efficient, and secure transmission of content, while maintaining compliance and a high level of customer service.

DataMotion provides the ability for call center teams to expand their services to include the secure and compliant transmission of PHI and personally identifiable information (PII) as well as other sensitive data. And they can do this while maintaining their natural workflows. Secure and compliant communication is a cornerstone of their daily operations. Key to these conversations is that DataMotion can link them, through Direct Secure Messaging, to EHR applications.

DM: You mentioned that you talked to software providers who are attempting to digitize healthcare. What resounded with these folks, and what topics came up?

AM: Yes, these were some fascinating conversations. These organizations are working toward digitization of the healthcare ecosystem and they need to play well in the sandbox of modern systems. In some cases, legacy communications are used as an important failover for more modern methods. While this is a workable back-up, in many of these cases the end user is leaving their workflow or system to achieve what I like to call a break-glass procedure—in case of emergency, break glass and grab the fire hose. While this is functional, it is not optimal.

DataMotion’s secure content exchange solutions keep our clients and their customers in an ecosystem that is familiar to them while staying compliant. Because of this frictionless process, there is no need for users to create another username and password, or to enter a foreign portal. There are no extra steps to get content to the provider that needs health records, or the results of a home health application or device. And thanks to DataMotion’s APIs, there is no need to bring a device back to an office to securely and compliantly download data. Legacy CPaaS methods are still important, and will be for years to come. But how can they be delivered with simplicity in mind? That is one of the goals of DataMotion’s vision and strategy.

DM: Let’s look into your crystal ball. Based on your conversations and the overall themes at HIMSS, what do you see is the future for healthcare IT?

AM: Absolutely! I would be remiss if I didn’t include future views and workflows that were prevalent in conversations at HIMSS. There are “new” protocols coming to light; many of these have been in existence for quite some time, but with limited adoption. There are also new use cases coming onto the scene, as there’s an enormous push to gather any and all information about a specific patient’s care.

In addition, there are new technologies that provide endpoints to retrieve data from existing platforms. However, there is a resounding hesitation that I need to acknowledge. These newer technologies need to be weighed and vetted. It is critical that the content (a.k.a. the payload) is protected at every step. From a vision perspective, these elements are the cornerstone of our secure exchange solutions.

DM: It sounds like your first HIMSS conference was an eye-opener for you, and you learned a lot about the industry landscape and its pain points. Would you like to share any closing thoughts?

AM: The American healthcare ecosystem is begging to be optimized and digitized. There is technology in place to protect the patients, providers, and the payers; however, the industry needs to take a step back to assess the want to digitize. When they take that step back, they will find that a core segment of solutions are available to them that facilitate the secure transfer of the most sensitive data in the world.

DM: Andrew, thanks for taking the time to sit with us and share your takeaways.

AM: It’s my pleasure—I’m already looking forward to next year’s conference!

We invite you to learn more about DataMotion, our healthcare-focused solutions, and how we can keep your organization’s data secure and compliant. Visit our website or contact our team of security experts for a quick demo.

HITRUST CSF® Certification, HIMSS 2022, and More: DataMotion’s March Hot List

By Team DataMotion

Greetings, readers, and Happy Spring!

March was a busy month on the DataMotion Blog! First, in case you missed it, DataMotion secure mail and Direct Secure Messaging solutions were recently HITRUST Certified. This recognition supports DataMotion’s diligent approach to risk mitigation through security and compliance. In addition to our press release, we took a deeper dive into the HITRUST Certification and why it matters. We also concluded our Microsoft Visual Studio Code Hot Tips and Tricks series on social media, where our dev team shared some of their tips and tricks for using the platform. We’ve curated that series into a single blog post for easy reference.

A few of our team members broke out their sunglasses, sunscreen and mouse ears and traveled to Orlando in March for HIMSS22! In the lead-up to the conference, Doug Rubino and Christian Grunkemeyer shared a few thoughts on this year’s event, hot topics in healthcare interoperability, and what they looked forward to learning more about. We’re eager to share their takeaways from HIMSS in the coming weeks. The discussion around secure exchange in the healthcare ecosystem continues. We invite you to reach out to Doug or Christian to set up a meeting and learn more about how DataMotion’s suite of APIs and other solutions can help your healthcare organization:

Doug Rubino: https://meetings.hubspot.com/dougr

Christian Grunkemeyer: https://meetings.hubspot.com/christiang

And now, for your March Hot List.

What You Should Have Been Reading in the DataMotion Blog in March

Healthcare: A Digital Temperature Check from a First-Time HIMSS Attendee “The pandemic quickly accelerated digital transformation for organizations in all industries, particularly the healthcare ecosystem. COVID-19 highlighted the need for touchless, digital communications in healthcare, especially when dealing with PHI and medical records. This has ushered in a wave of process evaluation and change.”  In this post to the DataMotion Blog, Christian Grunkemeyer shared a few thoughts about attending his first HIMSS conference, the critical importance of the frictionless digitizing of healthcare records, and how DataMotion helped organizations achieve compliance with Meaningful Use Stage 2 by enabling the secure transport of clinical information over the open internet.

Connecting the Healthcare Ecosystems: Interoperability, Healthcare IT, and HIMSS 2022 “How can we improve upon the collection and aggregation of data from providers followed by the requisite analysis and reporting to be followed by the dissemination of actionable data back to the healthcare system and communities?” In Doug Rubino’s latest contribution to the DataMotion Blog, he discusses some of the challenges and opportunities around interoperability between the general and public healthcare ecosystems.

HITRUST CSF® Certification: What Is It and Why Does It Matter? “Your inbox (or LinkedIn feed, perhaps) is inundated by organizations that claim to help you keep your data safe. But you need more than claims to know if you can trust their products. One very easy and effective way to establish a trust baseline is to look for HITRUST certification on the product or solution.” You may have read our announcement last month that DataMotion’s secure mail and Direct Secure Messaging solutions are now HITRUST Certified. But what, exactly, does that mean? In this blog entry by Alex Mushkin, you’ll learn more about HITRUST Certification, the requirements involved, and why this is a label that matters.

Microsoft VS Code – Tips and Tricks Roundup “VSCode has over 14 million users worldwide and counting. According to ZDNet.com, that’s about 58% of all developers, including the developers here at DataMotion! Since VSCode is a widely used, free, and very proficient IDE, the dev team has put some tips and tricks together to help you better use the platform.” DataMotion’s dev team recently started sharing some of their tried-and-true hot tips and tricks for testing APIs on various platforms. In the latest Tip Tuesday Hot Tips and Tricks Series, the team focused on Microsoft Visual Studio Code, and we’ve curated those recommendations into an easily-referenced blog post.

Coming in April

We’re looking forward to sharing a number of items with you in April, including HIMSS takeaways and a deeper look at DataMotion’s secure message center. As always, we invite you to subscribe to the DataMotion Newsletter for industry thought leadership, insights, news, DataMotion updates, and more delivered to your inbox once a month. Finally, don’t forget to follow us on LinkedIn and Twitter for regular updates.

Thanks again for a great March. We look forward to seeing you in April!

HITRUST CSF® Certification: What Is It and Why Does It Matter?

By Alex Mushkin

Your inbox (or LinkedIn feed, perhaps) is inundated by organizations that claim to help you keep your data safe. But you need more than claims to know if you can trust their products. One very easy and effective way to establish a trust baseline is to look for HITRUST certification on the product or solution. In this article, we’ll review what HITRUST CSF is, its rigorous requirements, and why this important certification matters to you.

What is HITRUST and the HITRUST Certification?

HITRUST is a non-profit organization that was founded in 2007 by a consortium of healthcare, technology, and security organizations, with the goal to help organizations better and more easily safeguard information and manage risk. While the HITRUST Common Security Framework (CSF) was originally established to assist healthcare organizations, HITRUST now serves, and is applicable to, all industries, particularly those that work with a high volume of sensitive information. Achieving HITRUST Certification is no small feat; this certificate is considered the “gold standard” for demonstrating the seriousness and robustness of an organization’s approach to security, privacy, and compliance protection.

What Does the Framework Look Like?

The HITRUST framework is a set of controls that harmonizes over 40 standards and regulations, including HIPAA, HITECH, PCI DSS, GDPR, NIST, ISO and state-specific regulations. Each CSF control is mapped back to the requirements of those sources. The HITRUST certification mark therefore means that the assessed service or product has been verified against the CSF controls in scope for that assessment; it is a single, consolidated assessment against requirements drawn from all of those standards and regulations, not a separate certification of compliance with each of them. Among the most comprehensive frameworks available, HITRUST CSF includes 14 control categories:

0.0 Information Security Management Program

1.0 Access Control

2.0 Human Resources Security

3.0 Risk Management

4.0 Security Policy

5.0 Organization of Information Security

6.0 Compliance

7.0 Asset Management

8.0 Physical and Environmental Security

9.0 Communications and Operations Management

10.0 Information Systems Acquisition, Development and Maintenance

11.0 Information Security Incident Management

12.0 Business Continuity Management

13.0 Privacy Practices

Within each of these categories there are objectives: one or more per category, for a total of 48 across the 14 categories. Each objective in turn has one or more “references,” or requirements. How many of those requirements apply depends on how the assessment is scoped (for example, the size of the organization and the types of systems and regulations involved), so a company must implement anywhere from a minimum of 156 to well over 500 control requirements to become certified. Implementing the controls is not enough; each requirement must also be verified. A self-assessment is useful for preparation, but certification requires a validated assessment by an authorized external assessor, and each response must be backed by specific evidence demonstrating that the company not only has policies and procedures in place, but also follows them on a regular basis. HITRUST certifications are valid for two years, after which the organization must recertify. The certification process typically takes nine months to a year. Because of this rigor, a HITRUST certified service or product has demonstrated that a substantial, independently verified set of controls protects your organization’s data.

Why Look for HITRUST Certification?

Information security and privacy mechanics tend to live in the background, rather than front and center where we can easily see them. This makes it challenging to fully evaluate a product or service’s trustworthiness at first. But when that product or service is HITRUST certified, you can rest assured that a rigorous set of controls have been applied to keep your organization’s information secure and protected.

In short, it’s all about trust, and seeing the company’s credentials for yourself.

Using HITRUST-certified products and services also demonstrates to your customers and partners that you are serious about their information privacy and security. In today’s security-conscious world, customers will often switch businesses after a security breach. In fact, a 2019 study from PCI Pal shows that after a breach, 83% of customers will stop spending with a business for several months. Using a HITRUST certified product can help mitigate both the risk of a breach and of losing customer trust.

No matter what you do, there will always be security risks for your information. It’s no different than getting in the car every morning and driving to work. There’s always a risk of having an accident and sustaining an injury. But by following safety procedures and rules, such as staying alert and wearing a seatbelt, you can mitigate risk, even if you have an accident. HITRUST certified products and services – like DataMotion’s secure mail and Direct Secure Messaging platforms – do the same thing for your information. Reduce your risk by choosing a HITRUST certified service.

Read more about DataMotion’s HITRUST CSF Certification in our press release

Still have some questions on what the HITRUST CSF Certification is? Stop by our frequently asked questions.

The Deadline to Comply with ADT Event Notifications is Coming Soon, Here’s What You Need to Know

By Doug Rubino

On May 1, 2021, hospitals, including psychiatric hospitals and critical access hospitals, must comply with the Interoperability and Patient Access Final Rule’s requirement to be able to send admission, discharge, and transfer (ADT) event notifications. The requirement is a Medicare Condition of Participation, so hospitals that do not comply by that date put their Medicare and Medicaid participation, and with it their reimbursements, at risk. So, if your organization hasn’t already taken the steps to comply or you haven’t read up on this requirement, then the time to do so is now. Here are a few key things we think you should know in order to comply with the ADT event notifications requirement.

What are ADT Event Notifications?

Admission, discharge, and transfer notifications aren’t a new concept. In fact, some health information exchanges (HIEs) have been capable of sending them for years. What is new, is the requirement for hospitals to send these types of notifications. According to the Centers for Medicare & Medicaid Services (CMS), ADT notifications are “electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.”

The best way to further explain this is with a brief example. Let’s say you go to the emergency room for chest pains. Upon your admission to the ER, they’ll identify the members of your care team – such as your primary care provider (PCP) and any other specialists that you see. After identifying this information, a notification will be sent to the members of this team that would be the most concerned with your latest health status. In this scenario, that would likely consist of your primary care provider and your cardiologist. If, during the course of your care, you are transferred to a post-acute care facility or a rehabilitation center, a notification of this transfer will be sent as well. Finally, once you are discharged, another notification will be sent alerting your care team that you have been sent home so they can schedule follow-up appointments as necessary. Due to this newest CMS mandate, the hospital must have the ability to send each of these notifications. However, if they are unable to identify the members of your care team and you are unable to provide them with this information, then they are under no obligation to send an ADT event notification.

So, to put it in perhaps oversimplified terms, ADT event notifications require hospitals, psychiatric hospitals, and critical access hospitals, to notify the relevant members of your care team whenever a change in care occurs as long as they can be identified.

What needs to be included in a notification?

Healthcare organizations are busy and already inundated with enough data as it is. So, ADT notifications need to be formatted and sent in a way that is easy-to-process by systems and easy-to-consume by individuals. According to CMS, ADT notifications must “convey, at a minimum, the patient’s basic personal or demographic information, as well as the name of the sending institution (that is, the hospital), and, if not prohibited by other applicable law, the patient’s diagnosis.” Including this information makes it easy for individuals to read, understand which patient the notification corresponds to, and view an update on their most recent health status. It also provides some basic fields to assist with routing the message to the right department on the receiver’s end.

What kinds of benefits do patients receive from these notifications?

The goal of ADT notifications is to improve the quality of a patient’s care, improve post-care outcomes, and reduce hospital readmissions. This article by DirectTrust™, a key enabler of healthcare interoperability, provides an excellent, real-life example of how ADT notifications can improve patient care before, during, and after treatment. It explains how sending a notification of ER admission to the patient’s primary care provider enabled the PCP to immediately get in contact with the treating practitioner and provide necessary information about the patient’s prior health, allowing the practitioner to make more informed decisions while treating the patient.

Likewise, following the patient’s treatment, the article highlights how a discharge notification instantly alerts the PCP, so they know that it’s time to schedule a follow-up appointment. This is essential for ensuring that the patient receives the proper care following discharge and to reduce the likelihood of them being readmitted to the ER.

So, in summary, these ADT notifications are a big step forward in enabling physicians, whether or not they have treated the patient before, to make informed decisions about their care, resulting in better outcomes and fewer hospital readmissions.

Do recipients need to prepare in any way to receive ADT notifications?

Technically, there is no requirement for hospitals and other healthcare organizations to be able to receive and process these notifications. The CMS requirement simply states that hospitals need to have the ability to send a notification in order to continue receiving Medicare and Medicaid reimbursements. However, as was alluded to before, many of the benefits of ADT notifications stem from what happens after an event notification is received.

Think of the previous examples of the PCP calling the ER to provide them with a summary of the patient’s health information or the PCP following up to schedule an appointment after receiving an alert that the patient has been discharged from the hospital. Neither of these actions would have taken place if the recipient did not have an organized method of receiving and processing the notifications.

With that being said, there are a couple of ways that recipients can prepare for receiving ADT notifications, mainly related to their provider directory. DirectTrust recommends that organizations that expect to receive ADT notifications ensure that all their information in the provider directory is accurate and up to date. In addition, they should verify who in their organization should receive each type of notification in order to ensure that every notification received is routed to the right department. This will, in turn, make it easier for them to accurately address each notification in a timely manner.

How can I enable ADT notifications at my hospital?

As was mentioned previously, hospitals and other healthcare organizations have been sending ADT notifications in some form for years. So, it makes sense that most hospitals already have existing services and technologies in place that they can leverage to enable the sending of event notifications. One existing and widely used technology that can enable these notifications is Direct Secure Messaging. Direct Messaging enables the simple, secure, and compliant exchange of healthcare information between organizations. According to DirectTrust, utilizing Direct grants the shortest path to compliance with the CMS ADT Notifications.

In order to properly utilize this technology to enable ADT notifications, DirectTrust created the Event Notifications via Direct Standard™ Implementation Guide. This guide highlights sample use cases for using Direct to enable notifications as well as provides additional context and content requirements for messages and message metadata.

DataMotion is a DirectTrust accredited HISP, CA, and RA and a proud member of the DirectTrust network.

The Myths and Meaning of HIPAA
By Andy Nieto

When I was a child, the threat “just wait ‘til your father gets home” was enough to make me change my attitude. I wasn’t punished much as a child, and time with my father was far happier and more positive than not, but that phrase still resonated. For many, the meaning of the Health Insurance Portability and Accountability Act (HIPAA) is, in many ways, like that threat.

HIPAA often inspires doom, gloom, and fear. That fear can lead to unintended expectations and behaviors regarding patient information, making effective care coordination a challenge. In reality, HIPAA gives us some guidance about the protection of information, and it is a very real threat only if you ignore it. It’s not all doom and gloom.

Can vs. Can't

First, let’s look at what you can do with patient medical data under HIPAA. You can:

  • Connect
  • Share
  • Cooperate
  • Consult
  • Question
  • Exchange
  • Communicate
  • Treat

That’s a significant list and it’s all about coordination.

Now let’s compare that to what you can’t do with this same information under HIPAA. You can’t:

  • Ignore
  • Distribute
  • Expose
  • Publish

It’s easy to see how this can be confusing. The security and privacy standards defined by HIPAA, combined with the expanded responsibilities under the Omnibus Rule, have created layers of bureaucracy, and whole industries have sprung up to “explain” the meaning of it.

Stewardship

So, let’s step back for a minute and look at what HIPAA is really supposed to be about, which to me, is stewardship. Stewardship is the responsible overseeing and protection of something considered worth caring for and preserving. On the official Federal site, it says that the HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information.”

Stewardship implies a personal ownership and responsibility. The word “ethic” implies that very high personal and professional standards should be applied to the responsible management and protection of a patient’s information. It is really about taking care of the health information entrusted to you.

Perhaps the biggest shift in mindset for physicians in the last several years has been the emergence of patient health information as a valuable component of their practice, and the need to treat it accordingly. Let me use an analogy and compare money to information. As a person, you don’t carelessly give away your money or leave it lying around. You don’t share your financial account logins with strangers, and you certainly wouldn’t want your financial records released, exposed, or published. As part of our upbringing, from our initial allowance to our first job to our careers today, we have been learning about money, its value, and the steps we should take to protect it. Being good stewards of money is a role we recognize and understand. Patient health information should be viewed in the same way.

Medical records are filled with personal data, otherwise known as protected health information (PHI). Once we make the connection that information or data has value and must be treated like money, the standards for HIPAA stop being cumbersome and start being understandable.

Can and Can't Revisited

So, with good stewardship in mind, let’s go back to the “can I” or “can’t I” question and ask the following:

  • Can I connect with another person about a patient? Yes, just make sure that your method of connection is safe and that you have a valid reason for doing so.
  • Can I share a patient’s record with another provider? Absolutely, provided you take steps to ensure the information is protected.
  • Can I cooperate and consult on patients? Of course, but do so in a manner that maintains a patient’s privacy and the protection of the data.

There are a lot of myths around HIPAA, and while the “letter of the law” can be confusing at times, “the spirit” and meaning are clear. HIPAA really does not need to be confusing. Be a good steward of the information in your practice of medicine, and you’ll be a long way down the path of complying with HIPAA regulations.

HIPAA Compliance in the Age of Population Health Management
By Team DataMotion

Population health management (PHM) is the improvement of the health outcomes of a group of patients with similar characteristics. One example of a population in this context is patients suffering from the same chronic condition. The care of patients in this group may be managed similarly, often involving the same treatments, tests, procedures and other forms of care.

The treatment of chronic conditions typically involves multiple parties, from a primary care physician to multiple specialists and of course the patient. This, in turn, requires frequent communications between the parties.

Electronic health records (EHR) systems were intended to facilitate these communications but have some shortcomings, and maintaining Health Insurance Portability and Accountability Act (HIPAA) compliance is a key challenge. This article looks at how organizations can use Direct Secure Messaging to overcome the technical and regulatory challenges of a population health management communication scenario.

The Importance of HIPAA Compliance in Healthcare

HIPAA compliance is a cornerstone of healthcare operations. It’s a critical safeguard for patients’ sensitive health information. Compliance ensures that healthcare organizations maintain the confidentiality and integrity of patient data, promoting trust and accountability in the industry. In the age of population health management — where data sharing and analysis are essential for improving healthcare delivery — HIPAA compliance becomes even more vital.

Understanding the HIPAA Compliance Rule

The HIPAA compliance rule governs how healthcare organizations handle protected health information (PHI), including how PHI is collected, stored, transmitted and used. It establishes guidelines for healthcare entities to protect patient privacy and data security.

HIPAA applies to various healthcare entities, including hospitals, clinics, insurance providers and business associates. It covers healthcare professionals and organizations handling PHI, helping to secure your data. Essentially, it means doctors can share patient information with other doctors to help treat you, but they cannot share it with your neighbor.

The compliance rule mandates strict safeguards for PHI, including administrative, physical and technical measures. These safeguards are designed to prevent unauthorized access, data breaches and other security threats.

Addressing the Three Key Elements of HIPAA Compliance

To achieve HIPAA compliance, healthcare organizations must focus on three key elements:

  1. Administrative: Administrative safeguards involve establishing policies and procedures for protecting PHI. They include workforce training, risk assessments and designating a security officer responsible for compliance. Effective administrative safeguards ensure responsible data handling and HIPAA compliance.
  2. Physical: These measures relate to protecting the physical infrastructure where PHI is stored. This includes access controls, facility security plans and device encryption. With the expansion of EHR and data centers, physical safeguards are essential to prevent unauthorized PHI access.
  3. Technical: Technical safeguards focus on the technological aspects of data security. They cover measures like access controls, encryption and audit trails. Robust technical safeguards are essential for protecting PHI during transmission and storage.

Population Health Management and HIPAA Compliance

Population health management has emerged as a pivotal approach to enhancing patient outcomes and healthcare quality. While the benefits of PHM are evident, it must operate within a framework of strict data privacy and security standards outlined by HIPAA.

Decoding the Main Components of a Population Health Model

Population health models allow healthcare entities to review healthcare data for a population. With this data, they can look for healthcare needs and develop strategies for addressing them. A population health model consists of five main components:

  1. Health assessment and analysis: This component involves collecting and analyzing health data from various sources, including EHRs, claims data and patient-reported information. These insights drive healthcare strategies and interventions. In the context of HIPAA compliance, it’s critical to ensure the collection and analysis of patient data follows privacy and security standards.
  2. Care coordination and intervention: Once health status is assessed, the next step is coordinating care and implementing interventions. This involves collaborating among healthcare providers, care teams and community organizations. HIPAA compliance is critical here, as the sharing of patient information among stakeholders must be managed carefully to protect patient privacy.
  3. Outcome measurement and continuous improvement: The ultimate goal of population health management is to improve health outcomes. Regularly measuring and assessing the impact of interventions is key. This component relies on data analytics and performance measurement. Health information management professionals ensure the data is accurate, complete and accessible while following HIPAA regulations.
  4. Health promotion and disease prevention: Healthcare organizations must ensure that any communication or educational materials promoting health are HIPAA-compliant and do not disclose PHI without the patient’s consent.
  5. Social determinant of health: Organizations collecting data on socioeconomic factors for addressing social determinants of health must protect sensitive information in compliance with HIPAA.

Achieving Successful Population Health Management

With a population health model, healthcare organizations can work to achieve better results for their patients. While population health models are essential, successful PHM hinges on the following:

  • Data integration and analytics: Health management needs a comprehensive and integrated data infrastructure. This infrastructure should enable healthcare organizations to aggregate data from various sources and perform advanced analytics to identify trends and opportunities for improvement.
  • Patient communication: Engaging patients is central to success. Effective patient communication, including the exchange of health information, enables informed decision-making and patient empowerment. Under HIPAA, healthcare providers must ensure secure and compliant communication channels to protect patient privacy.
  • Community partnerships: Collaborating with community organizations, public health agencies and social services is crucial to addressing the social determinants of health. HIPAA compliance extends to these partnerships, necessitating secure data-sharing agreements and risk assessments.

Leveraging Technology for HIPAA Compliance

Technology is pivotal in ensuring patient data privacy and security in today’s digital age, but reconciling the use of technology with HIPAA compliance can be tricky without the right software. Effective, secure communication among healthcare professionals is essential for timely and accurate patient care. However, this communication must occur within HIPAA regulations to protect sensitive patient information. Secure digital exchange platforms like DataMotion Direct offer a solution by providing a HIPAA-compliant messaging platform.

Role of Secure Digital Exchange Platforms in Achieving HIPAA Compliance

The ideal solution is Direct Secure Messaging (“Direct”) from DataMotion. Direct is a secure email-like communications channel that enables providers to communicate with each other – as well as with patients and other caregivers – in a secure, HIPAA-compliant way. All messages are encrypted and require authentication to send and receive.

Importantly, Direct is an enhancement to EHRs, not a replacement. Providers can access Direct from within most popular EHRs.

On the provider side, Direct helps improve patient outcomes in a PHM environment by facilitating the exchange of patient medical records in a standardized manner. This includes formatted and unformatted data, as well as large files such as radiologic studies and diagnostic images. Direct enables better coordination of care. It also reduces errors and delays over conventional means of information exchange; for instance, delays when records are sent by courier, and mistakes due to the illegibility of handwritten notes.

On the patient side, Direct gets patients engaged in the management of their condition, which boosts outcomes. Patients can, for example, provide timely feedback on how well treatments are working, allowing providers to make adjustments accordingly without waiting for the patient to make an appointment with the provider. Patients can report new symptoms, complications or other issues to the provider immediately, thereby potentially avoiding life-threatening situations. And providers can confirm that patients have refilled prescriptions when scheduled, or remind patients of upcoming office visits or tests.

Managing healthcare is increasingly a team effort. Frequent, accurate communication between the team members – including the patient – is paramount to achieving good outcomes. Direct offers an effective enhancement to EHRs that can help care providers deliver better patient outcomes while complying fully with HIPAA rules for privacy and security.

Redefining Communication in Healthcare: The Intersection of HIPAA and Digital Collaboration

The transformation of healthcare communication through modern technology is revolutionizing how healthcare is delivered. This digital transformation enhances efficiency and aids in HIPAA compliance. DataMotion is at the forefront of this change, empowering healthcare organizations to embrace secure and compliant digital collaboration.

The importance of communication in public health is undeniable. By facilitating the secure exchange of patient data and clinical information, DataMotion contributes to better patient outcomes while ensuring the protection of their sensitive health information. As healthcare continues to evolve, the intersection of HIPAA and digital collaboration becomes increasingly important. Forward-thinking solutions like DataMotion Direct pave the way for a more connected and secure healthcare ecosystem.

Facing the Challenges of HIPAA Compliance in Large-Scale Healthcare Solutions

Large-scale solutions are pivotal for improving patient care and health outcomes. However, these innovations come with a unique set of challenges, particularly in the context of maintaining HIPAA compliance. Understanding the technical and regulatory challenges faced in PHM communication and current solutions to these challenges is instrumental in overcoming these obstacles.

The Challenge of Managing Chronic Conditions

Chronic conditions are complex to manage. They typically involve multiple syndromes, symptoms, tests and treatments. They require multiple specialists to manage effectively, as well as a high degree of patient diligence.

Diabetes is a good example. It cannot be cured, only managed for the remainder of the patient’s life. As with most complex chronic conditions, managing diabetes involves regular visits with specialists to ensure that things don’t get worse. Managing a patient’s glucose level is always the short-term concern, but left unmanaged, diabetes can result in catastrophic outcomes such as the loss of a patient’s feet or eyes, or kidney or heart damage.

In addition to the patient’s primary care physician, medical professionals involved in the management of diabetes could include nurse educators, endocrinologists, ophthalmologists, cardiologists, dietitians, podiatrists, exercise physiologists, dentists and others. The coordination of care between so many providers — and with the patient — is essential.

Addressing Technical and Regulatory Challenges in Population Health Management Communication

Part of the promise of EHR systems was that they would facilitate the level of information exchange between healthcare providers that is necessary for coordinating the care of patients. To do that, the HL7 data standard emerged to ensure that the hundreds of EHR products in the market could “talk to” each other. Unfortunately, different EHR vendors interpret the HL7 standard differently, resulting in incompatible data formats. This, in turn, causes missing or inaccurate patient records.

In addition, some EHR vendors employ a proprietary data format that effectively blocks information exchange with EHRs from other vendors. And, some vendors charge providers to enable their systems to interoperate with others.

These constraints make it harder to manage patient care across providers, rendering the ultimate goal of PHM, better patient outcomes, harder to reach. The alternatives for information exchange (provider-to-provider email, postal mail or fax) can result in HIPAA violations and are slow and unreliable.

Another challenge is that EHRs were designed to facilitate provider-to-provider care. But for PHM, the patient plays a pivotal role in achieving good outcomes. So, too, can family members or other caregivers, such as home health agencies, that might not have access to an EHR.

HIPAA compliance in the context of PHM introduces specific challenges that healthcare organizations must address to effectively manage patient data. Here are key challenges related to HIPAA compliance in PHM:

  • Data aggregation and integrations: Clear communication and effective consent management are crucial for obtaining patient consent for data sharing and engagement in population health programs while following HIPAA guidelines.
  • Consent and patient engagement: Obtaining patient consent for data sharing and engagement in population health programs, while complying with HIPAA, requires clear communication and consent management strategies.
  • De-identification and anonymization: It is crucial to de-identify or anonymize patient information before aggregating and analyzing data for population health to protect privacy.
  • Data sharing for research: Collaborative PHM research often requires complying with HIPAA regulations for data sharing and patient consent, adding complexity.

Electronic communication is by far the easiest, most efficient, most reliable and most accountable means of communication between providers and patients. But standard email isn’t a viable option under HIPAA because the identity of the recipient — the reader of the email — cannot be validated. And, regular email is no more secure than sending a postcard with sensitive patient information written on it for all to see, which again presents HIPAA compliance issues. Moreover, regular email lacks documentation and audit trails that all parties involved in the patient’s care can access.

How DataMotion Can Help with These Challenges

Direct offers a secure messaging solution for these challenges. It provides a safe and compliant platform for healthcare professionals to exchange sensitive patient information, ensuring data is protected throughout communication. Using encryption and access controls, Direct helps healthcare organizations share patient data securely while meeting HIPAA requirements. With Direct supporting care coordination, patients can receive better care without information falling through the gaps between healthcare organizations.

HIPAA Compliance and the Nationwide Exchange of Clinical Endpoints

The value of Direct Secure Messaging in large-scale healthcare solutions cannot be overstated. Efficient and secure communication among healthcare providers and organizations is the backbone of effective PHM. DataMotion Direct excels by offering a nationwide exchange network with access to over 2.5 million clinical endpoints.

This extensive network facilitates the secure exchange of clinical information across geographic regions and diverse healthcare entities. Whether it’s sharing patient records, test results or treatment plans, DataMotion Direct ensures sensitive data remains confidential and HIPAA compliant throughout its journey.

Choose DataMotion to Secure Your Healthcare Communication

Large-scale healthcare solutions are transforming how we deliver and manage healthcare. However, with these innovations come significant challenges related to HIPAA compliance and secure communication. DataMotion Direct is a reliable solution, enabling your organization to navigate these challenges effectively.

DataMotion is an accredited Health Information Service Provider (HISP), provisioning Direct services that are fully interoperable with other HISPs. Secure data delivery has been the core of DataMotion’s business since 1999, ensuring your ability to meet HIPAA compliance and Meaningful Use requirements.

By providing secure messaging capabilities and a nationwide network of clinical endpoints, we empower healthcare providers to deliver better patient care while safeguarding the privacy of patient data. If you’re interested in partnering with DataMotion or you want to learn more about our services, contact us online today!

Updated November 1, 2023

Where is Your Personal Health Record?
By Team DataMotion

As the United States healthcare industry continues its journey to digital/electronic health records that can be easily exchanged as patients move between care settings, practical questions abound:

  • Who owns your electronic health records?
  • Where are your health records?
  • How can they be consolidated?
  • Where should they be stored?
  • Who should have access?
  • How can they be shared?

Legally, each individual ‘owns’ their personal health data and records, but very few of us have actual ‘control’ over them, at least from a storage, curation and management standpoint. An individual’s ‘longitudinal record’ (a comprehensive collection of well-care records, like annual physicals and labs, and episodic care records, like diagnosis and treatment for illness or injury) is not typically in one place.

The benefits of personal health records include easier health information access and a secure place to store all of one’s healthcare data.

What Is a Personal Health Record (PHR)?

PHRs are essential to modern healthcare, empowering individuals to manage their own health information and play a more active role in their healthcare. At their core, PHRs are digital archives that comprehensively record a person’s medical history, treatment plans, medications, allergies, and more. Unlike electronic health records (EHRs), which are under the control of healthcare providers, PHRs are created and maintained by patients, allowing them to take charge of their health data.

As the healthcare landscape embraces digital transformation, PHRs have become a valuable tool for promoting patient-centered care. However, they also raise important questions about data security, interoperability, and privacy.

Types of Personal Health Records

PHRs come in two main types, catering to different needs and preferences:

  • Tethered PHRs: These are often linked or “tethered” to a specific healthcare institution or provider’s EHR system. Patients can access their medical information from that particular provider or network. Tethered PHRs ensure data accuracy and direct integration with a healthcare system, but they may limit access to a patient’s complete health history.
  • Standalone PHRs: Standalone PHRs are independent of any healthcare institution or EHR system. Patients create and manage their records, adding information like medical history, prescriptions, and test results themselves. These offer greater health data portability and control but require more active patient involvement in keeping them updated.

Managing PHRs Across Healthcare Providers

Managing personal health records across multiple providers is crucial for comprehensive and coordinated healthcare. Here are the main considerations for working across providers:

  • Interoperability: Interoperability between PHRs and EHRs is crucial for seamless healthcare data exchange and improved patient care. Standards like Health Level 7 (HL7) and Fast Healthcare Interoperability Resources (FHIR) promote a standardized, secure way of exchanging data between PHRs and EHRs. Some PHR platforms offer integration with multiple EHR systems.
  • Consolidation: Consider digitizing your paper health records by scanning or taking clear photos to create electronic versions. Organize the digital records from your multiple providers into your chosen PHR platform.
  • Permissions and security: PHR users must carefully manage access permissions. Sharing specific data with relevant providers ensures they have the necessary information while safeguarding sensitive details.
  • Data accuracy: Regularly updating PHRs to reflect recent diagnoses, medications and test results delivers the most accurate information. This helps healthcare providers make informed decisions.
  • Emergency access: Make sure your emergency contact information is up-to-date and configure it to allow healthcare providers to access critical information in case of an emergency.
  • Mobile apps: Many PHR platforms offer mobile apps, making accessing and managing records on the go convenient.
  • Back up your data: Regularly back up your PHR data using secured means to prevent data loss. Store backups securely, and consider using a trusted cloud storage service for redundancy.

Security and Privacy Concerns

Security and privacy are paramount when it comes to PHRs due to the sensitivity of the data they contain. Failure to secure patient information can lead to fines and violations, affecting patient trust and the organization’s reputation. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the standards for protecting and sharing patient information to ensure effective and private healthcare.

Here are some of the main privacy and security concerns you should be aware of:

  1. Data breaches: PHRs are attractive targets for cybercriminals. A breach can expose personal health information, leading to identity theft, insurance fraud or blackmail. Robust encryption and authentication protocols are essential to protect against unauthorized access.
  2. Unauthorized access: Unauthorized individuals gaining access to a person’s PHR can lead to privacy violations and misuse of health information. Strong access controls and multi-factor authentication can help prevent this.
  3. Data ownership: Determining who owns and controls PHR data can be complex. Patients typically own their health data, but healthcare providers may have legal responsibilities. Clarifying ownership and access rights is crucial.
  4. Interoperability risks: Sharing PHRs across different healthcare providers raises interoperability challenges. Data may be exposed to more entities, increasing the risk of unauthorized access if not properly secured during transfer.
  5. Consent management: Patients should have granular control over who can access their PHR data. Effective consent management systems are necessary to ensure data is only shared with authorized parties.
  6. Data retention and deletion: PHRs should allow for data retention policies and easy deletion of outdated materials to maintain data accuracy and reduce privacy risks.
  7. Trust in PHR providers: Trustworthy PHR providers should adhere to strict security standards and privacy regulations, providing transparent policies and regular security audits.
  8. Regulatory compliance: PHRs must comply with healthcare data privacy laws like HIPAA or the General Data Protection Regulation (GDPR), adding another layer of responsibility for security and privacy.

Legal and Ethical Considerations

Developing and using PHRs means accounting for all the legal and ethical considerations involved. These systems deal with personal health information, making it essential for PHRs to protect users and hosts from breaches and violations. Here are some of the critical considerations for PHRs:

  1. Privacy laws: All PHRs must comply with the relevant HIPAA or GDPR laws or face fines and other ramifications. These laws mandate strict controls on how health information is stored, collected, and shared.
  2. Informed consent: Ethical use of PHRs requires informed consent from individuals before collecting or sharing their health data. This includes clearly explaining how that data will be used and who will have access.
  3. Security measures: Implementing strong security measures is both a legal and ethical obligation. Protecting health data from breaches and unauthorized access is essential.
  4. Minimizing bias: PHR developers and users must be cautious about introducing bias into the data. Biased data can lead to unequal healthcare outcomes, which raises ethical concerns.
  5. Accessibility: PHRs should be designed to accommodate individuals with disabilities, ensuring equitable access to healthcare information.
  6. Ethical data use: PHRs should not be exploited for commercial gain or used unethically, such as in discriminatory practices.

The Future of Personal Health Records

The PHR model is a grassroots approach and needs a boost from a major cloud services player to get it going. There needs to be significant support to get these apps adopted and the data flowing from clinical repositories into PHRs at a population scale. Then, the patient control and resulting consumerization of healthcare can drive more value from clinical service providers. With the 21st Century Cures Act giving patients the right to access all electronically protected health information in their records, steps are being made towards a patient-focused, accessible PHR approach.

PHRs might take the form of individual responsibility — the patient collects, maintains, and curates their own EHRs using a cloud service and application. These personal health record apps and systems give patients lots of control over their records and ease of access. Showing up in a clinical setting with all your health information accessible from your iPhone is the type of immediacy and control digital natives expect.

In the absence of a major cloud service initiative, medical associations representing chronic conditions or cancers can build critical mass among their patients. Suppose the American Cancer Society or the American Diabetes Association offered an app with a PHR function. In that case, they could build a base of users that would not only control their health records as they moved through their care plans and clinical settings, but they could also provide population health data for research and candidates for clinical trials – perhaps as easily as an opt-in offer.

One way or another, the push for more data to be accessible to patients and their caregivers programmatically will continue, and the demand for clinical information exchange technologies and services that are interoperable and cost-efficient will expand rapidly as well.

Discover the Power of Secure Healthcare Communication with DataMotion

In an increasingly interconnected healthcare landscape, secure communication is essential. DataMotion offers cutting-edge Direct Secure Messaging solutions that revolutionize how healthcare professionals exchange critical patient information. With DataMotion’s advanced and secure healthcare solutions, you can enhance patient care, streamline workflows and ensure compliance with stringent policy regulations.

Contact us online to explore our patient-forward PHR solutions today.

Updated November 1, 2023

Adding a Secure Message Center to Self-Service Portals and Apps

By Christian Grunkemeyer

Self-service started long ago with things like the self-service gas pump (1947) and the automated teller machine (1967), primarily for economic reasons. Self-service often helps to reduce the cost of doing business, and digital self-service is available 24×7. But ever since the introduction of online banking and online brokerage services, the idea of “self-service” has become increasingly important, particularly in financial services. Account holders want online access to view a balance, initiate payment transactions, buy investments or check credit account charges from portals and smartphone apps: a perfect self-service arrangement, convenient and efficient for both the consumer and the business. But every self-service process can reach its limit, and then customers want an equally effective communication channel to get help. That’s where a secure message center becomes the key link between efficient self-service and efficient customer service.

Figure: how secure message centers work with internal users and external clients

What is a secure message center?

A secure message center adds web-mail, web-form or web-chat services natively to financial services self-service customer portals or apps so that clients can easily ask questions about their account and even share supporting files or images (receipts for a credit charge dispute, a tax return as part of a loan application process). Client messages and files are routed to responsible employees (account teams, support personnel, or contact center agents) for a response. Case numbers may be assigned for tracking in ticketing systems, and response notifications are sent via email or SMS text channels to notify customers of a waiting reply. For security and regulatory compliance reasons, the message content (and any uploaded file or image attachments) must be encrypted, and detailed logging and tracking reports must provide the history and proof needed for compliance audits.

How is a secure message center enabled?

Enabling an efficient secure message center requires an assessment of the workflows end-to-end. What type of inquiries are expected? Can they be categorized for efficient routing? What is the log-on process to use it? How should the secure message center look? What type of message features does it need? What type of file attachments do customers need to upload and share? Which employees need to respond to messages? What type of applications and user interfaces will the employees use to receive messages? There’s a litany of questions that will drive the design and requirements for the secure message center, all centered around making the communications workflow as seamless and efficient as possible.

Figure: Secure Message Center architecture (infographic of DataMotion's SDX Platform)

How should customers access a secure message center?

Secure message centers have evolved from traditional email encryption services, which provide similar security and tracking features, but generally force users to create a separate login on a separate web-portal to send or receive secure messages. By contrast, an integrated secure message center shares a financial services portal login (via SSO techniques) at a minimum, and at best – blends seamlessly into the service portal’s user interface. Taken a step further – corresponding mobile apps can be offered as an alternative to web portal access and the secure message center features and functions are replicated in the mobile app as well. Under the hood – this requires a secure messaging service that supports SSO services and exposes web service APIs for the secure messaging service functions, management and provisioning. This simplifies the addition of secure message center features in financial services self-service portals and mobile apps.

How do employees access the secure message center?

For account management and lower volume, or ‘un-categorized’ inquiries, an email client such as Outlook may be most suitable. For high volume contact center workflows, employees will often use a CRM like Salesforce Service Cloud to manage the customer database and to automate and track customer interactions for support and retention, even for marketing and sales touchpoints. So, the secure message center must integrate with the backend applications and UIs that your employees use, while maintaining end-to-end message security and verifiable compliance with security policy and privacy regulations, always ‘must have’ table stakes of a secure message center design for financial services firms.

The benefits to digitally integrating and transforming your self-service customer portal

By updating your self-service customer portal and mobile apps with a secure message center, you can transform the way you and your customers/clients work together. Your customer feels enabled to easily do business with you. Your response and outreach are more complete and efficient. And, your business can often reduce costs. A win-win for everyone. This solution is a notch on the belt of “digital transformation” and how to improve the interaction between clients and your customer teams that respond to their needs.

Want to learn more about how to secure workflows in self-service customer portals? Visit us at the DataMotion Developer’s Center or the financial services solutions page, or Contact Us for a consultation.

Achieve Office 365 CJIS Compliance

By Christian Grunkemeyer

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite as yielding better collaboration, increased productivity and a reduced cost of ownership. Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services including Azure Government, Office 365 Government, and Dynamics CRM Online Government, an impressive figure. However, some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies are subject to CJIS security rules that restrict their ability to use O365 to exchange CJIS information, or CJI for short, and must achieve Office 365 CJIS compliance. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter. Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum, the most recent being with Missouri (February 2017). States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services. For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8 Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1 Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2 Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1 Digital Media during Transport

Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on-premises secure Exchange server to O365, emails containing CJI must be protected, and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud has already received the unencrypted data. For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third-party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues. Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To meet this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in and routed, still encrypted, through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way O365 can be adopted while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.

Office 365 is a great tool and can offer state and local agencies many benefits, and with proper implementation it can meet the stringent requirements for CJIS security.

Salesforce Service Cloud and HIPAA Compliance

By Team DataMotion

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards. Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you connect Shield as an add-on HIPAA compliance tool, you get monitoring, encryption, and auditing functionality for your Salesforce instance. But that is only part of the compliance story, because it covers the data only while it resides within the Salesforce data storage ecosystem: the data at rest.

HIPAA also applies to data in motion. Simply stated: data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.

So let’s take a look at your scenario: suppose you’re a customer service account representative using Service Cloud to view a new support ticket. A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer, and he wants to know if his insurance covers the new tests. The customer’s contact information plus a medical condition equals Protected Health Information (PHI), which must be handled according to HIPAA guidelines.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above). But when you reply to that ticket, the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or another messaging format. It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible for encrypting the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce and Salesforce Marketing Cloud, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI. Our solution also adds event monitoring, logging, and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!

Summary

Yes, the Salesforce Platform can be made HIPAA compliant. But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility to encrypt that data. Your company needs to ensure those messages are encrypted between Salesforce, or any customer relationship management platform, and your customers. If not, you’re subject to fines, penalties, data breaches, and loss of reputation.
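The two points made on this page, the Service Cloud reply that carries the PHI-bearing thread out to the Internet and the CJIS article's rule that a message must be encrypted before it ever reaches the cloud mail service, in one added example (constructed here, not DataMotion's, Salesforce's or Microsoft's code): a keyword policy decides whether the outgoing reply contains PHI, and when it does the message is sealed on the sending side so the relay only ever handles ciphertext. The PHI lexicon, the sample ticket thread and the HMAC-based stand-in cipher are assumptions; a production system would use a vetted AEAD such as AES-GCM and a maintained DLP ruleset.

```python
# Added example (constructed): policy-gated encryption of a ticket reply before
# it reaches a cloud mail relay. The PHI lexicon, sample thread and HMAC-based
# stand-in cipher are assumptions; use a vetted AEAD such as AES-GCM in practice.
import hashlib
import hmac
import os
import re

# Constructed policy: PHI needs a health fact plus something identifying the
# person (here a phone number or e-mail address), as in the ticket scenario.
PHI_TERMS = ("cancer", "diagnosis", "biopsy", "prescription", "hiv")
IDENTIFIER_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b|[\w.+-]+@[\w-]+\.[\w.]+")

def needs_encryption(reply_body: str, quoted_thread: str) -> bool:
    """The quoted thread is scanned as well: a ticket reply normally carries
    the customer's original text, so the PHI travels with the reply."""
    text = f"{reply_body}\n{quoted_thread}".lower()
    has_condition = any(term in text for term in PHI_TERMS)
    return has_condition and IDENTIFIER_RE.search(text) is not None

def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; anything altered in transit is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def send_reply(key: bytes, reply_body: str, quoted_thread: str, relay_log: list) -> bytes:
    """Encrypt on the sending side when policy requires it, then hand the message
    to the relay. relay_log records exactly what the cloud relay gets to see."""
    message = f"{reply_body}\n\n> {quoted_thread}".encode()
    wire = seal(key, message) if needs_encryption(reply_body, quoted_thread) else message
    relay_log.append(wire)
    return wire
```

The relay log is the check a practitioner wants: with server-side encryption the relay would have logged the plaintext thread, with sending-side sealing it never does.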

Updated April 12, 2023
