There’s little doubt that team collaboration tools like Slack and Microsoft Teams can streamline and simplify communication in a healthcare environment. With the ability to share files, have direct conversations, and even create dedicated channels for individual patients, these tools offer an easy way for different departments to share crucial information.
As Slack states on its website, a team collaboration tool can greatly improve productivity around diagnostics and procedures:
Say a patient with a history of cardiovascular issues meets with his doctor about symptoms that have recently become more severe. During the first visit, a Slack channel is created and assigned to the patient. It is determined that the patient will need several more diagnostic tests, including an echocardiogram and an electrocardiogram.
Once the tests are completed by technicians, the cardiologist reviews the results in Slack. The cardiologist has some clarifying questions for the technicians before meeting with the patient. So, she messages the technicians in the patient’s Slack channel to get the answers needed to move forward before meeting with her patient.
In short, team collaboration tools can offer quicker responses to case-related questions and strengthened collaboration between departments. It can also simplify hand-off of patient information from one department to another, and allow employees to find all relevant patient information in one central location. Integration with workforce management solutions, meanwhile, lets teams streamline shift scheduling and instantly see who is on duty— and should they need to communicate, they can seamlessly switch between chat, audio, and video calls.
HIPAA and the Risks of Team Collaboration
But as with all new technologies, there are certain challenges and risks—especially when an organization is dealing with sensitive personal health information (PHI) and stringent regulations like the Health Insurance Portability and Accountability Act (HIPAA).
There is no doubt that a team collaboration tool can facilitate some of the most common activities that lead to HIPAA violations. According to HIPAA Journal, the following are some of the most common reasons organizations receive HIPAA fines:
- Snooping on healthcare records
- Failing to perform organization-wide risk analysis
- Failing to effectively manage security risks
- Insufficient electronic-PHI (ePHI) access controls
- Failing to use encryption to safeguard ePHI on portable devices
- Improper disposal of PHI
- Removing PHI from a healthcare facility
- Leaving portable electronic devices and paperwork unattended
- Downloading PHI onto unauthorized devices
- Providing unauthorized access to medical records
Based on the above, it’s easy to see how a HIPAA violation can occur if an employee accesses a collaboration tool on their own mobile device or accidentally shares PHI on a public channel/group.
That said, the benefits of these tools are too substantial to ignore. And if implemented correctly, these platforms can even present fewer risks and complications than many other collaboration solutions. Most significantly, implementing Slack or Teams in a HIPAA-compliant way can actually be easier than making your organization’s use of email compliant.
HIPAA and Email
As HIPAA Journal states:
“HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant.”
HIPAA compliance requires that organizations enact access, audit, and integrity controls, as well as robust ID authentication and data transmission security to ensure PHI access is restricted and to closely monitor PHI-related communication. Organizations also need to maintain the integrity of PHI-data, both during transit and at rest , and they need to ensure complete message accountability. Finally, all emails need to be archived for a period of six years.
Practically speaking, this is difficult to do. While solutions exist to provide capabilities like end-to-end email encryption and granular access controls, the constant monitoring of email communication is harder to do. Similarly, keeping full audit logs that provide 100% message accountability and help identify the modification of PHI isn’t easy to implement. Then there is the six-year retention period to consider. Hundreds of thousands of stored emails (with large attachments) can take up valuable storage space and force organizations to resort to encrypted email archiving for PHI.
And should an organization fail to do all of this effectively, the penalties can be severe. A single act of “willful neglect” that was not corrected or addressed can result in a fine of $1.5 million.
The Shift to Team Collaboration Platforms
Because of the risks and challenges that come with email use, many organizations have turned to secure messaging tools aimed specifically at the healthcare sector. These are essentially text messaging apps, but more sophisticated versions exist that can be used on both desktop computers and mobile devices, and even offer audio and video conferencing.
But as secure and compliant as the abovementioned messaging apps are, the reality is that they often lack the features, user experience, and integrations that make modern platforms like Slack and Microsoft Teams so attractive.
For this reason, organizations are shifting towards these more mainstream platforms—but in industries like healthcare and financial services the change can feel daunting. In addition to clearing the high security bar that HIPAA sets, organizations also need to meet the needs of legal and compliance teams.
For example, the compliance team needs to monitor and manage the team collaboration tool to ensure that use is compliant with regulations, while also having access to accurate records that prove compliance after the fact.
The legal team, meanwhile, needs easy access to team collaboration records for use during litigation—both for external matters and internal employee matters. But finding, collecting, and exporting these records can be difficult when you’re dealing with a platform where hundreds (or even thousands) of messages are being created every single day.
5 Steps to Successful Implementation of a Team Collaboration Tool
In order to meet security, compliance, and legal needs, organizations should follow the steps below when implementing a team collaboration tool:
1. Deploy a Secure & Compliant Tool
It’s important to ensure that the tool you settle on actually complies with HIPAA regulations. Every well-known tool touts its security features and advanced user management, but that’s not enough to keep you on the right side of the rules. Look for a tool that explicitly states that it supports HIPAA compliance.
Both Slack and Microsoft Teams are HIPAA compliant, although the way they are implemented and configured, as well as the versions being used, are important. Slack, for instance, only supports HIPAA compliance if you’re using Enterprise Grid—the lower-tier versions do not have the necessary security features.
2. Monitor the Platform
As with email, constant monitoring of communication is a requirement for HIPAA compliance. So, when implementing a collaboration platform, an organization also needs to deploy a monitoring tool to help prevent the unauthorized sharing of PHI.
Slack states that, “you are responsible for using Slack APIs to implement tools and processes for monitoring your members’ use of Slack. You will need to use Slack’s Discovery APIs, and we recommend setting up an external Data Loss Prevention (DLP) provider to enforce message and file restrictions and exports.”
Modern data loss prevention (DLP) solutions, like those offered by Pagefreezer, can help companies keep a close eye on exactly what is being said or shared. For example, with a monitoring solution in place, if an employee shares a piece of PHI, like a health insurance number on a public channel where it shouldn’t be shared, a platform administrator would immediately receive a notification to let them know this has happened.
3. Archive Content Relevant to Regulations
Healthcare organizations should be archiving all team collaboration content. Not only is this necessary to comply with the retention requirements of HIPAA (just like with email), but it also forms part of the comprehensive monitoring of the collaboration platform.
Modern archiving solutions are able to provide a complete and accurate record of all platform communications, including edited content and deleted messages. So, even if data changes on the live platform, the archive will still have all of the original content. This means that there can be no disagreements about what was said, shared, or authorized—every version of every message is retained.
4. Facilitate eDiscovery and Litigation
Another crucial reason why organizations should be archiving team collaboration data is that it greatly streamlines eDiscovery. Online data from collaboration tools are increasingly relevant to legal matters, which means it’s crucial that legal teams are able to gain access to data.
But given how much data is being generated within a collaboration workspace every single day, it can offer challenges when organizations try to incorporate collaboration content into existing eDiscovery workflows. Platforms like Slack and Microsoft Teams require a new approach to eDiscovery.
In order to be able to deal with this data effectively, legal teams need to:
- Have easy access to the platform: Legal teams need to be able to access Slack records without the involvement of IT or any other department. If they have to depend on IT backups to access Slack records, the process will simply be too complex and time-consuming.
- See edited and deleted content: A particularly incriminating piece of content is likely to be edited or deleted by the user before the legal department has time to collect and preserve it, which means they should have some way of not only viewing content that is currently live on the platform, but also view data that has since been edited or deleted.
- Quickly search the platform: If relying on simple archives and backups, legal teams will struggle to find the particular content they’re looking for. Instead, they need to be able to quickly and accurately search for users, channels, and keywords that are relevant to the legal matter they’re dealing with.
- Export evidence in defensible format: Once relevant content has been found, it needs to be exported in a defensible format that proves the authenticity of the record. In many instances, legal teams will also want to export Slack data in a format that can be ingested by an eDiscovery platform like Relativity, Exterro, or ZDiscovery.
To help legal and compliance teams gain access to sensitive yet crucial data—like private channels and direct conversations—a tool like Slack does provide data exports, but these are JSON files that lack context and are difficult to work with. A better alternative is to make use of a tool that has access to a collaboration platform’s discovery APIs.
5. Manage Record Retention Schedules and Legal Hold
Companies typically do not want to hold on to data any longer than is required by retention regulations, which in the case of HIPAA is six years. Once a retention period runs out, stored data can become little more than a liability, so disposing of it quickly and effectively is important. With this in mind, organizations need to find a way of deleting records as soon as they are no longer needed. Manual deletion can be time-consuming and error-prone, so an automated solution is best.
At the same time, it’s important that legal teams are able to place data on legal hold to ensure that crucial evidence isn’t deleted during regular retention scheduling.
The above is a condensed version of our white paper, How to Mitigate the Legal & Compliance Risks of Team Collaboration Tools in Healthcare. For more detail, including 8 crucial questions every healthcare company should ask when implementing a team collaboration tool, download the full paper below.