Secure or HIPAA Compliant - What's the Difference?

Clinical messaging platforms as an increasingly important healthcare communication resource. Information and communication technologies at Organ Procurement Organizations and Transplant Centers must satisfy various regulatory requirements due to the sensitive nature of the information. Gone are the days where organ transplants could be coordinated through diverse and fragmented communication avenues; emails, faxes, phone calls, text messages, health records, etc. Scaling these processes to meet the demand for organ transplants results in a need for scalable methods for real-time information sharing and coordination.

Organizations using protected health information (PHI) or personally identifiable information (PII) are required to comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. Alignment with HIPAA needs to address these critical areas:

1. Technical - data encryption at rest and during transmission.

2. Administrative - explicit protocols and processes for disaster recovery, data access privileges.

3. Physical - environment requirements for dedicated servers, locations must be backed up regularly in separate geographic areas, and multi-factor authentication procedures for all employees.

Nearly all modern information technologies (WhatsApp, iMessage, etc.) have addressed most Technical areas with end-to-end encryption in transit and during storage to prevent eavesdropping from third-parties. However, these technologies do NOT comply with the Administrative or Physical safeguards required by HIPAA. A report from the Health Care Compliance Association showed that hospitals had received direct feedback from CMS saying that texting was not permitted - see more from the article by

OPOs handle PHI and PII routinely in order to evaluate potential donation events and coordinate organ and tissue recovery. Proper security and regulatory alignment must be exercised with patient information, referral information, potential donor information, serologies, past medical history, etc. Every OPO needs a HIPAA compliant information sharing mechanism for communication internally and among all covered entity partners, e.g., transplant centers and donor hospitals.

Many HIPAA compliant vendors will also follow more strict security rules from HITRUST or ISO 27001 or NIST.

Recent Posts