Online Collaboration Platforms Create HIPAA Exposures
Business communications are rapidly and dramatically moving from email to various collaboration platforms like Slack, Workplace by Meta, and Microsoft Teams, notes Brian Mannion, chief legal and data protection officer at Aware, a company in Columbus, OH, that provides technology to identify and reduce risk.
“These platforms are in heavy use by employees to complete their day-to-day activities, using more complex formats such as chats and channel conversations that can be either public to many employees or private to just one,” Mannion says. “It is naïve to think employees are not creating PHI [protected health information] on these platforms.”
Typically, HIPAA compliance is geared toward employees complying with appropriate use policies, as well as cybersecurity and compliance tactics that monitor for sensitive data and take immediate action to mitigate threats, accidental exposure, and malicious sharing. It is important to acknowledge that these controls need to be applied to online collaboration platforms.
PHI can easily end up stored as part of collaboration data — a relatively new data set that is uniquely different from other electronic channels because of its fragmented and nuanced nature.
“Business communications on these platforms between employees doing their jobs will include some amount of PHI hidden within this massive unstructured data,” Mannion says. “Healthcare companies have written policies helping employees understand the type of data that should be entered into collaboration platforms, but the reality is employees use the tools provided to get their jobs done as efficiently as possible — which often results in the need to secure the tool in compliance with HIPAA or to implement controls to identify the data and move it off of the collaboration platforms.”
Collaboration data are different from other electronic communications data, Mannion says. Compared to email, this type of conversational data is nuanced and unstructured, creating not only a new data set but a new set of data governance challenges.
“Unlike linear email chains, these new channels fragment conversations and split them into public and private forums. Acronyms, GIFs, and emojis replace labeled attachments and result in a chaos with audio, image, and video files,” Mannion says. “Given the way employees use the platforms, standard email governance and security policies don’t hold up, and can easily result in losing valuable PHI. Not only that, but it creates even more confusion around compliance in the workplace.”
SOURCE
- Brian Mannion, Chief Legal and Data Protection Officer, Aware, Columbus, OH. Phone: (844) 433-3326.