TITLE: Confusion in Text Messaging, Encryption, and HIPAA
A therapist colleague of mine contacted Ring Central (a video and
telephone platform that provides HIPAA BAA subcontractor paperwork upon
request) with questions about their messaging capabilities and
encryption. They were looking for a compliant way to text message with
clients. The support staff directed them to this article:
At first glance, the article would seem to make messaging with clients
golden as a good level of encryption is described and the therapist has
a HIPAA BAA with Ring Central. Right?
Wrong.
A few different topics are getting confused here -- smart phone SMS text
messaging, messaging within Ring Central apps and websites, and HIPAA
BAA subcontractor agreements.
With SMS text messaging by phone it will never be HIPAA compliant (even
if the therapist sends it from within Ring Central) because the client
will get the SMS text message unencrypted on their smartphone.
Messaging within the Ring Central apps and website IS at an excellent
level of encryption -- but won't be covered by the therapist's HIPAA BAA
agreement unless the people messaged are also part of the therapist's
company account or are other therapists with their own Ring Central
accounts with HIPAA BAA subcontractor agreements. This will rarely if
ever cover therapy clients.
This gets confusing. So -- for example -- when I go into my Ring
Central account online and click on "Message" I'm invited to email a
messaging link to anyone I choose. So far so good. But when that
person (like a client for example) goes to that messaging link, Ring
Central REQUIRES them to sign up for their own FREE Ring Central
account. That FREE account WILL NOT be covered by a HIPAA BAA
agreement. So the messages sent to them (inside a Ring Central app or
website) will be encrypted but not HIPAA compliant.
Similar problem with Ring Central video conferencing. As long as the
client DOES NOT sign in with their own free account -- and instead goes
to my anonymous video link -- it will be covered under my BAA agreement
with Ring Central. However, Ring Central invites clients to sign up for
their own FREE account in order to video conference with me. If the
client makes that mistake, then its no longer a HIPAA compliant video
conference session because only one of our two Ring Central accounts is
covered by BAA.
I sometimes wonder why this all is left in such a confusing state?
Of course, I'm not a lawyer, so do your own research too.
*
Michael Reeder, LCPC
* Hygeia Counseling Services : Baltimore / Mt. Washington Village location
I've said several times that the Signal messaging app may not be HIPAA compliant.
I was likely wrong.
From another thread (thank you Siderea): "You don't need a BAA from Signal to be in compliance with HIPAA. Signal is one of the very few platforms that meets the carrier standard not to need one, because they have no access to the contents of messages sent through them."
Person Centered Tech says it best (above), but some factors include:
a) The need to keep copies of all communications in the client's chart. So you have to get messages out of Signal and into your chart. You also have to convince clients not to set their messages to self-destruct or you need to retrieve them before that happens! Signal messages (as of 2016) were not backed up automatically when your phone is backed-up. Lose your phone -- lose your messages.
b) You may need client phone numbers stored in your phone. Do you store them not under their names (initials maybe)? Do you need a BAA agreement with the vendor that backs-up your phone directory?
c) You may need to keep Signal from displaying client names on screen whenever you get a new pop-up alert of a new Signal message.
#Russia#Surveillance#War#Ukraine#FSB#SocialMedia#Messaging: "To aid an internal crackdown, Russian authorities had amassed an arsenal of technologies to track the online lives of citizens. After it invaded Ukraine, its demand grew for more surveillance tools. That helped stoke a cottage industry of tech contractors, which built products that have become a powerful — and novel — means of digital surveillance.
The technologies have given the police and Russia’s Federal Security Service, better known as the F.S.B., access to a buffet of snooping capabilities focused on the day-to-day use of phones and websites. The tools offer ways to track certain kinds of activity on encrypted apps like WhatsApp and Signal, monitor the locations of phones, identify anonymous social media users and break into people’s accounts, according to documents from Russian surveillance providers obtained by The New York Times, as well as security experts, digital activists and a person involved with the country’s digital surveillance operations."
Krypto-Messenger: 740 Millionen Euro nach Encrochat-Hack beschlagnahmt
Ermittler haben nach dem Knacken von Encrochat rund 115 Millionen "kriminelle Unterredungen" von gut 60.000 Nutzern analysiert und 6558 Verdächtige verhaftet.
Donnerstag: Googles Büro-PCs ohne Internet, Netflix wieder mit Nutzerzuwachs
Internetkonzern ohne Internet-PCs + Netflix im Plus + BSI mit mehr Rechten + Lücken in Coldfusion + Störung bei WhatsApp + #heiseshow zu VanMoof, Bard, Blitzer
Interview: Wie Messaging Layer Security sichere Gruppenkommunikation ermöglicht
Verschlüsselte Kommunikation in großen Gruppen soll dank Messaging Layer Security bald keine Herausforderung mehr sein. Co-Initiator Raphael Robert klärt auf.
#EU#Meta#Privacy#Surveillance#UploadFilters#DigitalRights#HumanRights#DataProtection#Messaging: "Together with an affected Facebook user, GFF is filing a lawsuit against Meta. The company automatically scans Messenger messages sent by users. In doing so, the platform violates the fundamental rights to privacy and to control one’s own data. Meta is relying on a European transitional regulation that provides for exceptions to the e-Privacy Directive for a period of three years. The lawsuit aims to oblige Meta not to scan our plaintiff’s messages and, in light of the currently planned new regulation on chat control, have the courts establish that indiscriminate scanning of messages is generally incompatible with fundamental rights." https://freiheitsrechte.org/en/themen/digitale-grundrechte/chatcontrol_facebook