Corporate Compliance

Instant messaging and HIPAA

Compliance Monitor, August 19, 2005

Q. Is instant messaging (IM) to communicate at work an acceptable practice under HIPAA?

A. The HIPAA regulations do not and are not likely to ever specify technologies that are permissible or prohibited. IM may be easy to use and it will let others know when you're "online," which is sometimes a business convenience.

However, permitting use of IM, especially for transmitting confidential information, is not prudent. Many concerns that apply to e-mail also apply to IM. For example, is the transmission encrypted if off the local network? Is the authentication of sender and receiver adequate?

IM is also subject to its own set of technical vulnerabilities and attacks, so its use presents the security team with additional burdens of technically securing IM and training the work force on protective measures. Hence, it appears that today, more healthcare organizations prohibit or severely limit IM use, and with good reason.

Editor's note: Kate Borten, CISSP, CISM, president of The Marblehead Group, answered this question. This is not legal advice. Consult with your attorney for legal matters.