Ways physicians can stay HIPAA compliant when using mobile devices

February 10, 2014

In today’s era of smart phones and tablets, the question is no longer whether physicians and their staff members should send text messages containing protected health information (PHI), but rather what is the safest way to do so. Here are some tips practices should consider.

Texting, as compared to emailing, may be very useful in addressing immediate healthcare questions and needs, but it also allows for the flow of fairly unprotected information. Text messages can be forwarded to anyone and, unless deleted, the text message will remain both on the sender’s and receiver’s devices permanently. Another problem is simple user error, such as choosing the wrong contact in the device’s stored contact list.

Practices can take action to prevent unauthorized disclosures. See “Security options” for a list of protective measures from the Office of the National Coordinator for Health Information Technology.

Other precautions

It is not only prudent, but required, to limit messages to only the information absolutely necessary to accomplish the objective.

Furthermore, large database files should never be attached to text messages because these can greatly increase the number of individuals whose information is exposed, which, in turn, greatly increases the potential financial consequences.

Providers are well advised to implement these safeguards when they transfer PHI electronically.

Steep fines for HIPAA violations

The penalty for one HIPAA violation can result in a fine of up to $50,000, and identical violations can lead to a maximum fine of $1.5 million in a year. There have been a number of recent enforcement actions against both providers and payers, big and small.

In addition, with the HIPAA rules now applying directly to business associates, the field for potential violations has broadened. In many instances, the violations resulted from loss or misuse of portable devices. The Office for Civil Rights expects full compliance on HIPAA security. Providers should consider themselves on notice.

Security options

Passwords: A simple and inexpensive way to prevent unauthorized access to or use of any device. Merely password-protecting the device does not negate certain reporting obligations that may arise under federal or state law if the device is lost or stolen.

Remote Wiping: There are a variety of applications and software that can be installed on a device that allow the device owner to erase data from the device remotely in the event it is lost or stolen. Remote wiping may obviate the state and federal reporting obligations depending on how quickly the device is wiped.

Encryption: This technique adds an additional layer of security. Under the Health Insurance Portability and Accountability Act (HIPAA), entities have various obligations regarding an unsecured breach of PHI. However, if the PHI is correctly encrypted, the PHI is secured and the same obligations no longer apply.

Secured Networks: This avoids interception by unauthorized users.

Delete PHI: Immediate removal of PHI from devices clearly avoids access by unintended recipients. Additionally, when discarding or returning the device to a telecommunications provider, all PHI stored on the device must be erased.

Zachary B. Cohen, JD, and Michael G. DiFiore, JD, are associates at Garfunkel Wild, P.C. in Great Neck, New York. Send your legal questions to medec@advanstar.com.