HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Professionals Violate HIPAA with Personal Phones

There is a worrying practice taking place in healthcare centers across the country: The use of personal mobile phones for communicating with care teams and sending patient data. The practice is a clear HIPAA violation, yet text messages, attachments and even photographs and test results are being shared over insecure networks without data encryption, albeit with individuals permitted to view the data.

Even if the recipient of the message or communication is authorized to have access to that information, sending of PHI over an insecure network without the protection of a firewall is a clear security risk. If messages are sent via the hospital’s password-protected WI-Fi network this may be permitted under the HIPAA Security Rule; the sending of text messages via an AT&T network for example, is not.

The Department of Health and Human Services enforces HIPAA compliance via the OCR, which is issuing financial penalties for HIPAA violations and taking a particular interest in the use of mobile technologies and communication of PHI in healthcare centers and between healthcare providers. It is an area of particular concern due to the high risk of interception of data in transit and the accidental divulgence of patient data when devices are lost or stolen.

The use of insecure communication channels has been an issue that the OCR needed to address for some time and it is now getting tough on offenders. When PHI must be communicated between caregivers, standards must exist to ensure the privacy of patients data is not placed under threat.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

When a text message is sent it is almost instantly received; however the message may be sent through numerous servers and the data may remain on those servers for a period of time. The stored data could potentially be accessed and viewed by unauthorized individuals, which clearly breaches HIPAA regulations. If the data is encrypted, a HIPAA violation can be avoided as even though the data is stored on an insecure server, the data itself is secured as it is encrypted. That could be as simple as using a healthcare messaging app on a Smartphone.

The issue has not yet been specifically covered under HIPAA regulations; however it is highly likely that the OCR will issue guidelines and update regulations to cover new technologies and mobile communications in the not too distant future. In the meantime, healthcare companies and care providers should take particular care not to violate HIPAA regulations and only send PHI through secure channels.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.