HIPAA Encryption for iPhones and Android Phones
Do Smartphones Used in Healthcare Have to Be Encrypted?
There is an understandable amount of confusion about HIPAA encryption for iPhones and Android phones. The confusion arises because the HIPAA Security Rule categorizes the encryption of Protected Health Information (PHI) as an “addressable” implementation specification, including when PHI is transmitted outside a covered entity's communications network. That categorization alone raises three questions about HIPAA encryption for iPhones and Android phones:
- What health information is protected and what is not?
- How does an “addressable” requirement differ from a “required” requirement?
- How is a covered entity's communications network defined?
The questions are further complicated by the latitude HIPAA gives to physician/patient communications (a patient who has been warned of the risks may still choose to receive communications from a provider over an unencrypted channel) and by the fact that encryption alone does not make a smartphone used in healthcare HIPAA compliant. This article examines the questions above, explains why HIPAA encryption for iPhones and Android phones is not enough on its own to make a smartphone used in healthcare HIPAA compliant, and offers a solution that reduces the risk of PHI breaches.
What is Protected Health Information?
Protected Health Information is defined by the HIPAA Privacy Rule as individually identifiable health information that is created or received by a covered entity (such as a healthcare provider) and maintained or transmitted in any form or medium, including oral communications. The information can relate to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that health care.
Besides being communicated orally, individually identifiable health information can be written or included in an image or video, and it is “identifiable” when it contains details such as names, addresses (down to the zip code), email addresses, telephone numbers, social security numbers and vehicle identifiers such as license plate numbers.
Failing to protect the confidentiality and integrity of PHI in transit can result in the information being intercepted, read or altered. If in doubt, healthcare providers should treat any individually identifiable health information as PHI unless the patient has authorized its disclosure, for example for research or marketing purposes.
The Difference between “Addressable” and “Required” Requirements
Some in the healthcare industry have taken the view that, because an implementation specification is “addressable” rather than “required”, it need not be implemented in order to become HIPAA compliant. It is important to emphasize that this is not the case.
“Addressable” specifications have to be implemented as if they were “required” unless (a) an equivalent alternative security measure is implemented that accomplishes the same purpose, or (b) the covered entity can demonstrate, and must document, that the measure is not reasonable and appropriate for protecting the confidentiality, integrity and availability of its PHI.
In respect of HIPAA encryption for iPhones and Android phones, it would be very difficult to think of a scenario in which a suitable alternative to encryption could be deployed, and almost impossible to conceive of a situation in which transmitting PHI without encryption would be acceptable, subject to the explanation of a covered entity's communications network provided below.
How is a Covered Entity's Communications Network Defined?
The term “covered entity's communications network” refers to an internal electronic communications network that is separated from the outside world by an appropriately configured firewall. Once an email, SMS or instant message passes outside that firewall, the communication is considered to have left the network. Standard SMS text messages are a case in point: they are carried over the mobile carrier's network rather than the covered entity's, and are not encrypted end to end, so they are always outside the firewall.
Keeping communications containing PHI behind a firewall is possibly the only scenario in which HIPAA encryption for iPhones and Android phones could be avoided. However, it is an impractical one. The owners of the smartphones would never be able to communicate outside the covered entity's network or send messages over a public cellular (3G) or Wi-Fi service.
This would make it impossible to send any individually identifiable health information to on-call doctors or to communicate about patient care with nurses working in the community. Effectively, HIPAA encryption for iPhones and Android phones is a necessity unless healthcare organizations ban the use of smartphones in the workplace or stop communicating PHI altogether.
The Communication Problem and Its Solution
Banning the use of smartphones in the workplace would create a major communication problem for healthcare organizations. Studies show that four out of five physicians and three out of four nurses use a personal smartphone to support their work. Eliminating the speed and convenience of smartphones would be detrimental to productivity.
A solution to this problem is the implementation of a secure messaging system. Secure messaging systems look and work much like commercially available messaging apps, but they satisfy the Security Rule's requirements for HIPAA encryption for iPhones and Android phones while PHI is in transit.
However, HIPAA compliance is not achieved by encryption alone. HIPAA encryption for iPhones and Android phones is just one element of the Security Rule that has to be addressed. Consequently, a secure messaging solution also has to meet the criteria set out in the administrative, physical and technical safeguards for communicating PHI, for example unique user authentication, audit controls that record who accessed what, automatic logoff of idle sessions and, in practice, the ability to remotely wipe messages from a lost or stolen device.
Find out more about HIPAA Encryption for iPhones and Android Phones
To find out more about HIPAA encryption for iPhones and Android phones, the issues related to safeguarding the confidentiality and integrity of PHI in transit and how they can be resolved, you are invited to download and read our “HIPAA Compliance Guide”.
In addition to explaining why PHI should be encrypted, our guide to HIPAA compliance elaborates on the scenarios in which the lack of encryption can result in a breach of PHI and the penalties that can be imposed by the Department of Health and Human Services.
The guide also explains some of the benefits that accompany HIPAA encryption for iPhones and Android phones when it is delivered through a secure messaging solution, such as streamlined workflows, the elimination of phone tag and enhanced productivity. These benefits more than compensate for the costs of implementing a secure messaging solution and are well worth considering if the flow of communications in your HIPAA covered entity still lacks HIPAA encryption for iPhones and Android phones.