Share this article on:
Earlier this year, BioReference Laboratories Inc., (BRLI) discovered that a number of phlebotomists had adopted the practice of using their smartphones to take photographs of laboratory test requests in order to transmit them to BLRI. The practice was drawn to the attention of BRLI on February 9 this year.
An investigation was conducted which revealed smartphones had been used by some of the company’s phlebotomists in Florida for this purpose since January 2013. The practice continued until February 10, 2016.
Over the course of four years, the lab test requests relating to 3,563 individuals had been photographed and transmitted over an unsecured network.
The data typically photographed included full names of patients, birth dates, addresses, medical record numbers, admission/discharge dates, health insurance information, details of the laboratory tests that were ordered, diagnosis codes, and Social Security numbers.
BRLI has no reason to believe that any of the photographs were intercepted, obtained, or viewed by unauthorized individuals or that any data have been used in appropriately. As a precaution, credit monitoring services are being offered to all affected individuals, who have also been advised to monitor their financial and EoB statements for signs of fraudulent activity.
HIPAA Regulations and Smartphones
The use of smartphones and SMS texts to transmit protected health information violates HIPAA Rules. Standard SMS messages are not encrypted, and could therefore be intercepted and viewed by unauthorized individuals. SMS messages may remain on unsecured mobile network operators’ servers for an extended period of time. A covered entity has no control over who can access those messages.
Smartphones often have insufficient authentication controls and there is therefore no guarantee that any PHI sent via SMS will only be read by the intended recipient. SMS messages and PHI could potentially remain on senders’ and receivers’ devices for some time. In the event that a device is lost, stolen, or left unattended, PHI could be viewed by unauthorized individuals.
HIPAA does not ban the use of smartphones for the transmission of PHI. If appropriate administrative, technical, and physical safeguards are employed to keep PHI secure, smartphones can be used healthcare professionals to communicate PHI. To avoid a HIPAA violation, covered entities must use a secure messaging platform.
Not all secure messaging platforms incorporate sufficient security controls to comply with HIPAA. Before any solution is adopted, covered entities must perform a risk assessment and ensure that PHI is safeguarded at all times. In order to be HIPAA-compliant, text messaging platforms must use end to end encryption for transmitted and stored data. The platform must also be protected with robust authentication controls to prevent the unauthorized accessing of PHI.
A secure messaging platform should incorporate delivery and read receipts, allow lifespans to be assigned to messages, and messages to be recalled and remotely deleted. Logs must also be recorded and maintained for auditing purposes.
The use of smartphones to communicate PHI has potential to improve workflows, enhance efficiency, and allow faster decision making, which can improve patient outcomes. However, the failure to use a HIPAA-compliant messaging platform to communicate PHI violates patient privacy and could attract a substantial fine from the Office for Civil Rights.