Smartphones are a wonderful mechanism for communicating with coworkers and finding information quickly. That’s a large reason why 84% of physicians use smartphones for professional purposes.1 Yet, in the age of texting, Snapchat, and Instagram, HIPAA violations are just a send, snap, or tap away. What obstacles might you face protecting patient privacy as a pulmonologist in the smartphone age?
Texting is easy and convenient, but it’s also a HIPAA danger zone. Sending a text message containing protected health information (PHI) – any information in a medical record that can be used to identify a patient – is a HIPAA violation. That said, texting in itself is not an automatic HIPAA violation. There are instances in which texting is permissible2:
- The message does not contain PHI
- The message complies with the “minimum necessary standard”
- There are technical safeguards in place that comply with the HIPAA Security Rule
To the last point, technical safeguards are perhaps most useful in determining when a text message is or isn’t in violation of HIPAA regulations. Technical safeguards such as encryption, anti-malware tools, firewalls, and authentication tools should be implemented.3 Further, only individuals who need access to PHI to perform their job responsibilities may access it.
Using Unsecured Networks
You may think nothing of emailing your staff about a patient while accessing free Wi-Fi at the local library or coffee shop. However, accessing PHI on an unsecured network could be a HIPAA violation. If you must access PHI on your smartphone, do so on an encrypted network. At the very least, the PHI itself should be encrypted.
Storing PHI in the Cloud
Many pulmonologists have embraced cloud computing for its flexibility and scalability. However, without adequate security for the data you store, you could face HIPAA implications. If you are accessing PHI on your smartphone, turn off any cloud services that are not HIPAA compliant.
There are many uses for mobile photography in pulmonology. For example, you might photograph a radiograph and upload it to your EHR. Not a big deal, right? Not exactly. For one, the photo could contain PHI if the patient can be identified. For another, your smartphone might not be properly protected. There is a list of possible identifiers4 that must be absent from a record for it not to be considered PHI, so be sure any photos you take on your smartphone satisfy those criteria.
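The identifier list referred to above is the HHS Safe Harbor method (45 CFR 164.514(b)(2)), which the de-identification guidance in reference 4 describes. As an added illustration, not code from the original article, the following Python script applies those rules to the metadata and caption a phone app might attach to a radiograph photo before it is uploaded: direct identifiers are dropped, dates are reduced to the year, ages over 89 become "90+", and ZIP codes are cut to three digits (or 000 for sparsely populated areas). The field names, the sample record, and the small-population ZIP3 subset are constructed for the example.

```python
"""Safe Harbor style de-identification of the metadata attached to a smartphone capture.

Added example, not from the original article. Field names and the sample record are
constructed; the identifier categories follow the HHS Safe Harbor method
(45 CFR 164.514(b)(2)) that the article's reference 4 describes.
"""
import re

# Constructed field names for Safe Harbor categories that must be removed outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct",   # geography below state level
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo_id",
})

# Safe Harbor lets the first three ZIP digits stay unless that ZIP3 area has
# 20,000 or fewer people, in which case it becomes 000. Illustrative subset only;
# the authoritative list comes from Census data.
SMALL_POPULATION_ZIP3 = frozenset({"036", "059", "102"})

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
US_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE = re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b")


def generalize_date(value: str) -> str:
    """Keep only the year, as Safe Harbor requires for dates tied to an individual."""
    value = ISO_DATE.sub(lambda m: m.group(1), value)
    return US_DATE.sub(lambda m: m.group(3), value)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def generalize_zip(zip_code: str) -> str:
    """Reduce to ZIP3, or to 000 for sparsely populated ZIP3 areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def scrub_free_text(text: str) -> str:
    """Remove identifiers that tend to leak into captions and notes."""
    text = generalize_date(text)          # dates first, so a date is never mistaken for a phone
    text = EMAIL.sub("[EMAIL]", text)
    text = SSN.sub("[SSN]", text)
    return PHONE.sub("[PHONE]", text)


def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return (safe_record, removed_field_names) for one capture's metadata."""
    safe, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)
        elif key == "zip":
            safe[key] = generalize_zip(value)
        elif key == "age":
            safe[key] = generalize_age(value)
        elif key == "dob" or key.endswith("_date"):
            safe[key] = generalize_date(value)
        elif isinstance(value, str):
            safe[key] = scrub_free_text(value)
        else:
            safe[key] = value
    return safe, removed


# Constructed sample: metadata a phone app might attach to a radiograph photo.
SAMPLE_CAPTURE = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "age": 93,
    "zip": "03601",
    "study_date": "2018-07-31",
    "caption": "Chest film from 7/31/2018; questions to j.example@example.org or 555-0100",
    "device_serial": "SN-EXAMPLE-1",
    "finding": "right lower lobe opacity",
}

if __name__ == "__main__":
    safe_record, removed_fields = deidentify(SAMPLE_CAPTURE)
    print("removed:", removed_fields)
    print("safe record:", safe_record)
```

Note that this handles only the metadata and caption. The image itself is still PHI if it shows a full-face photograph or a patient label burned into the film, and Safe Harbor also requires that no other unique identifying number or code survive, so a script like this supports a review of each upload rather than replacing it.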
Failing to Analyze Risk
Ultimately, HIPAA is about having processes and systems in place to protect patient privacy. To avoid PHI issues, it’s imperative that you follow US Department of Health & Human Services guidelines for risk analysis. These include5:
- Evaluating risks to electronic PHI
- Implementing security measures to address those risks
- Documenting the security measures you take
- Maintaining and applying security protocols
This all raises the question: is banning smartphones in your practice the right thing to do?
The argument for…
There are a number of HIPAA violations just waiting to happen when you allow smartphones in a medical practice. Even if, for example, you follow the rules of texting, you could still wind up in violation of HIPAA regulations if you send information over an unsecured network. What’s more, it’s not just you who has to worry about this: it’s your entire staff. Perhaps it’s best to avoid any uncertainty.
The argument against…
Banning smartphones in the workplace creates a barrier to communication. Considering the vast majority of physicians use smartphones to support their workloads, banning them would hamper productivity. Not to mention, the staff will feel policed or as if they are being punished for no reason. A HIPAA smartphone policy and training are all that is necessary.
Where do you stand? Should pulmonology practices ban smartphones?
1. Physicians’ usage of smartphones for professional purposes in the U.S. from 2012 to 2015. Statista. Accessed July 31, 2018.
2. Is texting in violation of HIPAA? HIPAA Journal. Accessed July 31, 2018.
3. Barrett C. Healthcare providers may violate HIPAA by using mobile devices to communicate with patients. American Bar Association. October 7, 2011. Accessed July 31, 2018.
4. Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. US Department of Health & Human Services. Reviewed November 6, 2015. Accessed July 31, 2018.
5. Guidance on risk analysis. US Department of Health & Human Services. Reviewed March 9, 2017. Accessed July 31, 2018.