You use your cell phone. A lot. You use your cell phone somewhere in your medical practice, also a lot. You know it. We know it. The U.S. Department of Health and Human Services (HHS), which administers HIPAA, knows it, and so does the Office for Civil Rights (OCR), which hands out penalties for HIPAA violations.
Over four years ago, 84% of practicing physicians reported using a smartphone in their practice, and that number is certainly higher now. Furthermore, recent enforcement actions by OCR have targeted healthcare organizations with deficiencies related to mobile-device HIPAA policy. We all know the potential for danger is there, but the usefulness of smartphones in medicine is simply undeniable.
While a fully HIPAA-compliant approach to mobile devices requires a complete organizational effort, it’s still worth your time to make sure that your own personal HIPAA house is in order. For starters, check out our list of seven common ways that your cell phone could be making you a mobile HIPAA violation:
1) Text Messaging
Texting is insanely useful, but it’s also a potential HIPAA disaster zone. If you’re texting colleagues about patients, and the content of your messages reaches the level of protected health information (PHI), then the full force of HIPAA is going to apply to what you’re doing. Within a reasonable approximation of the law, you can assume that your messages should be encrypted both in transit and “at rest” (when stored on your phone and the phone of whoever is receiving them). Also within a reasonable approximation, this is definitely not the default case for most cell phone messaging apps.
There are other possible pitfalls, too. If your messages contain PHI, then you are likely on the hook for assuring compliance with all facets of the HIPAA Security Rule, not just encryption. This includes considerations of data integrity, access control, auditing, and many other issues. Then, if you’re also texting patients, there is even more to think about. For a primer on this tricky subject, see our post on texting patients.
How to Fix It: Don’t text PHI to anybody through non-medical communications apps. If your organization provides an approved messaging app, then use it, and make sure your colleagues are on it, too. If you’re looking for a medical communications app that will cover you for all of the HIPAA technical safeguards that you need to consider, check out our Spruce Care Messenger.
2) Your Camera Roll
If you work in a hospital, you’ve probably had a consultant ask you to text them a quick picture of an ECG, an x-ray, a rash, or something else. Or maybe you sometimes snap pictures of important findings to upload into your EHR. There are a lot of possible uses for mobile photography in medicine, and it can certainly improve care. However, cell phone makers haven’t built their photo apps with HIPAA in mind, and your medical pictures likely qualify as PHI that isn’t being protected properly.
How can you tell if a picture constitutes PHI? The law defines PHI as all “individually identifiable health information,” so if a picture contains any type of health information along with enough detail to identify a specific individual, then it is PHI. Helpfully, HIPAA law also includes an enumerated list of 18 possible identifiers that must be absent from a record before it can be considered not to be PHI. These “Safe Harbor” criteria give you an easy checklist to run through when making PHI determinations. Assuming there is no text in a given photograph, then the applicable PHI-defining criterion is “Full-face photographs and any comparable images.” The phrase “comparable images” is not explicitly defined, but it is likely to cover any medical picture that conveys as much uniqueness as a “full-face photograph,” such as a notable physical feature or a tattoo.
How to Fix It: Don’t take photographs that meet any of the 18 HIPAA Safe Harbor criteria, especially including pictures of a patient in which they are recognizable. If you need to take such pictures, do so through an app that was designed with HIPAA technical safeguards in mind.
3) Insecure Wi-Fi
You’re in a coffee shop soaking up some complimentary wi-fi on your phone. You check your work email and see that somebody from your practice or hospital team has sent you a message about a mutual patient, which you scan quickly. You don’t respond. Have you committed a HIPAA violation? Maybe!
When you checked your email, you caused the transmission of data from the email server to your phone. Depending on how that connection was established, this transfer might have been unencrypted or suboptimally encrypted, flowing right across the public wi-fi network at the coffee shop. Is it likely that somebody snooped on it? No. Does that matter to HIPAA? No. HIPAA is about processes and systems, and exposing PHI to unencrypted transmission is generally verboten, regardless of outcome and especially if a better way exists and is reasonable to implement.
If you are unaccustomed to thinking about electronic data transmission security, then take the postal system as an analogy. If you send a postcard written in plain English through the mail, anybody who picks it up can read it. This is the equivalent of sending an unencrypted message across an unencrypted connection. If you put that same postcard in an opaque envelope, however, you’re now doing the equivalent of sending an unencrypted message across an encrypted connection; nobody can read it unless they crack the envelope. Alternatively, you could send the postcard without an envelope but write its message in a gibberish language that only your recipient can read. This would be like sending an encrypted message across an unencrypted connection: anybody can pick up the card and look at it, but the message will be nonsensical.
The bottom line: if you’re on a mobile device and want to access PHI across a network, you need to make sure either that your network connection is encrypted or that any PHI you are transmitting is encrypted. There is HHS guidance on this, but it gets technical very quickly (e.g., do you know what NIST is or what it has to say about TLS?).
How to Fix It: Use a remote-access technology solution that ensures a secure, encrypted connection between your mobile device and the PHI that you are accessing. VPN solutions can do this when implemented correctly. Alternatively, if a secure connection cannot be guaranteed, then you should transmit only encrypted PHI.
4) Your Contact List
The contact app on cell phones is maybe the greatest invention ever. The only phone numbers we now know by heart are those we were dialing 15 years ago, and we’re all to the point where we don’t even answer calls if there isn’t a recognizable name attached. It sure is magic to have all those numbers connected to names and stored electronically on our mobile devices. Unless you’re a physician who uses their phone to contact patients, in which case that contact list might be a sneaky but real HIPAA violation. Here, store this in your phone under “HIPAA Police”: 800-368-1019. That’s OCR’s contact number, so you’ll know who’s calling when they come knocking.
In fact, the exact way your contact list can betray you is a bit subtle. If you don’t label the contacts as patients, and you don’t have any written communication with them (e.g., text messages) on your phone, you might think you’re in the clear, but it’s not quite that simple. If you store patients as contacts, you’ll also have to ban every other app from accessing the list, because many apps leverage your phone book as a way of improving your (and their) social network.
With your phone book’s help, social apps might view one of your patients as being a likely “friend of a friend” of another of your patients, simply because they share the common connection of you. This can lead to those services recommending your patients to each other as new connections to make. If somebody then recognizes somebody else from your elevator or waiting room, the dots become easy to connect, and it’s likely that PHI has now been leaked. This goes double if you practice in a sensitive or niche field, such as psychiatry, where simply knowing that someone is a patient is a weighty fact.
One significant bummer: if patients are storing your number in their contact lists, the entire nightmare scenario above can still occur, even without you doing anything wrong. If your patients let their social apps access their phone books, the apps can figure out that two people with the same saved number (yours) likely know each other. This seems to have happened to at least one psychiatrist recently.
How to Fix It: Only store patient contacts within secure communication apps that were designed with HIPAA in mind. Of course the Spruce Care Messenger fits this bill perfectly, which you probably already guessed. If you want to be extra cautious, you could also recommend to your patients not to store your number in their contact list if they allow their social apps to access it.
5) It’s Just So Stealable
HIPAA spends a lot of time discussing “reasonable and appropriate administrative, technical, and physical safeguards” for organizations that interact with PHI. With this in mind, now let us agree that there is almost nothing less physically safeguarded than a cell phone. They are literally designed to be as small and easily mobile as possible, and they are high-value targets for theft. If your phone is a gateway to your patients’ PHI, either because you store PHI on the phone directly or because the phone is set up to access PHI across a network, then you need to take its intrinsic stealability seriously.
Start by assuming that your phone can be stolen at any moment; internalize that you cannot put an effective “physical safeguard” on it. Your only option is to plan around this vulnerability by adopting the best “administrative” and “technical” safeguards that you can. See what we’re doing there? HIPAA is about processes and systems, and it allows you to compensate for deficiencies in one area by beefing up in others. You just have to put thought into it.
How to Fix It:
Administrative safeguards: Decide which, if any, PHI you really need to access from your phone. Remove your phone’s access to PHI that you don’t need. If you are storing PHI directly, delete any that you don’t absolutely need. Make it a policy to turn on encryption, passwords, and other technical features wherever you can.
Technical safeguards: Modern iOS and Android phones use whole-disk encryption when their passcode is enabled. Enable your passcode, and set the phone to wipe if too many incorrect codes are entered. After this, if possible, store PHI (or PHI access) only within apps that require further authentication after the passcode, such as the Spruce Care Messenger. If your phone supports it, also enable the ability to remotely wipe the device, so you can clear its memory from afar if it gets stolen.
6) The Cloud
First of all, there is no “cloud”; it’s just somebody else’s computer. When data is stored “in the cloud,” it is simply being stored on a remote computer. This can be convenient, letting you access your email, contacts, photos, and other information from all sorts of different devices, but it unfortunately comes with enormous security and HIPAA implications.
For better or worse, mobile devices have moved strongly toward using “cloud” technologies by default, and this is what is most dangerous if you’re subject to HIPAA. You can design a HIPAA-compliant process to take and store PHI-containing photographs on your phone, for example, but if your camera roll is automatically backing up to a cloud service, this can undermine all of your careful work. Many cloud services do not have security that is acceptable for HIPAA purposes, and even if they do, you likely don’t have the necessary signed business associate agreement (BAA) in place to keep the HIPAA chain intact.
How to Fix It: Identify all points of PHI storage or access on your phone and determine if a cloud service is set to back up any of them (e.g., iCloud backing up photos on an iPhone). Turn off any such cloud service that you find unless it is specifically built to be HIPAA-compliant and you also have a BAA in place with the organization supplying it.
7) Your Risk Analysis is Nonexistent
For the third time in this article, I’m going to say that HIPAA is about processes and systems. There is no such thing as a “HIPAA-compliant” phone, just like there is no such thing as a phone that is non-HIPAA-compliant. Everything depends on the processes that you have designed and your policies surrounding them. And when it comes to electronic PHI, the most important of these may be the “risk analysis” process.
If you don’t want your phone to be a permanent HIPAA violation, you have to follow the governmental guidelines for ongoing risk analysis. In a nutshell, this means that you have to:
- Evaluate the likelihood and impact of potential risks to electronic PHI
- Implement appropriate security measures to address the risks identified
- Document the chosen security measures and the rationale for adopting those measures
- Maintain continuous, reasonable, and appropriate security protections
Have you done this? If not, it doesn’t matter how much encryption you’re using; you can never be HIPAA-compliant. If you’re part of an organization, it’s also likely that somebody in your group has already done this and has created specific policies for mobile devices. You should find them, read them, and follow them. When it comes to HIPAA, the last thing you want is to be on the wrong side of a documented policy.
How to Fix It: Get yourself right with risk analysis for electronic PHI. If your organization isn’t doing it, then start. If you already are, then learn about your group’s policies and follow them.
That’s it for now. Again, this list isn’t meant to cover every possible pitfall inherent to cell phones and HIPAA, since there are literally infinite ways for your smartphone to help you break the law. But it’s a good start, and it’ll help you avoid some of the most common and dangerous mistakes, allowing you to protect both yourself and your patients.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
- Google/Manhattan Research. Screen to Script: The Doctor’s Digital Path to Treatment. (Google, 2012).