Healthcare professionals are increasingly using personal phones to share patient data with care teams. This is an obvious breach of HIPAA Rules. Even if the data is sent to authorized individuals, the use of insecure and unencrypted networks to share sensitive information such as test results and patient data is a HIPAA violation.
The intended recipient is not the determining factor in this case. Transferring protected health information (PHI) without a safeguard such as a firewall creates a risk to information integrity and privacy. While sending messages over a password-protected Wi-Fi network may be allowed under HIPAA’s Security Rule, use of normal cellular networks is not.
The Department of Health and Human Services’ Office for Civil Rights (OCR) is the arm that monitors compliance with HIPAA and can impose fines and sanctions against violators. The methods doctors and healthcare providers use to share PHI are an area to which it is paying more attention. The use of mobile devices is causing heightened concern, as there is an increased risk of the data being intercepted, or accessed by unauthorized individuals should the device be lost or stolen.
As insecure channels are being used more and more, the OCR has started to make examples of those caught using them. The sharing of PHI must be done with sufficient safeguards to protect patient data.
Although text messages are seemingly sent near instantaneously, they transit through a number of servers. Information may be stored by these servers. As this information could be accessed by unauthorized individuals, it constitutes a HIPAA violation. A simple way to potentially stay compliant with HIPAA would be to encrypt the data being sent. That way, even if the information were stored on an unauthorized server, it would be unreadable and unusable if accessed. A number of smartphone apps exist to facilitate secure healthcare messaging.
The OCR is continually issuing guidance. As technology and communication tools evolve, regulations will need to be drawn up to ensure their judicious use. Until official guidance is published, healthcare providers should err on the side of caution and only share PHI using secure and verified tools.