Can Healthcare Professionals Use Personal Phones at Work Without Violating HIPAA?
Healthcare professionals can use personal phones at work without violating HIPAA if the phone is not used to create, receive, store, or transmit Protected Health Information (PHI), or – if it is – provided that safeguards are in place to protect the privacy and security of PHI, and that any disclosures of PHI over personal phones are permitted by the Privacy Rule.
The answer to the question of whether healthcare professionals can use personal phones at work without violating HIPAA is situation specific. For example, a nursing assistant taking a photo of a celebrity patient to post on social media without the authorization of the celebrity patient is a violation of HIPAA as it is an impermissible disclosure of Protected Health Information (PHI).
In contrast, community health workers who may need to urgently communicate patients’ health conditions, and whose personal phones have been equipped with HIPAA-compliant communication apps (e.g., Microsoft Teams), can use personal phones at work without violating HIPAA – provided disclosures of PHI comply with the minimum necessary standard.
Between the above extremes of HIPAA compliance, there are many situations in which using a personal phone to create, receive, store, or transmit PHI could violate HIPAA – but might not. These may depend on the circumstances of a disclosure, whether it is oral or digital, what type of communications system is involved, and who PHI is being disclosed to, or received from.
Examples of When Healthcare Professionals can use Personal Phones at Work Without Violating HIPAA
To find examples of when healthcare professionals can use personal phones at work without violating HIPAA, it is necessary to define “at work”. This is because the service delivery location at which a healthcare professional might be “at work” could be a patient’s home, a hospital, or another location. The service delivery location can be a contributing factor when determining if using a personal phone at work is a violation of HIPAA. For example:
- A community health worker, whose personal phone has not been equipped with a HIPAA-compliant communication app, sends images of a home health patient’s injury to their supervisor because it is in the patient’s best interests to do so and the patient has given their consent for the communication.
- A nurse in a hospital uses their personal phone to facilitate a video call between a patient and the patient’s family (as was sometimes the case during the COVID-19 pandemic). It is not a violation of HIPAA if the nurse only facilitates the call or only answers questions from family members with the patient’s consent.
- An off-site physician receives a call on their personal phone from a case manager asking for advice on how best to treat a patient with whom both have a treatment relationship. Provided the call is conducted over a secure connection or app, the off-site physician is not violating HIPAA when using their personal phone.
While these examples of when healthcare professionals can use personal phones at work do not violate HIPAA, it is important to remember that the “compliance conduct” of healthcare professionals is governed by employers’ policies, rather than by HIPAA. In theory, a healthcare professional might not be violating HIPAA when using a personal phone at work, but may be sanctioned by their employer for violating an organization’s policy for personal phone use.
HHS Guidance can be Interpreted to Provide More Extreme Examples
When discussing examples of when healthcare professionals can use personal phones at work without violating HIPAA, it is important to remember the Privacy and Security Rules were published at a time when most personal phones were only capable of voice calls. Phone cameras, video messaging apps, and social media platforms were still many years away.
For this reason, many organizations’ HIPAA telephone rules apply to voice communications only. However, when you apply HHS guidance for other types of communications to the capabilities of personal phones, there can be some extreme examples of when healthcare professionals can use personal phones at work without violating HIPAA – this one in particular:
In 2008, HHS wrote that if a patient initiates contact by unencrypted email, healthcare providers can assume the patient has given their implied consent for communications via an unsecure channel of communication. While the guidance also advises alerting patients to the risks of unsecure communications, it reminds providers they have to accommodate “reasonable” requests and let the patient decide whether to continue (in this case) communicating via email.
In theory, this guidance could be interpreted to mean that, if patients contact healthcare professionals via personal phone numbers, email accounts, or social media aliases, healthcare professionals could use mobile phones at work to reply to patients without violating HIPAA. While taking this interpretation of HHS’ guidance at face value could lead to compliance issues elsewhere, this extreme example demonstrates the complexity of answering the question of whether healthcare professionals can use personal phones at work without violating HIPAA, and of training workforces to be HIPAA compliant.
Why It Is Advisable to Review Your Organization’s Policies for Personal Phone Use
Because of the many scenarios in which using a personal phone at work may – or may not – violate HIPAA, it is advisable for covered entities and business associates to review their organizations’ policies for personal phone use. The policies should be amended as necessary to account for the use of HIPAA-compliant communication apps or circumstances in which healthcare professionals can use personal phones at work without violating HIPAA.
Healthcare professionals are also advised to review their organizations’ policies for personal phone use due to the possibility that they may be violating their employer’s policies even if they are not violating HIPAA. Covered entities, business associates, and members of either’s workforce who are unsure about when healthcare professionals can use personal phones at work without violating HIPAA should seek professional compliance advice.
