There is a worrisome practice happening in healthcare centers throughout the country: the use of personal cellular phones to contact health care teams and transmit patient information. The practice clearly violates HIPAA Rules; nevertheless, text messages, attachments, photographs and examination results are being disclosed over unsafe networks with no data encryption.
Even though the recipient of the information or communication is permitted to access that information, transmitting PHI through a vulnerable network with no firewall protection is an obvious security risk. Sending messages through the password-protected Wi-Fi network of the hospital is permitted under the HIPAA Security Rule; transmitting text messages through a carrier such as AT&T, for instance, is not.
The Department of Health and Human Services Office for Civil Rights is the main enforcer of HIPAA compliance. OCR issues financial penalties for HIPAA violations and there is concern about healthcare organizations using mobile technologies for PHI communication. OCR is particularly concerned because there is a high risk that data in transit could be intercepted and patient information unintentionally exposed when mobile devices are lost or stolen.
OCR has been addressing the issue of using unsafe communication channels for a while. When communicating PHI between caregivers, safeguards must be implemented to make sure the privacy of patient information is not threatened.
A text message is received virtually instantly, but it may be delivered via several servers, and the message content may be retained on those servers for some time. That stored information could be accessed by individuals who are not authorized to view it, which naturally violates HIPAA Rules. If the data is encrypted in transit, a HIPAA violation can easily be avoided: even if the information is kept on a vulnerable server, as long as it is encrypted it remains safe and secure. A healthcare messaging application on a smartphone will help to ensure HIPAA compliance.
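The property described above, that a relay server which retains a message holds nothing readable once the message is encrypted before it leaves the phone, can be shown concretely. The following Go program is an added example, not code from the article or from any messaging product: it seals a constructed clinical message with AES-256-GCM, passes it through a simulated relay that keeps a copy of everything it forwards, and checks that the relay holds only ciphertext, that the intended recipient can decrypt, and that a modified blob or a wrong key is rejected. The shared key, the routing header and the message text are all assumptions made for the demonstration; a real application would obtain the key from its key-exchange mechanism rather than generating one locally.

```go
// Added example (not from the article): a minimal end-to-end encryption
// layer for a clinical message so that intermediate servers hold only
// ciphertext. Key exchange is out of scope; the key is assumed to be
// shared out of band by the messaging app.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"bytes"
	"errors"
	"fmt"
)

// NewMessageKey generates a 256-bit AES key. In a real app the key would
// come from the messaging service's key exchange, not be made per message.
func NewMessageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealPHI encrypts a message with AES-256-GCM. header (e.g. sender and
// recipient ids) is authenticated but not encrypted, so a relay can route
// on it without seeing the body. Output layout: nonce || ciphertext || tag.
func SealPHI(key, header, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// OpenPHI reverses SealPHI and fails if the blob or header were altered
// or the key does not match.
func OpenPHI(key, header, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

// Relay stands in for the servers a message passes through. It retains a
// copy of every blob it forwards, as the article warns real servers may.
type Relay struct{ stored [][]byte }

func (r *Relay) Forward(blob []byte) {
	r.stored = append(r.stored, append([]byte(nil), blob...))
}

// HoldsPlaintext reports whether any retained blob contains the clear-text
// message: true for an unencrypted SMS, false for a sealed message.
func (r *Relay) HoldsPlaintext(plaintext []byte) bool {
	for _, b := range r.stored {
		if bytes.Contains(b, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewMessageKey()
	header := []byte("from=nurse-12;to=dr-7")          // constructed routing header
	msg := []byte("Pt in bed 4: K+ 6.1, ECG peaked T") // constructed PHI message

	var sms, secure Relay
	sms.Forward(msg) // plain SMS: the carrier stores the PHI as-is
	blob, _ := SealPHI(key, header, msg)
	secure.Forward(blob) // sealed: the relay stores only ciphertext

	fmt.Println("SMS relay holds PHI:   ", sms.HoldsPlaintext(msg))
	fmt.Println("secure relay holds PHI:", secure.HoldsPlaintext(msg))
	out, err := OpenPHI(key, header, blob)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", out, err)
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering in storage
	_, err = OpenPHI(key, header, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point is that the relay never receives the key: transport encryption between the phone and the first server would not help once a copy sits on a server in the middle, whereas sealing the body on the sending device means every hop and every stored copy is ciphertext. The authenticated header keeps routing metadata usable by the relay while binding it to the message, so a blob cannot be silently redirected to a different recipient.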
The HIPAA regulations do not specifically cover this issue yet; nonetheless, it is very likely that OCR will provide additional guidance on the matter soon. For the time being, healthcare organizations and care providers must take extra care that they do not violate HIPAA regulations, should only send PHI via safe and secure channels, and should never send it via SMS messages.