HIPAA Encryption for iPhones and Android Phones

Should healthcare providers encrypt data on the smartphones they use? There is some misunderstanding about encryption for iPhones and Android phones under HIPAA. The misunderstanding arises largely because the HIPAA Security Rule only states that the encryption of Protected Health Information (PHI) is an “addressable” requirement when PHI is transmitted beyond a covered entity’s communications network. This wording raises three issues regarding HIPAA encryption for iPhones and Android phones:

  • What health data must be secured?
  • What is the difference between an “addressable” and a “required” provision?
  • What is the definition of a covered entity’s communications network?

The issues are even more complicated because there are exceptions to the HIPAA Security Rule for doctor/patient communications and because encryption, by itself, doesn’t make a healthcare smartphone HIPAA compliant. This article looks at the issues mentioned above, clarifies why encrypting iPhones and Android phones in healthcare isn’t enough to make them HIPAA-compliant, and presents a solution to minimize the chance of a PHI breach and HIPAA violation.

What is Protected Health Information?

The HIPAA Privacy Rule defines Protected Health Information (PHI) as any individually identifiable health information that is created, maintained or transmitted in any format – which includes oral communications. The data pertains to the past, current or future mental or physical health of a person, the healthcare services provided to a person, or information used for payment for health services.

Besides being communicated orally, individually identifiable health information may be written down or embedded in a photo or video, and may consist of such information as names, email addresses, physical addresses (including a zip code), phone numbers, social security numbers and car license plate numbers.

Failing to secure PHI in transit could allow confidential data to be intercepted or exposed. Healthcare companies must always treat individually identifiable health information as PHI unless the patient has consented to making the data publicly available, for example PHI released for research or advertising purposes.

“Addressable” versus “Required”

Some people in the healthcare sector think that, simply because a provision is not a “required” element, implementing it is not necessary for HIPAA compliance. It is essential to point out that this is not the case by any means.

“Addressable” requirements must be implemented unless (a) a different security measure is applied that achieves a similar purpose, or (b) it can be shown that the security measure is not needed to safeguard the confidentiality, integrity, and availability of PHI.

In relation to HIPAA encryption for iPhones and Android phones, it is hard to think of a situation in which an appropriate substitute for encryption could be used, and nearly impossible to think of a scenario in which transmitting PHI without encryption is acceptable, given how a covered entity’s communications network is defined below.

What is the definition of a Covered Entity’s Communications Network?

The phrase “covered entity’s communications network” refers to an internal digital communications network that is protected by a firewall from access from the outside world. As soon as an email message, an SMS or an instant message is sent beyond the firewall, the communication is considered to have left the network.

Keeping all communications containing PHI behind the firewall is perhaps the only way that HIPAA encryption for iPhones and Android phones can be avoided. Nonetheless, it is not practical: smartphone users would be unable to connect from outside the covered entity’s network or send messages over a public 3G or WiFi service, for instance.

This would make it impossible to transmit any individually identifiable health information to on-call physicians or to discuss patients with nurses doing community work. HIPAA encryption for iPhones and Android phones is therefore a requirement unless healthcare companies prohibit the use of smartphones in the workplace or stop communicating PHI on the devices entirely.

The Communication Problem and Solution

Prohibiting the use of smartphones in the workplace would create a major communication problem for healthcare companies. Research studies reveal that four out of five doctors and three out of every four nurses use a personal smartphone. Giving up the speed and convenience of smartphones would likely harm productivity.

A remedy to this dilemma is the use of a secure messaging system. Secure messaging systems work in the same way as commercially available messaging applications, but conform to the Security Rule requirements for HIPAA encryption for iPhones and Android phones while PHI is being transmitted.

Nonetheless, HIPAA compliance is not achieved by encryption alone. HIPAA encryption for iPhones and Android phones is only one aspect of the Security Rule that must be met to be compliant. Secure messaging platforms must satisfy all of the physical, administrative and technical safeguards of the HIPAA Security Rule before they can be used to communicate PHI.