You use your cell phone. A lot. You use your cell phone somewhere in your medical practice, also a lot. You know it. We know it. The U.S. Department of Health and Human Services (HHS), which administers HIPAA, knows it, and so does the Office for Civil Rights (OCR), which hands out penalties for HIPAA violations.<\/p>\n
Over four years ago, 84% of practicing physicians reported using a smartphone in their practice, and that number is certainly higher now.[1] Furthermore, recent enforcement actions by OCR have targeted healthcare organizations with\u00a0deficiencies related to mobile-device HIPAA policy.[2] We all know the potential for danger is there, but the usefulness of smartphones in medicine is\u00a0simply undeniable.<\/p>\n
While a fully HIPAA-compliant approach to mobile devices requires a complete organizational effort,\u00a0it’s still worth your time to make sure that your own personal HIPAA house is in order. For starters, check out our list of\u00a0seven common ways that your cell phone could be\u00a0making you a mobile HIPAA violation:<\/p>\n
Texting is insanely useful, but it’s also a potential HIPAA disaster zone. If you’re texting colleagues about patients, and the content of your messages reaches the level of protected health information (PHI), then the full force of HIPAA is going to apply to what you’re doing. Within a reasonable approximation of the law, you can assume that your messages should be encrypted both in transit and “at rest” (when stored on your phone and the phone of whoever is receiving them). Also within a reasonable approximation, this is definitely not the default case for most cell phone messaging apps.<\/p>\n
There are other possible pitfalls, too. If your messages contain PHI, then you are likely on the hook for assuring compliance with all facets of the HIPAA Security Rule, not just encryption. This includes\u00a0considerations of data integrity, access control, auditing, and many other issues.\u00a0Then, if you’re also texting patients, there is even more to think about. For a primer on this tricky subject, see our\u00a0post on texting patients<\/a>.<\/p>\n How to Fix It:<\/strong> Don’t text PHI to anybody through non-medical communications apps. If your organization provides an approved messaging app, then use it, and make sure your colleagues are on it, too. If you’re looking for a medical communications app that will cover you for all of the HIPAA technical safeguards that you need to consider, check out our Spruce Care Messenger<\/a>.<\/p>\n If you work in a hospital, you’ve probably had a consultant ask you to text them a quick picture of an ECG, an x-ray, a rash, or something else. Or maybe you sometimes\u00a0snap\u00a0pictures of important\u00a0findings to upload into your EHR. There are a lot of possible uses for mobile photography in medicine, and it can certainly improve care. However, cell phone makers haven’t built their photo apps with HIPAA in mind, and your medical pictures likely qualify as PHI that isn’t being protected properly.<\/p>\n How can you tell if a picture constitutes PHI? The law defines PHI as all\u00a0“individually identifiable health information,” so if a picture contains any type of health information along with enough detail to identify a specific individual, then it is PHI. Helpfully, HIPAA\u00a0law also includes an\u00a0enumerated\u00a0list of 18 possible identifiers<\/a> that must be\u00a0absent from a record before it can be considered not to be PHI. These “Safe Harbor” criteria give you an easy checklist to run through when making PHI determinations. Assuming there is no text in a given\u00a0photograph, then the applicable PHI-defining criterion is “Full-face photographs and any comparable images.” The phrase “comparable images” is not explicitly defined, but it is likely to cover any medical picture that conveys as much uniqueness\u00a0as a “full-face photograph,” such as a notable\u00a0physical feature or a tattoo.<\/p>\n How to Fix It:<\/strong> Don’t take photographs that meet\u00a0any of the 18 HIPAA Safe Harbor criteria<\/a>, especially including pictures of a patient in which they are recognizable. If you need to take such pictures, do so through an app that was designed with HIPAA technical safeguards in mind.<\/p>\n You’re in a coffee shop soaking up some complimentary wi-fi on your phone. You check your work email and see that somebody from your practice or hospital team has sent\u00a0you a message about a mutual patient, which you scan quickly. You don’t respond. Have you committed a HIPAA violation? Maybe!<\/p>\n When you checked your email, you caused the transmission of data\u00a0from the email server to your phone. Depending on how that connection was established, this transfer might have been unencrypted or suboptimally encrypted, flowing right across the public wi-fi network at the coffee shop. Is it likely that somebody snooped on it? No. Does that matter to HIPAA? No. HIPAA is about processes and systems, and exposing PHI to unencrypted transmission is generally verboten, regardless of\u00a0outcome and especially if a better way exists and is reasonable to implement.<\/p>\n If you are unaccustomed to thinking about electronic data transmission security, then take the postal system as an analogy. If you send a postcard written in plain English through the mail, anybody who picks it up can read it. This is the equivalent of sending an un<\/strong><\/span>encrypted message across an un<\/strong><\/span>encrypted connection. If you put that same postcard in an opaque envelope, however, you’re now doing the equivalent of sending an un<\/strong><\/span>encrypted message across an encrypted connection; nobody can read it unless they crack the envelope. Alternatively, you could send the postcard without an envelope but write its\u00a0message in a gibberish language that only your recipient can read. This would be like sending an encrypted message across an un<\/strong><\/span>encrypted connection: anybody can\u00a0pick up the card and look at it, but the message will\u00a0be nonsensical.<\/p>\n The bottom line: if\u00a0you’re on a mobile device\u00a0and want\u00a0to access PHI across a network, you need to make sure either that your network connection is encrypted or that any PHI you are transmitting\u00a0is encrypted.\u00a0There is HHS guidance<\/a> on this, but it gets technical very quickly (e.g., do you know what NIST is or what they have to say about TLS?)<\/p>\n How to Fix It:<\/strong>\u00a0Use a remote-access technology solution that ensures a secure, encrypted connection between your mobile device and the PHI that you are accessing. VPN solutions can do this when implemented correctly. Alternatively, if a secure connection cannot be guaranteed, then you should transmit only encrypted PHI.<\/p>\n The contact app on cell phones is maybe the greatest invention ever. The only phone numbers we now know by heart\u00a0are\u00a0those we were dialing 15 years ago, and\u00a0we’re all to the point where\u00a0we don’t even answer\u00a0calls if there isn’t a recognizable\u00a0name attached. It sure is magic to have all those numbers connected\u00a0to names and stored electronically on our mobile devices. Unless you’re a physician who uses\u00a0their phone to contact patients, in which case that contact list might be a sneaky but real HIPAA violation. Here, store this in your phone under “HIPAA Police”: 800-368-1019. That’s OCR’s contact number, so you’ll know who’s calling when they come knocking.<\/p>\n In fact, the exact way your contact list can betray you is a bit subtle. If you don’t label the contacts as patients, and you don’t have any written communication with them (e.g., text messages) on your phone, you might think you’re in the clear, but it’s not quite that simple. If you store patients\u00a0as\u00a0contacts, you’ll also have to ban every other app from accessing the list, because many apps leverage your phone book\u00a0as a way of improving your (and their) social network.<\/p>\n With your phone book’s help, social apps might\u00a0view\u00a0one of your patients as being a likely “friend of a friend” of another of your patients, simply because they share the common connection of you. This can\u00a0lead to those services recommending your patients to each other as new connections to make. If somebody then recognizes somebody else from your elevator or waiting room, the dots become easy to connect, and it’s likely that PHI has now been leaked. This goes double if you practice in a sensitive or niche field, such as psychiatry, where simply knowing that someone is a patient is a weighty fact.<\/p>\n One significant bummer: if patients are storing your number in their<\/em> contact lists, all of the above nightmare scenario can still occur, even without you\u00a0doing anything wrong. If your patients let their social apps access\u00a0their phone books, the apps can figure out that two people with the same saved number (yours) likely know each other. This seems to have happened to at least one psychiatrist recently.<\/p>\n How to Fix It:<\/strong>\u00a0Only store patient contacts within secure communication apps that were designed with HIPAA in mind. Of course the Spruce Care Messenger<\/a> fits this bill perfectly, which you probably already guessed.\u00a0If you want to be extra cautious, you could also recommend to your patients not to store your number in their contact list if they allow their\u00a0social apps to\u00a0access it.<\/p>\n HIPAA spends a lot of time discussing “reasonable and appropriate administrative, technical, and physical safeguards” for organizations that interact with PHI. With this in mind, now let us agree\u00a0that there is almost nothing less physically safeguarded than a cell phone. They are literally designed to be as small and easily mobile as possible, and they are high-value targets for theft. If your phone is a gateway to your patients’ PHI, either because you store PHI on the phone directly or because the phone is set up to\u00a0access PHI across a network, then you need to take its intrinsic stealability seriously.<\/p>\n Start by assuming that your phone can be stolen at any moment; internalize that you cannot\u00a0put an effective “physical safeguard” on it. Your only option is to plan around\u00a0this vulnerability by adopting the best “administrative” and “technical” safeguards that you can. See what we’re doing there? HIPAA is about processes and systems, and it allows you to compensate for deficiencies in one area\u00a0by beefing up in\u00a0others. You just have to put thought into it.<\/p>\n How to Fix It:2) Your Camera Roll<\/h1>\n
3) Insecure Wi-Fi<\/h1>\n
4) Your Contact List<\/h1>\n
5) It’s Just so Stealable<\/h1>\n
\nAdministrative safeguards:<\/strong> Decide which, if any, PHI you really need to access from your phone. Remove your phone’s access to PHI that you don’t need. If you are storing PHI directly, delete any that you don’t absolutely need. Make it a policy to turn on encryption, passwords, and other technical features wherever you can.
\nTechnical\u00a0safeguards:<\/strong>\u00a0Modern iOS and Android phones use whole-disk encryption when their passcode is enabled. Enable your passcode, and set the phone to wipe if too many incorrect codes\u00a0are entered. After this, if possible, store PHI (or PHI access) only within apps that require\u00a0further authentication after the passcode, such as the Spruce Care Messenger<\/a>. If your phone supports it, also enable the ability to remotely wipe the device, so you can clear its memory from afar if it gets stolen.<\/p>\n6) The Cloud<\/h1>\n