Healthcare providers and healthcare-related businesses are subject to all the same pressures to adopt new technologies for information management that any modern business is, including portable devices such as smart phones and tablets. Using modern technologies can help improve patient care and the overall patient experience, while cutting costs and improving efficiencies of operation.
But healthcare-related businesses that manage personal information also have obligations to protect individually identifiable information about individuals’ health, health care, health care services, and payment for such services, known as “PHI,” or Protected Health Information, under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. HIPAA enforcement is on the increase, and mobile devices have shown themselves to be a prime source of breaches, according to information published on the US Department of Health and Human Services Web site identifying large breaches affecting more than 500 individuals, known informally as the “HIPAA Wall of Shame.” Under the HIPAA Security Rule, entities have an obligation to consider the security of data in motion and at rest and take the necessary steps to protect it from improper uses or disclosures. When PHI is sent to a portable device as a text message, as an e-mail, or using some other communication method, such as a browser or an app, there are two considerations.
First, is the communication secure? Do we know who the communicating parties are, and is the method of communication protected from interception or alteration? Proper authentication and authorization of both the device and the user must be in place, including requirements that the user of the portable device be identifiable and auditable. Any actual transmission of information containing any PHI must be secured by encryption to manage the risks of exposure or alteration. The only reasonable exception would be communication with an individual (a patient, not a staff member or business partner) who has exercised their rights under HIPAA and has specifically requested unencrypted communications, has had the risks of doing so explained to them, and has accepted those risks.