Corporate Compliance

Q&A: HIPAA and cell phones

Compliance Monitor, June 10, 2009

Q: I keep hearing rumors that the Department of Health and Human Services (HHS) will modify HIPAA to include rules on cell phone use by employees in the workplace. I already know some physician practices don’t allow cell phones in the office. Is HHS going to rule on this?

A: There is no specific rule. A number of healthcare organizations have restricted use of cell phones by employees, patients, and visitors for a couple of reasons (besides interfering with biomedical equipment in some areas of facilities). The first reason is that most cell phones have cameras, and there is a privacy concern that pictures will be taken of patients or patient information. The second reason is that, generally, text messaging is not secure and represents a security risk if the text message includes PHI.

Verizon, for example, offers a very secure BlackBerry network, but that only protects the text message if it is sent to another individual on the same network. If the text is sent to another carrier, the text is not secure. Also, software on the market allows the encryption of text messages between cell/smart phones, but the drawback is that the software needs to be installed on both the sender's and the recipient's phones to be of any use. Cell phone use can represent a security and privacy risk depending on how the phones are used, but no specific regulations prevent their use.

This reader-submitted question was answered by Chris Apgar, CISSP. If you have a compliance question for our experts, send it to Compliance Monitor's editor, Ben Amirault.
