Health Information Management

Q&A: Using mobile phones and smartphones to communicate patient information

HIM-HIPAA Insider, November 16, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. Can staff members communicate patient information via mobile and smartphones?

A. If one provider uses a mobile or smartphone to call another provider and share patient information, this is generally considered permissible and not a significant risk, as long as users reasonably ensure that unauthorized individuals cannot overhear the phone conversation. 
 
On the other hand, if the provider uses the mobile or smartphone for text messaging of patient information, it can be considered a security risk because text messages are not usually encrypted. 
 
The provider may decide, after conducting a HIPAA-required risk analysis, that text messaging is important to providing quality care. The provider can elect to accept the risk. This would not be a violation of the HIPAA Security Rule as long as the provider documents the decision to accept the risk and the reasons why. 
 
Remember, though, that if a breach occurs and the text message including PHI is intercepted by an unauthorized individual, this would be considered a breach of unsecure PHI and the breach notification interim final rule would apply.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR answered this question, which originally appeared in the November issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular