HIPAA Q&A: Answering service messages

HIM-HIPAA Insider, May 28, 2012

A: If a physician uses his or her smartphone to contact an answering service, it is not a violation of the HIPAA Security Rule. It may represent a risk, but generally phone transmissions (mobile and landline) do not need to be encrypted unless the answering service is an automated service where messages are stored on a server that is open to the Internet (such as a cloud-based answering service).

Even then, encryption is not required, but it is strongly recommended. Conduct a risk analysis, identify risks such as those related to unencrypted PHI, and then determine whether those risks are acceptable risks. A covered entity or business associate can elect to prohibit physicians and other workforce members from using a smartphone to access messages from an answering service. That, though, is a decision that is made at the entity level and is not a HIPAA mandate.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.