Corporate Compliance

Q&A: Using mobile phones to communicate PHI

Compliance Monitor, October 27, 2010

Q: Can mobile phones and smartphones be used to communicate patient information?

A: If the mobile phone or smartphone is used to call another provider and share patient information, this is generally considered permissible and not a significant risk, as long as users reasonably ensure that unauthorized individuals cannot overhear the phone conversation. On the other hand, if the mobile phone or smartphone is used to send patient information via text message, it can be a security risk because text messages are not usually encrypted. After conducting a HIPAA-required risk analysis, the provider may decide that text messaging is important to providing quality care, and therefore elect to accept the risk. This would not be a violation of the HIPAA Security Rule as long as the provider documents the decision to accept the risk and the reasons why. However, if there is a breach and an unauthorized individual intercepts the text message including PHI, this would be a breach of unsecure PHI and the breach notification interim final rule would apply.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered these questions.
