HIPAA Q&A: Answering service messages

Compliance Monitor, June 6, 2012

Q: Is a physician who uses an answering service and receives unencrypted messages from an answering service in violation of the HIPAA Security Rule?

A: A physician who uses a smartphone to contact an answering service is not in violation of the HIPAA Security Rule. This activity may represent a risk, but mobile and landline telephone transmissions generally don’t require encryption unless the answering service is an automated service that stores messages on a server that is open to the Internet (e.g., cloud-based answering services).
Even then, encryption is not required, but it is strongly recommended. Conduct a risk analysis, identify risks such as those related to unencrypted PHI, and then determine whether those risks are acceptable.
Covered entities and business associates can elect to prohibit physicians and other workforce members from using smartphones to access messages from an answering service. However, this is a decision made at the entity level, and is not a HIPAA mandate.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.