Technology has evolved in ways never imagined when the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Email, social media and cell phones have become ubiquitous tools in our work and personal lives, often blurring the lines between the two. HIPAA requires that all covered entities and business associates have secure technology for the electronic transmission of Protected Health Information (PHI), as well as policies and training in place for all employees to avoid breaches.
HIPAA’s Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. Some common patient identifiers are names, birthdates and medical record numbers. Other, less obvious ones include vehicle license plate numbers, URLs and IP addresses. Healthcare professionals must know and understand the entire list of 18 patient identifiers. Any one of the 18 identifiers, when related to a patient’s health condition, healthcare provision or payment data, is considered PHI.
Below are basic guidelines for employees of covered entities and business associates when using email, cell phones and social media to avoid HIPAA breaches.
Email: Secure Systems Required
If the body of an email or its attachments contains PHI, it must be sent through a secure system that uses state-of-the-art encryption methods. However, if a patient requests the use of unsecured email and acknowledges the risks, either verbally or in writing, the covered entity or business associate is no longer liable for any PHI disclosures that may occur.
HIPAA breaches occur when employees neglect to use encrypted email, even when sending emails to colleagues within the same medical practice or company. For example, an email from a physician to another physician containing a patient’s name and diagnosis must be encrypted.
Among healthcare workers, email attachments often contain PHI. Healthcare professionals should take precautions and always use encryption when sending or forwarding emails with attachments that may contain PHI such as itemized statements for medical services rendered, medical records and spreadsheets with aggregated information.
Cell Phones: The Problem in Our Pockets
You would be hard pressed to find a healthcare worker who doesn’t use a cell phone or other mobile device while on the job. Here are a few guidelines to avoid HIPAA violations:
Mobile devices should be secured, password protected and not shared with others
Users should transmit data via secured Wi-Fi networks
Users should encrypt emails sent or received on mobile devices
Mobile users should take care not to take photos or videos that capture patient identifiers, for any reason, even as a means to communicate information with co-workers and business associates
For example, a physician who has a question about coding might assume that it is permissible to take a photograph of a patient’s chart and email it to her medical coding firm. This would be allowable only if the physician’s phone was password protected and equipped with encryption technology, she was using a secure Wi-Fi network and the image was not stored on her device or in the cloud.
While there is no specific HIPAA rule regarding cell phone usage, many healthcare organizations apply their overarching HIPAA policies to them. After conducting a mandatory risk assessment, all covered entities should provide secure technology and extensive training on mobile device policies and procedures for their employees.
Social Media: Only with Written Permission
Medical practices oftentimes include patients in social media posts as part of their marketing and promotion strategy. Images of patients and other PHI can be included in social media posts only if a patient has given his or her written consent, and then only for the purpose specifically mentioned in the consent form.
Common social media HIPAA violations include:
Posting of images and videos of patients without written consent
Posting of any information that could allow an individual to be identified
Sharing of photos, videos or text on social media platforms, even within a private group
Posting of gossip about patients
Protect Patients, Clients and Ourselves
Email, cell phones and social media are a part of our daily lives and can be especially susceptible to security breaches and HIPAA violations. Covered entities and their business associates must have physical, network and process security measures in place and follow them to ensure HIPAA compliance. Our healthcare information is a private matter, and it is the duty of those who provide any form of healthcare services to protect it.