
HIPAA Demands Smart Decisions for Smart Phones

If you had to guess how many Americans use a smartphone, what would your answer be? If it seems to you like they’re everywhere, you’re right! Here’s proof that we’ve officially embraced the mobile technology revolution: as of January 2017, about three-quarters of Americans owned a smartphone (that number is likely higher now) [1]. We rely on them for everything: calls to others, entertainment, information, and the list goes on. We’re counting on them so much, in fact, that the average user spends almost 3 hours per day on a smartphone, and 51% of us check our phones a few times per hour [2]! While it seems smartphones have become a new human appendage, it’s important to recognize when their use is appropriate and when it’s not, especially in the workplace. As a HIPAA covered entity, business associate, or business associate subcontractor, it’s even more important to gauge when, or if, PHI should be accessed or stored on personal devices at all.

Should smartphones be used to access PHI?

Last week, the Oklahoma Department of Veterans Affairs allegedly violated HIPAA Rules when the Department allowed medical aides to access electronic medical records using their smartphones. A scheduled internet outage (where was their contingency plan?) prevented employees from gaining access to veterans’ medical records, potentially causing significant disruption and preventing “hundreds” of veterans from receiving their medications. Now, three Democratic lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident, have accused the center of a HIPAA violation. The matter is still under investigation, and lawmakers are disputing whether HIPAA laws were violated [3]. Were HIPAA rules broken in this case? We will see, but should smartphones ever be used to access PHI?

What HIPAA says about mobile devices

It’s possible to maintain the integrity of PHI using a mobile device, but if security measures are insufficient, covered entities are at risk of violating HIPAA regulations. Entities that use mobile devices in the workplace must implement data security controls to protect any patient health data that is accessed through the device, stored on it, or transmitted by it. Mobile devices often lack adequate security controls and encryption, exposing the PHI saved on them. They’re also easily lost or stolen because they are carried everywhere. Cybercriminals view them as a natural entry point into healthcare networks. Network security is a further concern: devices like smartphones frequently connect over public Wi-Fi.

If your organization is going to allow mobile devices, a host of rules, policies, and procedures must surround them to avoid a breach. HIPAA Rules require that you complete a Risk Assessment documenting administrative processes, physical security controls, and technical procedures, which includes reviewing all systems and equipment capable of storing, transmitting, or touching ePHI (including smartphones)! Your Risk Assessment document must be a living one.

Using your Smartphone’s Camera

Here’s another case where smartphone use and HIPAA collide. In September 2017, the University of Pittsburgh Medical Center was under investigation after several nurses and doctors lined up at the door of an operating room to take pictures and videos of an unconscious man with what was described as a “medical anomaly.” Medical workers used the cameras on their smartphones to capture the medical wonder and then shared the files with others without consent from the patient. The Pennsylvania Department of Health reported that the material taken on personal cell phones “had no clinical justification,” and staffers “shared those videos and photographs to others uninvolved with the patient’s care.” Risk Assessments must be performed on an ongoing basis. The hospital’s CEO suspended the attending physicians and ordered them to repeat HIPAA training. A clear violation of HIPAA? Absolutely! [4]

HIPAA Rules surrounding patient photos

HIPAA does not require health care providers to obtain permission before taking pictures if they are to be used in the patient’s medical care or placed in their medical record. Providers can also use these pictures for training and teaching purposes, such as teaching medical students, as long as they don’t contain identifying information. Identifying information includes things like the patient’s name, the patient’s face or recognizable facial details, and tattoos or unique birthmarks. They can also use them in outside settings such as conferences, as long as they contain no identifying information. If the photos include identifying information, they can’t be used unless the patient gives written permission.

Using Mobile Devices Wisely

Like it or not, smartphones are part of our existence today. To avoid your own HIPAA violation, make sure you have robust data security measures in place to protect any PHI that could pass through smartphones. Regularly conduct a Risk Assessment. Ensure your employees are reminded of the rules surrounding mobile devices during your annual HIPAA training. Make sure your organization has a Bring Your Own Device policy in place that outlines policies, standards, and other rules for personal devices like smartphones, tablets, and laptops.

Health and Human Services’ Office for Civil Rights October 2017 newsletter offers terrific guidance on using mobile devices. You can find it here: Mobile Devices and Protected Health Information (PHI).

Total HIPAA can help you with all of your HIPAA documentation and training needs, including contingency planning, risk assessments, and your BYOD policy. Please let us know how we can help.

  1. http://www.pewresearch.org/fact-tank/2017/01/12/evolution-of-technology/
  2. https://www.bankmycell.com/blog/smartphone-addiction/
  3. https://newsok.com/article/5604107/state-lawmakers-allege-veterans-affairs-committed-hipaa-violation-director-calls-that-unfathomable
  4. https://www.cnn.com/2017/09/15/health/upmc-denver-patient-genitals/index.html
