Cell Phone Usage at Work & HIPAA Compliance: Uncovering the Risks

The healthcare industry is increasingly embracing mobile technology, integrating smartphones, tablets, and other portable devices into everyday operations across hospitals, clinics, and other workplaces. This shift towards mobile integration, while offering substantial benefits, also brings with it critical considerations for compliance with HIPAA regulations.

Numerous medical institutions, aiming to reduce expenses, have implemented policies that permit their staff, such as doctors and nurses, to utilize their personal electronic devices for work-related purposes. Alternatively, some organizations choose to provide staff with specialized healthcare mobile devices, finding it a more effective way to control network security.

Integrating smartphones in healthcare involves complying with HIPAA's mandates for covered entities to enforce technical policies and procedures. These strategies are vital to guarantee that Protected Health Information (PHI) is accessible only to authorized personnel. This is particularly important when smartphones and other mobile devices are employed to handle, store, or share electronic PHI (ePHI). These devices need solid security, like user logins and several protective measures, to keep data breaches at bay.

The Office for Civil Rights (OCR) mentions that it is okay to use mobile devices in healthcare, as per HIPAA, but you need to have proper physical, administrative, and tech safeguards. These steps are crucial to keep ePHI (electronic Protected Health Information) safe, whether it is on the devices or stored in the cloud. Moreover, it is imperative to form Business Associate Agreements (BAAs) with any external service providers who will interact with the ePHI. The Office for Civil Rights (OCR) elaborates on this in the HIPAA FAQs for Professionals section on the official hhs.gov website:

“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.”

It is essential that any information stored or sent through these mobile devices is securely guarded to avoid any unauthorized changes, deletions, or access. This includes putting in place robust auditing controls to track access to ePHI and monitor activities that could impact data security.

Risks of Using Mobile Devices in Healthcare

Mobile technology has transformed communication and teamwork among healthcare practitioners, offering straightforward access to cutting-edge health IT tools. Nonetheless, this ease of access is accompanied by specific risks. The Office for Civil Rights (OCR) has issued a cybersecurity newsletter in the past, underscoring the increased dangers linked to using mobile devices for the storage or retrieval of electronic Protected Health Information (ePHI). Misplaced, lost, or stolen portable devices rank among the top causes of security breaches in healthcare.

Despite having security measures in place, there is a significant risk of inadvertently violating HIPAA regulations or internal company policies by those using these devices. In fact, there have been numerous instances where HIPAA violations occurred due to unintended exposure of PHI. Without robust controls, these devices are vulnerable to compromise, potentially leading to the exposure of sensitive ePHI. Moreover, cybercriminals often target smartphones, tablets, and laptops, seeing them as easy access points to infiltrate healthcare networks.

Cell Phone Policy in Healthcare

On the official website of The Office of the National Coordinator for Health Information Technology (ONC), HealthIT.gov, it is recommended that, “Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices.” The website further provides a detailed list of topics and considerations to bear in mind while formulating a cell phone usage policy in the workplace:

1. Mobile Device Management
   • If the organization allows the use of mobile devices, what should the organization do about managing the use of mobile devices?
     • Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
     • Has the organization assigned responsibility to check all mobile devices used for remote access, to find out if selected security/configuration settings are enabled?
     • Should there be a regular review and audit of the mobile devices?
2. BYOD (Bring Your Own Device)
   • Should the organization let providers and professionals use their personally owned mobile devices within the organization?
   • Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
3. Restrictions on Mobile Device Use
   • Does the organization restrict how providers and professionals can use mobile devices?
     • Can providers and professionals use mobile devices to access internal networks or systems, such as an EHR?
     • Are providers and professionals restricted from using mobile devices when they are away from the organization?
     • Can providers and professionals take their mobile devices home?
     • Should the organization allow texting or emailing of health information?
4. Security/Configuration Settings for Mobile Devices
   • Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
     • If so, is the organization's current mobile device configuration document, including connections to other systems/applications, inside and outside of the firewall.
5. Information Storage on Mobile Devices
   • Are there restrictions on the type of information providers and professionals can store on mobile devices?
     • If so, where and for how long should the data be stored?
   • Are providers and professionals allowed to download mobile applications to mobile devices? If so, what type(s) of applications are approved?
6. Misuse of Mobile Devices
   • Does the organization have written procedures for addressing misuse of mobile devices?
7. Recovery/Deactivation of Mobile Devices
   • Does the organization have procedures to wipe or disable a mobile device that is lost or stolen?
   • Does the organization have standard procedures to recover mobile devices from providers and professionals when their employment or association with the organization ends?
8. Mobile Device Training
   • How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures?
   • How does the organization hold its workforce (management, doctors, nurses, and staff) accountable for non-compliance?

Is Texting HIPAA Compliant?

For HIPAA-covered entities, transmitting electronic Protected Health Information (ePHI) over an unsecured network, such as through SMS messages, constitutes a violation of HIPAA regulations. The security of the SMS network is questionable, presenting a significant risk of ePHI interception. To comply with HIPAA and minimize the risk of data breaches, it is essential to transmit ePHI exclusively through secure channels that offer end-to-end encryption.

While many might then ask, “Is iMessage HIPAA compliant?”, the recommendation would also be to avoid this form of communication when transmitting PHI. Back in 2012, Apple rolled out iMessage, a new messaging app. It lets you send iPhone texts, pics, and videos from your device to other Apple gadgets and Macs, whether you are on Wi-Fi or using data. These chats are kept safe with encryption, but Apple also hangs onto your iMessages on their servers for about a month. And if you want, you can back up your messages to iCloud too. HIPAA mandates additional security features for messaging platforms, such as unique user logins and PINs, message monitoring, and automatic logoffs, areas where iMessage and similar platforms are often lacking. The Apple iCloud Terms and Conditions explicitly states:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) your or any third party’s business associate.”

Are Cell Phone Calls HIPAA Compliant?

Phone conversations with patients can comply with HIPAA regulations as long as they align with the purposes for which patients have given implied consent. If the topic of the call deviates from these agreed-upon purposes, the healthcare provider must obtain the patient's consent beforehand. When following HIPAA guidelines on a call, healthcare providers need to start by saying who they are and giving their contact information before they talk about why they are calling. The Federal Communications Commission (FCC) advises keeping phone calls short, around a minute, and texts brief, no more than 160 characters. Furthermore, it is suggested that healthcare practitioners restrict their interactions with patients to prevent excessive communication. This involves not making more than three phone calls to a patient within a week and sending no more than one text message daily. Importantly, using a personal cell phone for patient calls can lead to HIPAA violations if the patient's contact details are stored on the phone and it lacks adequate security measures to prevent unauthorized disclosure of ePHI in case the phone is misplaced or stolen.

Is Apple iCloud HIPAA Compliant?

Launched on October 12, 2011, iCloud is a cloud-based service developed by Apple Inc. It provides users the capability to store their data and keep it synchronized across multiple devices. Known for its excellent authentication and access control features, iCloud ensures data encryption both at rest and during transmission. Apple's encryption standards are strong enough to meet the basic HIPAA compliance requirements. However, vendors handling Protected Health Information (PHI) or electronic PHI (ePHI) in any capacity — whether creating, transmitting, processing, storing, receiving, or maintaining it — must comply with HIPAA regulations AND enter into a Business Associate Agreement (BAA) before any PHI or ePHI can be exchanged between organizations. To this end, Apple does not engage in BAAs and explicitly mentions in its iCloud Terms and Conditions that the storage of PHI on iCloud is not allowed, as it would constitute a breach of HIPAA regulations.

Is Google Voice HIPAA Compliant?

Google Voice, established in 2009, is a Voice over Internet Protocol (VoIP) service that enables users to make and receive calls, send text messages, and forward calls from one number to another, streamlining communication management via a phone. For healthcare organizations handling Protected Health Information (PHI), the paid version of Google Voice within Google Workspace is deemed HIPAA compliant. However, the free version of Google Voice should not be used for professional purposes involving PHI by healthcare entities or their employees, as it does not meet HIPAA compliance standards.

The "conduit exemption" under HIPAA, detailed in the HIPAA Omnibus Final Rule, exempts certain entities transmitting PHI from the HIPAA Security Rule, but this does not include Google Voice. As Google Voice is not classified as a "conduit," it must fully comply with HIPAA regulations. This compliance involves implementing safeguards like access and authentication controls, secure data transfers, and appropriate data storage methods. Additionally, under HIPAA, healthcare organizations must sign a Business Associate Agreement (BAA) with any business associates before sharing PHI with them. Thus, for using Google Voice in contexts involving personal health data, it is essential to have a signed BAA with Google.

It is important to note that while Google Workspace can comply with HIPAA standards, it is not automatically configured for HIPAA compliance upon purchase. Users must actively configure settings such as access controls, audit controls, user authentication, and encryption to meet compliance requirements. Signing a Business Associate Agreement (BAA) with Google is an important initial action, yet it is just a step in the comprehensive procedure to guarantee that Google Voice is utilized in accordance with HIPAA standards.

How Can I Make My Cell Phone HIPAA Compliant?

Although there is not a one-size-fits-all solution to guarantee that every application, communication, and activity on a personal cell phone adheres to HIPAA standards, healthcare organizations and their staff can take several proactive measures to prevent HIPAA violations or data breaches and strive for a HIPAA compliant phone. The HealthIT.gov website provides various tips for safeguarding and securing health information when utilizing a mobile device:

Use a Password or Other User Authentication

Authentication is the process of verifying the identity of a user, process, or device. Mobile devices can be configured to require passwords, personal identification numbers (PINs), or passcodes to gain access to it. The password, PIN, or passcode field can be masked to prevent people from seeing it. Mobile devices can also activate their screen locking after a set period of device inactivity to prevent an unauthorized user from accessing it.

Install and Enable Encryption

Encryption protects health information stored on and sent by mobile devices. Mobile devices can have built-in encryption capabilities, or you can buy and install an encryption tool on your device.

Install and Activate Remote Wiping and/or Remote Disabling

Remote wiping enables you to erase data on a mobile device remotely. If you enable the remote wipe feature, you can permanently delete data stored on a lost or stolen mobile device.

Remote disabling enables you to lock or completely erase data stored on a mobile device if it is lost or stolen. If the mobile device is recovered, you can unlock it.

Disable and Do Not Install or Use File Sharing Applications

File sharing is software or a system that allows Internet users to connect to each other and trade computer files. But file sharing can also enable unauthorized users to access your laptop without your knowledge. By disabling or not using file sharing applications, you reduce a known risk to data on your mobile device.

Install and Enable a Firewall

A personal firewall on a mobile device can protect against unauthorized connections. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules.

Install and Enable Security Software

Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks.

Keep Your Security Software up to Date

When you regularly update your security software, you have the latest tools to prevent unauthorized access to health information on or through your mobile device.

Research Mobile Applications (Apps) Before Downloading

A mobile app is a software program that performs one or more specific functions. Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of. Use known websites or other trusted sources that you know will give reputable reviews of the app.

Maintain Physical Control

The benefits of mobile devices - portability, small size, and convenience - are also their challenges for protecting and securing health information. Mobile devices are easily lost or stolen. There is also a risk of unauthorized use and disclosure of patient health information. You can limit an unauthorized users’ access, tampering or theft of your mobile device when you physically secure the device.

Use Adequate Security to Send or Receive Health Information Over Public Wi-Fi Networks

Public Wi-Fi networks can be an easy way for unauthorized users to intercept information. You can protect and secure health information by not sending or receiving it when connected to a public Wi-Fi network, unless you use secure, encrypted connections.

Delete All Stored Health Information Before Discarding or Reusing the Mobile Device

When you use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, you can protect and secure health information from unauthorized access. HHS OCR has issued guidance that discusses the proper steps to take to remove health information and other sensitive data stored on your mobile device before you dispose or reuse the device.

Compass IT Compliance Makes HIPAA Compliance Easy

When properly secured, the integration of mobile devices in healthcare settings can greatly enhance efficiency, productivity, and patient care results, while simultaneously cutting down on operational expenses. The main objective is to make certain that these devices neither infringe on patient confidentiality nor become susceptible to network security breaches.

Compass IT Compliance offers tailored solutions that not only align with HIPAA regulations but also fit seamlessly into the dynamic environment of healthcare IT. From developing comprehensive mobile device management strategies to conducting thorough risk assessments and audits, our services are designed to ensure that your organization's use of mobile technology enhances patient care without compromising security and compliance. We provide the tools and guidance necessary for healthcare entities to confidently implement and manage mobile technologies, ensuring that patient data is protected and that your organization stays ahead of the curve in compliance and security standards. With Compass IT Compliance, healthcare providers can embrace the benefits of mobile technology, secure in the knowledge that their compliance and security needs are expertly managed. Contact us today to learn more and discuss your unique HIPAA challenges!