Are Cell Phones HIPAA Compliant?
What are we without our cell phones? In the modern age, smart technology has taken center stage and remains our main form of communication. Whether you work in the medical field or you’re an office worker, chances are that you’re checking your mobile device on a regular basis.
For those in the medical field, this leaves us with the issue of HIPAA compliance. We’re left asking if mobile devices are HIPAA compliant and the ways in which they can pose a potential security risk.
Lucky for you, we’re here to answer your most pressing questions regarding electronic protected health information, the HIPAA compliance of phones, and the ways in which you can ensure HIPAA compliance from your medical staff.
TABLE OF CONTENTS
- What is HIPAA, and What Does it Stand for?
- What are the Security Risks of Cell Phones in Healthcare?
- How Does HIPAA Regulate Cell Phone Use in Healthcare?
- Steps You Can Take to Ensure Your Phone is HIPAA Compliant
- Is Your Healthcare Staff HIPAA Compliant While Mobile?
- What are the Consequences of Using a Cell Phone That is Not HIPAA-Compliant?
- Alternatives to Using a Cell Phone for Communication Purposes
- To Conclude
What is HIPAA, and What Does it Stand for?
HIPAA stands for Health Insurance Portability Act of 1996. Signed into law by President Bill Clinton, it covers several aspects of healthcare. While we won’t go into massive detail here, these are the core features that make up the act:
- Health care access, portability, and renewability. This protects health insurance coverage for workers and their families in the event they lose their jobs.
- Preventing healthcare fraud and abuse. This sets out national standards for health insurance coverage and healthcare transactions.
- The right to privacy. This covers the privacy and security of a person’s medical data, keeping it confidential and ensuring it doesn’t end up in the hands of third parties.
What About HITECH?
HITECH, which stands for The Health Information Technology for Economic and Clinical Health Act, was enacted in 2009 as an economic stimulus bill. Its purpose was to revise and improve the aspects of HIPAA that focus on privacy and security.
It increased the scope of protection for people while also increasing the penalties that can be brought against those who are non-compliant with HIPAA. As a result of HITECH, it became easier to enforce established rules and better protect patients.
What are the Security Risks of Cell Phones in Healthcare?
If a device has access to a medical portal, then it’s a risk. This means that it isn’t just cell phones that have the potential to break HIPAA compliance, but also laptops, tablets, and other smart devices. While we’re focusing on mobile phones here, it’s important to remember that they aren’t the only potential risk.
Mobile devices do have the potential to leak electronic PHI, and this is something that no hospital or medical office can afford to happen – both financially, and in terms of the damage it can do to patients. Additionally, mobile devices are not nearly as secure as in-house computers that are internally linked to the organization’s network.
This is partly because mobile devices don’t have firewalls, antivirus protection, or encryption technology the way computers do. There is also the fact that people tend to lose their mobile devices, and if one that contains sensitive medical information is lost or stolen, the situation can become exceptionally problematic very quickly.
These are some of the most significant risks to using a mobile device that’s connected to a healthcare system’s resources:
- The loss or theft of the mobile device
- Sending information over unsecured WiFi networks
- Using outdated operating systems (security breach risk)
- A lack of adequate authentication
- Sharing devices with others, which can lead to an information breach
- Unencrypted email, which is another security risk
How Do Cell Phones Violate HIPAA Regulations?
This follows on quite nicely from the previous section. Cell phones by themselves are not a violation of HIPAA regulations, but they have the potential to be. All of the examples above are clear reasons why medical professionals should avoid using cell phones for medical information.
It is very easy for smart devices to be compromised because they have less security, and even mobile health apps remain a risk when they are on a mobile phone. Mobile devices are a popular target for cybercriminals and hackers because their systems are easier to access than a PC or laptop. If patient privacy is compromised, the cell phone has violated HIPAA.
How Does HIPAA Regulate Cell Phone Use in Healthcare?
First, it should be noted that the use of mobile devices within the healthcare sector is not prohibited by HIPAA. There are no device-specific rules or regulations, but the same HIPAA regulations that apply everywhere else apply to mobile devices as well.
It doesn’t matter what network or connection you are using, as long as you are making HIPAA-compliant phone calls and ensuring that all data is properly protected and safe. It is the work of the HHS and OCR that ensures the privacy of patients on mobile devices.
It has been compared to the Telephone Consumer Protection Act of 1991 in that the use of mobile devices that receive, transmit, or store PHI must follow a set of specific security measures in order to follow HIPAA compliance.
What are these regulations? You’re about to find out.
Steps You Can Take to Ensure Your Phone is HIPAA Compliant
To reiterate, there is no set of rules that makes a mobile device HIPAA compliant. There are no rules specific to mobile users or third-party service providers; it is simply a case of sticking to the advice and guidelines that have been laid out by the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE).
The guidelines were developed by IT experts within each organization, helping to provide better security for business associates in the medical field. They cover everything from text messages and phone calls to emails shared between health care providers.
Some of the core suggestions include:
- Equip all members with company tablets that contain approved programs and apps for the use of their practice or organization. This also allows you to configure their settings to ensure better security.
- Make the use of strong, HIPAA-compliant passwords mandatory.
- Conduct routine malware checks, updates, and configuration tests on all of the devices that have been handed out, for security purposes.
In addition to these points, there are also the below-suggested guidelines for healthcare professionals to follow.
Make Sure Mobile Devices are Included in Risk Assessments
These risk assessments should be carried out several times a year, and the audit should be performed by a licensed and trusted auditing firm. More specifically, this audit should be a HIPAA/HITECH one to identify and assess any potential risks to:
- Confidentiality of ePHI
- Integrity of ePHI
- Availability of ePHI
This will go through all of the information that your organization stores, processes, or transmits using mobile or desktop devices. It should also be mandatory to ensure that you’ve covered every entity thoroughly and are able to highlight even the smallest risk of a breach.
Enforce Passcode Protection
You must ensure that every cell phone user understands that it is their responsibility to set a passcode on their smart devices and keep the contents properly protected. Where possible, two-factor authentication should always be used to provide the highest level of security.
Ensure Patient Data is Handled Using Secure Apps
There is a list of approved apps from HHS and OCR that have been cleared for sending text messages and automated appointment reminders to patients. The only third-party texting services that should ever be used for medical information or communication must be the ones that are secure and already approved by the medical industry.
This is because SMS text messaging services from standard providers are not secure. Even though companies like Apple have made improvements to the security of their iMessage feature, it is nowhere near secure enough to be reliable for the safety and security of patient information in the medical field.
Advise Staff Not to Use Unsecured WiFi Networks
We’re all tempted to use the WiFi at the local coffee shop when we are on lunch or on the way to the practice. However, even if it is just to send automated appointment reminders, this can still pose a massive risk to security.
Unsecured WiFi networks are a huge danger, and you must remind your staff of this on a regular basis. It only takes a moment to hack into a mobile device through these networks and steal confidential information. Wait until you are at the practice or hospital before you check your email or tap into secure apps.
Provide Extensive Training, Policies, and Procedures
It’s not going to be easy. Everyone in the medical field is busy and overwhelmed all the time, and we understand that. However, it is important to take out the time to implement training for HIPAA compliance with mobile devices because it’s so easy for these things to slip.
Staff need to understand policies and procedures, and they need to be kept up to date on the latest potential threats and on any updates that need to be made to the secure apps they use.
Is Your Healthcare Staff HIPAA Compliant While Mobile?
The truth is, your healthcare staff probably aren’t HIPAA compliant while using their cell phones. This is because it’s so easily forgotten, and very few practices and hospitals remember to go through mobile safety or simply haven’t found the time to do it.
However, a breach of HIPAA can become very costly and damaging, both to you and your patients. As a result, it is essential that you keep your staff updated and help them find the time to go through the rules. It doesn’t take long, and they won’t regret it.
What are the Consequences of Using a Cell Phone That is Not HIPAA-Compliant?
You might want to sit down for this. The penalties that you can receive as a result of using a cell phone that is not HIPAA compliant are:
- Fines of up to $1.5 million – per violation category per year that the violation has been allowed to persist
- Potentially having to cover the costs incurred by a breach if data is exposed
- Damage to your reputation
- Damage to your patients in terms of the leaking of their personal information
Alternatives to Using a Cell Phone for Communication Purposes
If you don’t want to use a cell phone for medical communication, there is nothing wrong with that. It can be difficult to maintain HIPAA compliance, especially when there are so many potential risks associated with using them.
Unfortunately, your list of alternatives remains fairly small. You can’t really send text messages or make phone calls to patients without a cell phone – unless you want to call them from your office while you are there.
However, for emails, you can use a PC, laptop, or tablet. These tend to be much more secure because they have access to security features that cell phones just don’t. Even tablets tend to have firewalls and tighter security features to keep information protected.
If you want to keep using your mobile phone but you aren’t sure how to send text messages or make HIPAA-compliant phone calls safely, there are some great approved apps you can consider. These are:
- Spok Mobile
To Conclude
HIPAA is so important, both for the security of your patients and for the reputation and integrity of your medical practice. Even though cell phones are the main way in which we communicate in the modern age, that doesn’t mean they are without their risks.
If we’re asking whether or not cell phones are HIPAA compliant, the answer is that they are, so long as you are following the security measures we listed and using approved third-party services for sending texts and making calls to patients.
We know it can be a little confusing to try and tackle, but we hope this guide has been able to make things clearer as well as provide you with a little more information on how it all works.