There is a concerning practice taking place in healthcare centers across the country: The implementation of personal mobile phones for communicating with care teams and sending patient data. The practice is a clear HIPAA breach, yet text messages, attachments and even photographs and test results are being sent via over insecure networks without data encryption, albeit with individuals allowed to view the data.
Even if the recipient of the message or communication is permitted to have access to that data, sharing PHI over an insecure network without the protection of a firewall is a clear security danger. If messages are sent over the hospital’s password-protected Wi-Fi network this may be permitted under the HIPAA Security Rule; the sending of text messages via an AT&T network for instance, is not.
The Department of Health and Human Services enforces HIPAA compliance through the OCR, which is issuing financial fines for HIPAA violations and taking a particular interest in the use of mobile technologies and communication of PHI in healthcare centers and between healthcare groups. It is an area of particular worry due to the high risk of interception of data in transit and the accidental divulgence of patient data when devices are lost or illegally taken.
The implementation of insecure communication channels has been an issue that the OCR needed to address for some time and it is now getting tough on offenders. When PHI must be communicated between caregivers, standards must exist to ensure the privacy of patients data is not placed under threat.
When a text message is shared it is almost instantly received; however the message may be sent through many servers and the data may remain on those servers for a period of time. The stored data could possibly be accessed and viewed by unauthorized people, which clearly breaches HIPAA regulations. If the data is encrypted, a HIPAA breach can be avoided as even though the data is stored on an insecure server, the data itself is secured as it is encrypted. That could be as easy as using a healthcare messaging app on a Smartphone.
The problem has not yet been completely covered under HIPAA regulations; however it is highly probably that the OCR will issue guidelines and update regulations to cover new technologies and mobile communications in the near future. Meanwhile, healthcare firms and care providers should take particular care not to violate HIPAA regulations and only send PHI through secure mediums.