Best Practices: HIPAA and Electronic Communications

Most health care providers have become accustomed to working in an environment where protected health information (PHI) is appropriately handled on a day-to-day basis. Knowing when to require patient signatures prior to releasing records and finding private areas to have conversations with and about patients seems to be second nature, and these scenarios follow some common-sense rules. One area that may be more confusing to providers and patients is electronic communications, most commonly texting and emailing. While these methods might provide a quick and user-friendly way to communicate with patients, there are security concerns pertaining to HIPAA privacy that outweigh the perceived benefits.

One area of risk when texting and emailing using a handheld device such as a smartphone or tablet is the device's size. These devices are generally small and could be easily stolen, thereby allowing PHI to be accessible to the thief. Device passcodes and biometric identifiers (e.g., Touch ID) may help to deter access but do not provide secure protection of the information stored in the device's memory. Another area of concern with texting or emailing arises when using a wireless or cellular network: in this case, PHI is vulnerable to being intercepted in transit over these networks.

It is also important to consider HIPAA security whenever communicating with patients or other providers. For example, if another provider communicates PHI to you via e-mail, simply replying to that message while including the original message text would produce another point of unsecured PHI exposure. Instead, it would be appropriate to respond with a clean, new email informing the other provider that email is unsecured for PHI and offering other acceptable forms of contact for your office (such as mail, fax or phone). In the event secure electronic communication is a requirement, there are methods available to assist with data security when transmitting PHI electronically, such as encryption or a subscription to a secure messaging service.

As a final point, it is appropriate to develop and implement policies for disposing of or recycling devices on which PHI has been exchanged. This could include anything with memory, including handheld devices, computers, and fax and copy machines. It would be a security-conscious decision to personally ensure destruction of the memory components of any of these devices. In the case of leased equipment, where there may be pushback from the vendor about destroying the memory component, the only way to truly verify its destruction is to acquire that component via purchase or other arrangement. This allows personal accountability for any PHI that may be contained in the memory.

There is a plethora of information on the internet about HIPAA and security. HealthIT.gov is an excellent resource that offers training materials and guidance on this topic.