5 common HIPAA violations in mobile communications (and how to avoid them)

HIPAA is the much lauded, often misspelled, and sometimes ignored Health Insurance Portability and Accountability Act of 1996, a federal law that specifies who can look at, receive, and use patients’ health information as well as measures that protect the confidentiality, integrity, and security of the information. Although the health IT landscape has evolved dramatically since HIPAA was introduced, what hasn’t changed is the ease with which its standards can be violated in the pursuit of delivering patient care.

As we all know, sensitive patient data is everywhere. It’s in electronic health records, medical images, lab results, billing files, research initiatives, and even provider communications. There are seemingly endless ways protected health information (PHI) can be exposed throughout a hospital or health system. It must be handled with proven security methods during creation, transfer, and storage — and even disposal. With security and privacy issues on the rise in 2021, it’s critical to be fully aware of and educated on how every employee and partner uses, shares, and stores patient data to avoid noncompliance, reputational harm, and serious financial penalties.

Avoiding HIPAA fines

No health system wants to face HIPAA fines from the Department of Health and Human Services Office for Civil Rights (OCR). Organizations are assessed penalties for a variety of HIPAA infractions, ranging from pervasive systemic noncompliance to lack of risk analysis to a failure to implement safeguards for the information that is most vulnerable to being compromised. In the event of a breach, it’s important to show your organization has done its homework regarding the protection of sensitive information. Meeting the stipulations of the HIPAA Privacy Rule (which applies to electronic, written, and oral PHI) as well as the Security Rule (which requires effective security protocols for electronic health information) can be accomplished with the right approach.

Frequent HIPAA violations and ways to steer clear

1. Failing to assess organizational risk

Due diligence is the name of the game when it comes to HIPAA. Putting off an assessment of where and how PHI can be accessed and exploited will ultimately result in catastrophe. Organizations are frequently cited for this failure, which is tantamount to pretending cyber threats don’t exist and wishing away potential problems.

Organizations frequently overlook mobile communications because the communication is often between user-owned devices, like smartphones and tablets. Consider these organizational risk questions:

  • Have you assessed the risks associated with privately owned (BYOD) mobile devices?
  • Have you mandated a secure HIPAA-compliant mobile communication solution?
  • Do your users use unsecure communication methods like SMS text messages or unencrypted emails?
  • If you have a prescribed method for secure mobile communication, have you validated whether your workforce is using it or ignoring it?

Improper use of mobile communication can be a very difficult area to get under control, and ignoring it can pose an organizational risk if the OCR finds a lack of adequate risk assessment and mitigation.

Solution: Given the old adage that you don’t know what you don’t know, a thorough effort to determine how PHI flows throughout your organization is essential. HIPAA requires that covered entities and business associates perform periodic security risk assessments. This must include an evaluation of the people, systems, and devices involved at every step, spanning both internal and external partners and dependencies. Once you’ve completed your assessment, develop a mobile policy that becomes a living template for governing how your organization will use mobile devices, including user-owned devices, in a HIPAA-compliant manner.

The more effective your clinical communication solution is at supporting clinician communication and clinical workflows, the more likely your staff will adopt the HIPAA-compliant solution and comply with policies. Training on your policies and auditing workforce adoption of mandated communications tools are key components to effectively address this significant HIPAA risk area.

2. Disclosing PHI via unsecure communication methods

Carelessly handling PHI in communication is a major issue. But texting just seems so simple and innocuous, right? A clinician needs a consult on a patient and zips off a text to an on-call physician. But the text contains the patient’s name and identifying case details, and the texting app of choice is a consumer option and not a HIPAA-compliant texting app. A big mistake, but a common one.

Even during the nationwide public health emergency caused by COVID-19, the OCR is still encouraging healthcare providers to use secure solutions to protect patient information.

So is texting secure? Short answer: That depends.

SMS texting apps that come standard on Apple iOS or Android phones are simply not secure. Consumer texting apps don’t cut it when it comes to the level of security required for healthcare communication. While some offer encryption, few provide the necessary security and access to complementary tools such as the enterprise directory, on-call schedule, and clinical alerting that make them truly effective.

Solution: When your health system’s secure messaging solutions don’t provide significant functional benefits over the ease of SMS texting, users aren’t likely to adopt the approved messaging solution. As staff continue to use SMS texting, they will continue to exchange unsecure PHI.

Encrypted paging is often a key component of a healthcare organization’s secure communication strategy. Encrypted pagers offer a low-cost option to provide secure messaging to staff who don’t use smartphones at work or who work in hard-to-reach places where smartphones lose reception.

3. Overlooking the audit trail

Hospitals are no strangers to audits, so why do many overlook the need to maintain a log of electronic provider correspondence? Having zero visibility into the precise actions requested and taken to coordinate care is a definite blind spot.

Solution: Not only should provider communication be guarded from a security standpoint, but it also should be captured in an unalterable audit trail with date and time stamps alongside the messages. This supports HIPAA compliance as well as the ability to perform a root-cause analysis associated with a sentinel event, quality improvement initiative, or a malpractice claim.
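One way to make the audit trail described above tamper-evident, shown as an added example that is not from the original article or from any Spok product: each timestamped message record carries an HMAC that also covers the previous record's MAC, so an edited, removed, or reordered record fails verification. The field names, key handling, and sample messages are assumptions constructed for illustration, and this detects alteration rather than preventing it.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_mac value for the first entry


def entry_mac(key: bytes, entry: dict) -> str:
    """HMAC-SHA256 over every field except the entry's own MAC (canonical JSON)."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log, key, timestamp, sender, recipient, message):
    """Append a timestamped message record bound to the record before it."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp,  # UTC, ISO 8601
        "sender": sender,
        "recipient": recipient,
        "message": message,
        "prev_mac": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = entry_mac(key, entry)
    log.append(entry)
    return entry


def verify_chain(log, key, expected_head=None):
    """Return -1 if intact, else the index where verification first fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_mac"] != prev:
            return i  # record removed, inserted or reordered
        if not hmac.compare_digest(entry["mac"], entry_mac(key, entry)):
            return i  # record content or timestamp edited
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # records truncated from the end
    return -1


def build_sample_log(key):
    """Constructed sample messages; no real patient or staff data."""
    log = []
    append_entry(log, key, "2021-03-01T14:02:11Z", "rn.unit4", "md.oncall", "Consult requested, bed 12")
    append_entry(log, key, "2021-03-01T14:03:40Z", "md.oncall", "rn.unit4", "Acknowledged, on my way")
    append_entry(log, key, "2021-03-01T14:20:05Z", "md.oncall", "rn.unit4", "Orders entered")
    return log
```

The MAC key has to be held outside the system that stores the log, and the latest MAC (`expected_head`) recorded somewhere separate, otherwise records dropped from the end of the trail go unnoticed.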

4. Taking a lax approach to information access

Which personnel can access which types of information needs to be well-defined for consistency with HIPAA’s “minimum necessary” standard. The accounting department, contact center, leadership team, and clinicians all need access to different information to do their jobs well. Unfortunately, malicious insiders have been known to access and exploit sensitive data simply because it wasn’t properly protected.

Solution: Particularly when it comes to mobile communication tools and solutions, a strong password policy and multi-factor authentication are crucial to prevent unauthorized eyes from accessing information they shouldn’t. Role-based permissions are key, and shared credentials are a definite no-no.

5. Lacking the ability to remotely wipe PHI

Smartphones and other devices can be easily lost or stolen. When they are, the massive amount of data housed on these pocketsize computers is at risk. This means text-based exchanges about patient treatment plans, provider contact information, and imaging could be exposed. Particularly if this content exists on a device without proper access controls (see above), this common situation could quickly become a major reportable breach.

Solution: A secure messaging app should offer your IT team the ability to enforce strong access controls and remotely wipe data in the event a device used in a health system is lost or stolen, or if an employee or clinician is terminated or no longer credentialed to practice at your organization.

Locking down patient information

Patient PHI is everywhere in today’s hospitals. Meeting HIPAA standards for its protection should be a focal point for healthcare leaders as they strive to avoid data breaches and fines as well as the loss of their good standing in the eyes of the community. Spok provides peace of mind for safeguarding PHI and maintaining an audit trail across enterprise-wide clinical communication. Spok also maintains exceptional standards of security as a third-party partner. 

Ready to rectify PHI wrongs?

Check out the Guide to Secure Messaging in Healthcare to fully understand the steps required to improve your handling of patient PHI and avoid HIPAA violations.
