Will HIPAA haunt you? 4 risky ways you could be using your mobile device

In recognition of Halloween, we’re going to dive into a hair-raising, spell-binding topic—HIPAA violations. Eek!

More specifically, HIPAA violations that occur every day across hospitals and healthcare systems by a seemingly innocent means of communication: Messages sent on your smartphone.

Of course, using standard text messaging or a consumer app (like iMessage, WhatsApp, etc.) is easy, familiar, and convenient—making it an understandable, but very risky, choice for patient-care related communications.

A study in the Journal of Hospital Medicine found that over half of hospital-based clinicians receive text messages at least once a day for patient-care related communications. Our most recent mobility survey revealed 23% of healthcare professionals have challenges with staff using consumer messaging apps (like iMessage, WhatsApp, etc.) for patient care coordination. Now that’s spooky.

Though mobile devices provide instant communication and access to information, those benefits don't come without risks. Recently, the University of Texas MD Anderson Cancer Center was hit with a $4.3 million HIPAA fine, a ghastly reminder of what ignoring unencrypted devices can cost.

Securing your mobile devices to protect protected health information (PHI) can be extremely difficult. Yet it's completely necessary to protect you, your organization, and your patients.

Ask yourself these four questions to understand if your smartphone is putting you or your organization at risk:

1. Are these messages encrypted?

Standard text messages are not encrypted end to end. The two transports a phone uses by default are short message service (SMS) for texts and simple mail transfer protocol (SMTP) for email, and neither was designed with confidentiality in mind. An SMS message is handled in the clear by the carrier's message center and sits in plaintext in the built-in messaging app on both handsets; the cellular link may be encrypted, but that protection belongs to the carrier, not to you or your patient. SMTP email can be encrypted between mail servers with STARTTLS, but that is opportunistic and hop by hop, so a message rests in plaintext on every server in between and remains exposed to unauthorized access, spam, and phishing.

2. Can I lock my texting application separately?

If the messages on your mobile device can be opened without a password, they are far less protected and far more likely to be read by someone unauthorized. Unfortunately, your phone can be lost or stolen at any moment, leaving you with no control over the PHI stored on the device.

3. Can my clinical messages be remotely wiped?

It's often not possible to remotely remove only the messages related to patient care from a standard mobile device. Secure messaging apps give your IT team the ability to remotely remove all in-app messages if the device is lost or stolen, which guards the PHI while preserving the personal data on the phone in case the device is recovered.

The final, overall question to consider is:

4. Are my messages that contain PHI encrypted from the time they leave my fingers until the recipient’s app is unlocked and decrypts them?

It’s a tough bar to hit. On the bright side, secure messaging adoption is growing. In 2017, our mobility survey showed 52% of hospitals use a secure messaging solution. That number rose to 56% in 2019, with 57% reporting they are currently evaluating a solution.

See the full results of our 2019 mobile communications in healthcare survey in our free report.

You can refer to this handy table to determine how to make your messages containing PHI secure (and safe from a HIPAA violation).

Capability | Standard mobile device (SMS or email) | What HIPAA requires
Encrypted message transport | SMS and most SMTP email transport carry no end-to-end encryption | Entities must "consider the use of encryption for transmitting ePHI"
Ability to lock the messaging application and require a password to read messages | No separate password for the built-in messaging app; anyone who unlocks the phone can read the messages | Entities must "implement technical policies and procedures that allow only authorized persons to access Protected Health Information"
Ability to wipe all messages remotely in case of loss or theft, without wiping the whole device | Not possible to separate PHI from personal information the device's owner may wish to keep | Entities must maintain "reasonable and appropriate administrative, technical, and physical safeguards" to protect PHI
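To make the three rows of the table concrete, here is an added example (not code from the original post or from any vendor's app) that models a secure messaging app in plain Python with only the standard library. A message is encrypted before it leaves the sender's device and the relay only ever holds ciphertext (row 1); the pairwise message key is stored wrapped under a key derived from the app passcode, so the app lock is a cryptographic boundary rather than a UI gate (row 2); and a remote wipe destroys only the app's store and wrapped key, leaving the owner's personal files untouched (row 3). Two things are assumptions of the example: the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM, which the standard library does not provide; and the pairwise key the two clinicians share is taken to come from an enrollment step that is not modelled. The clinician names, passcodes and the sample PHI message are constructed.

```python
"""Added example, not from the original post: a toy model of the table's three
properties using only the standard library. HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag stands in for a real AEAD (AES-GCM); the pairwise key the
two clinicians share is assumed to come from an enrollment step not modelled."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # passcode stretching for the app lock


def _subkeys(key):
    """Separate encryption and MAC keys from one 32-byte master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Constant-time tag check before decrypting; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or message tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureMessagingApp:
    """One clinician's app. The pairwise key is stored only wrapped under a key
    derived from the app passcode, so the app lock (row 2) is a cryptographic
    boundary; remote wipe (row 3) destroys the app store and wrapped key only."""
    def __init__(self, name, passcode, pairwise_key, relay):
        self.name, self.relay = name, relay    # relay: dict of opaque blobs, holds no key (row 1)
        self.salt = secrets.token_bytes(16)
        self.wrapped_key = seal(self._derive(passcode), pairwise_key)
        self.store = []                        # received blobs, ciphertext at rest
        self.personal = {"photo.jpg": b"..."}  # constructed stand-in for non-PHI data
        self._key = None                       # plaintext key exists only while unlocked

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, PBKDF2_ROUNDS, 32)

    def unlock(self, passcode):
        if self.wrapped_key is None:           # wiped: nothing left to unlock
            return False
        try:
            self._key = open_sealed(self._derive(passcode), self.wrapped_key)
            return True
        except ValueError:                     # wrong passcode: key never materialises
            return False

    def send(self, to, text):
        if self._key is None:
            raise PermissionError("app is locked")
        self.relay.setdefault(to, []).append(seal(self._key, text.encode()))

    def sync(self):
        self.store.extend(self.relay.pop(self.name, []))

    def read(self):
        if self._key is None:
            raise PermissionError("app is locked")
        return [open_sealed(self._key, b).decode() for b in self.store]

    def remote_wipe(self):
        self.store.clear()
        self.wrapped_key = self._key = None    # personal data deliberately untouched


def demo():
    """Walk one constructed PHI message through the model; report what each check found."""
    relay, pairwise = {}, secrets.token_bytes(32)   # pairwise key assumed from enrollment
    sender = SecureMessagingApp("dr_a", "correct horse", pairwise, relay)
    receiver = SecureMessagingApp("dr_b", "staple battery", pairwise, relay)
    phi = "Bed 4: K+ 6.1 mmol/L, start treatment"
    sender.unlock("correct horse")
    sender.send("dr_b", phi)
    wire = relay["dr_b"][0]                          # what the server or carrier sees
    result = {"relay_sees_plaintext": phi.encode() in wire}
    receiver.sync()
    result["wrong_passcode_unlocks"] = receiver.unlock("guess")
    receiver.unlock("staple battery")
    result["messages"] = receiver.read()
    receiver.remote_wipe()                           # device reported lost
    result["unlock_after_wipe"] = receiver.unlock("staple battery")
    result["personal_data_survives"] = "photo.jpg" in receiver.personal
    return result
```

Running `demo()` shows the relay never holds the plaintext, a wrong passcode never produces a usable key, the real passcode decrypts the stored message, and after a remote wipe even the right passcode recovers nothing while the owner's photo is still there. The point the table makes is visible in the code: the boundary is the key, not the lock screen, and wiping means destroying the key, not scrubbing the whole phone.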

To fully comply with PHI privacy regulations, it’s also helpful to fully understand HIPAA and Joint Commission Guidelines, explore how to establish security protocols, and develop security awareness training for your staff. If you’re interested in learning more, check out our blog post on secure messaging compliance.