Q&A: Clinical staff using personal devices
Q: I work for a small rural hospital, and we have a lot of budget limitations for technology upgrades. Can we allow clinical staff to use their personal cell phones and mobile devices to communicate with patients? If so, how can we keep our calls, email, and text messages HIPAA compliant?
A: HIPAA does not prevent the use of personally owned devices for clinical and business purposes. HIPAA does require steps be taken to ensure PHI is secure, though. That means a mobile-device-use or bring-your-own-device (BYOD) policy needs to be adopted and communicated to the workforce, and that policy must require encryption when personally owned devices are used for clinical and business purposes. That alone is not sufficient, though. It is important to find a mobile device management solution that enforces encryption, supports the remote wipe of lost or stolen devices, and supports the enforcement of technical security measures on the devices, such as anti-malware.
It is not a good idea to permit physicians or any member of the workforce to use personal email to communicate with patients. Personal email is often not secure, and you as the hospital would have no access to any communications between physicians and patients conducted over personal email. The use of secure company email is required.
As far as communicating with patients, all transmissions need to be encrypted to avoid breaches of PHI. The OCR has emphasized the importance of encryption for several years. A number of civil penalties and monetary settlements have been the result of OCR investigations into the breach of unsecure electronic PHI. There is an encryption exception: If a patient requests PHI be sent unencrypted, the physician needs to communicate the risks of sending PHI unencrypted and receive a response from the patient, preferably in writing, that the patient understands and accepts the risk. This needs to occur prior to sending unencrypted email to that patient.
Editor’s note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.