With technology advancing so quickly over the past several years, it is easy to use our cell phones, Ipads or other devices while on the go to send patient information back and forth. Although simple and easy to use, it may not be HIPAA compliant. If you were audited, would you be?

HIPAA and Emails

Sending Protected Health Information (PHI) by email exposes the PHI to two risks:

  1. The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.
  2. The email could be captured electronically en route.


Requirements for emailing: Strong security: According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.

Consent:The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.

Business Associate Agreement:
Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.

HIPPA and the Use of Portable Devices

Mobile device users transmitting and receiving PHI via public Wi-Fi or email applications on mobile devices are using nonsecure mobile networks, putting PHI at risk of interception. Most mobile devices can take and store photographs, which can be a compliance concern if the pictures violate their privacy. Also, with any mobile device that is relatively small in size, providers must be concerned about misplacement and/or theft resulting in the unintended loss of PHI.

Mobile devices also pose unique storage challenges for providers since individual users can dictate where information is stored that providers cannot monitor and control. Cloud storage is popular among mobile device users, and users storing PHI in clouds may be putting the cloud provider at risk if a HIPAA business associate agreement is not signed.To minimize PHI storage liability, most providers now require cloud storage capabilities to be turned off on company-issued mobile devices. However, the major challenge is still managing employees’ and business associates’ personal mobile devices.


People should not download an app and just assume it is HIPAA compliant—the majority of health-related apps are not. HIPAA does apply to apps that deal with PHI and/or allow providers and patients to communicate with each other. Only use Apps that offer a signable HIPAA business associate agreement.


Regular texting is not a compliant way to share PHI- Only texting done through specific data platform called secure texting is HIPAA compliant. “secure texting” – a process in which encrypted messages are transmitted from a secure server which stores all sensitive data locally, and which prevents the cell phone network that carries the message from keeping a copy.  There are a variety of of HIPAA compliant texting applications that include HIPAA business associate agreements. Your records should be stored cloud based-produced by large, reputable developers (i.e. Google) who likely factor in HIPAA regulations during the development phase.

Telemental health-

Each state has its own rules and regulations regarding this newer platform for mental health services Included are things like necessity, and initial physical visit, etc. But beyond this there are other rules:

Your platform must be HIPAA compliant, not just encrypted. NEVER use Skype—

You would need to use companies that are HIPAA compliant that offer telehealth video services. And have a HIPAA business agreement that if there was a breach that company would be responsible.

No one can just jump on their ipad and do a telepsych/ telemental health session :

The provider has to be licensed/certified to do telehealth.

The facility must have a Certificate for Telemental health,

Most states have specific technical requirements such as monitor size (no ipads, cell phones etc) Bandwidth,  and so on.


The best ways to protect mobile devices from breaches is to have them password protected and encrypt them in accordance with HIPAA’s technical standards. Under the Security Rule, if a mobile device’s encryption meets HIPAA standards and is lost or stolen, then there is no breach and the patient(s) do not have to be notified. Another way to protect mobile devices is to install a remote wiping/disabling program into them. A remote wiping/disabling program allows users to quickly clear and disable a lost or stolen mobile device, which can possibly prevent or reduce the magnitude breaches.

As you see with every new convenience there can be potential problems. Technology makes things easier and faster, and allows more capable storage & transfer of patient’s records including their diagnosis and insurance information. But because of the convenience of technology providers need to be aware of protecting their patients privacy. Our portal allows for HIPAA compliant storage of insurance billing information and transfer of records.

Leave a Reply