
Feb 10

Physicians fined for using smart phones?


I am trying to find cases of physicians being fined for using smart phones for receiving information from an answering service.

My docs are not happy when they were told they cannot receive information in this format as the messages were not encrypted.

Please let me know if you have any information I can present to my physicians.

Categories : HIPAA Q&A

Comments

  1. Meg says:

    It’s doubtful that you will find anything about that – I’ve never heard of a physician (or anyone) being fined for using a smart phone for receiving information from an answering service. Encryption is addressable vs. required under the security rule. Maybe you will find something at the state level though…what state are you in?

  2. hipaaofficer50 says:

    thanks for the info…I’m in Arizona

  3. HIPAA Consultant says:

    I agree with Meg. The fines are not doled out according to the device where Protected Health Information is used, stored or transmitted to/from. Unless state laws are more stringent, the doctors may use the smartphone to obtain information to better serve patients. A couple of things to consider: it is required to perform an annual risk analysis, and in that assessment you should be able to list all places you have PHI and how it is protected. If your organization allows the usage of smartphones, then think about what types of information are on the phones. If the doctors lost their phones, what assurance do you have that the person who found it could not identify the information and use it inappropriately? Perhaps management is trying to mitigate the risks of having a breach scenario. If you choose to use the smartphones without encryption you could de-identify the information, but you need to do that according to the guidelines set forth from HHS, which include taking out names of patients. It can get complicated, but from enforcement activity I have seen, if you do not encrypt then it is best not to use the device. Remember that there are plenty of smart bad people out there just waiting for an opportunity!

  4. Bill M. says:

    I take a different approach and that is to establish a process to encrypt the phones.

    APPLE PRODUCTS: Data protection is a feature available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). This article outlines how to enable and verify data protection.

    http://support.apple.com/kb/HT4175

    BLACKBERRY PRODUCTS: Information about standard blackberry encryption:

    http://docs.blackberry.com/en/admin/deliverables/12873/Standard_BlackBerry_message_encryption_193608_11.jsp

  5. HIPAA Follower says:

    Usually answering services are for when the physician’s office is closed, or a similar situation, if that is what I am reading the original question to be.

    I think it would help or even be considered as a good practice for answering services to be limited on what they should send to the physician via their smart phones.

    They can send messages containing the patient name, phone number to be reached at and then a short reason message such as “medication issue”, “test result issue” or “health issue” in the message so the physician will know what it is about.

    This helps avoid any PHI being revealed in error in any way, whether it is someone looking at the phone or the device getting lost or stolen. Plus, any message received from a service that has been returned or completed should be deleted from the inbox of that device.

    I know with our ever changing healthcare technology world there are many challenges we face and PHI should be a #1 for all of us because I wouldn’t want my physician discussing my health on his smart phone or any other cell phone where the public can hear my name or anything else at that time. It will be tough getting everything changed to fix the needs but our patients come first.
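The minimum-necessary message format described in the comment above (patient name, callback number, one short reason category, and deletion once the call is returned) can be enforced in software rather than left to habit. The following is an added example written for this page, not code from the original post or from any answering-service product; the allowed reason categories are the three named above, and the phone-number pattern and field limits are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Reason categories the answering service may use (the three named in the
# comment above; a real deployment would agree its own list with the practice).
ALLOWED_REASONS = frozenset({"medication issue", "test result issue", "health issue"})

# Ten-digit North American number with optional separators (assumption).
PHONE_RE = re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")


@dataclass(frozen=True)
class PageMessage:
    """A page carrying only what the physician needs to return the call.

    Anything beyond name, callback number and a category is rejected, so
    free-text clinical detail cannot reach the phone by this path.
    """
    patient_name: str
    callback_number: str
    reason: str

    def __post_init__(self) -> None:
        name = self.patient_name.strip()
        if not name or len(name) > 60 or any(ch.isdigit() for ch in name):
            raise ValueError("patient_name must be a short name without digits")
        if not PHONE_RE.match(self.callback_number.strip()):
            raise ValueError("callback_number must be a phone number")
        if self.reason.strip().lower() not in ALLOWED_REASONS:
            raise ValueError("reason must be one of the allowed categories")

    def render(self) -> str:
        """Single-line text as it would appear on the device."""
        return (f"{self.patient_name.strip()} / {self.callback_number.strip()}"
                f" / {self.reason.strip().lower()}")


def build_page(patient_name: str, callback_number: str, reason: str) -> str:
    """Validate the three fields and return the rendered page text."""
    return PageMessage(patient_name, callback_number, reason).render()


class PageInbox:
    """Device-side inbox that drops a message as soon as the call is completed."""

    def __init__(self) -> None:
        self._messages: Dict[int, PageMessage] = {}
        self._next_id = 1

    def receive(self, msg: PageMessage) -> int:
        msg_id = self._next_id
        self._next_id += 1
        self._messages[msg_id] = msg
        return msg_id

    def complete(self, msg_id: int) -> None:
        # Returning the call ends the message's life on the device.
        del self._messages[msg_id]

    def pending(self) -> List[str]:
        return [m.render() for m in self._messages.values()]


if __name__ == "__main__":
    # Constructed sample input.
    inbox = PageInbox()
    first = inbox.receive(PageMessage("Jane Doe", "555-010-0100", "Medication Issue"))
    print(inbox.pending())
    inbox.complete(first)
    print(inbox.pending())
```

The validator rejects a reason such as a diagnosis or a drug name because it is not in the allowed set, which is where the "short reason message" rule bites in practice; the inbox makes the clean-up step a side effect of completing the call instead of a separate chore.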

  6. IT Director says:

    HIPAA clearly states the following:

    Ensure the “CIA” (confidentiality, integrity and availability) of all protected health information (PHI & ePHI) that the covered entity creates, receives, maintains, or transmits.

    While it doesn’t say “you must encrypt,” by not doing so you are leaving yourself and your facility open to potential legal issues if an incident arises. For instance, if the physician loses his phone and an unauthorized individual finds it and sees the PHI residing on the phone.

    Just my .02

  7. Henry Asemota, MD. MPH, CHPS,CCDS says:

    I certainly agree that the principle of CIA should always be followed to be HIPAA compliant.