By Carol Miller RN MBA
***
***
New-Wave Technology
To help hospitals and health systems comply with Health Insurance Portability and Accountability Act regulations, best practices are emerging for securing all electronic communication – cloud, wireless, and texting – of protected health information. These technologies will keep evolving as hospitals, providers and patients move to new means of communication. Below is a description of how each is affected by HIPAA.
Cloud Solutions. Cloud solutions are becoming a needed commodity in treating patients today, but they also present a risk of privacy and security violations. Despite the advantages of cloud computing, organizations are often hesitant to use it because of concerns about security and compliance. Specifically, they fear potential unauthorized access to patient data and the accompanying liability and reputation damage resulting from the need to report HIPAA breaches. While these concerns are understandable, a review of data on HIPAA breaches published by HHS shows that these concerns are misplaced. In fact, by using a cloud-based service with an appropriate security and compliance infrastructure, a facility can significantly reduce its compliance risk.
Because HIPAA compliance involves stringent privacy and security protections for electronic protected health information (PHI), many cloud providers are balking at signing new business associate agreements. Most cloud-technology providers, such as Box and Dropbox, do not include the built-in privacy protections that guarantee HIPAA compliance. Because many cloud storage companies store plaintext data on their servers, PHI is especially vulnerable to breaches and compliance violations.
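The plaintext-storage risk above is the one a covered entity can remove on its own side: encrypt each record before it leaves the organization, so the provider only ever holds ciphertext. The following is an added example, not code from the post or from any provider named in it; it uses AES-256-GCM from Go's standard library, binds the storage object name as associated data, and treats the key as a placeholder that in practice would come from a KMS or HSM under the covered entity's control.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealRecord encrypts a PHI record with AES-256-GCM before upload.
// objectName is bound as associated data so a ciphertext cannot be silently
// swapped between storage objects. The returned blob is nonce || ciphertext || tag,
// which is all the cloud provider ever sees.
func SealRecord(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(objectName))
	return append(nonce, sealed...), nil
}

// OpenRecord reverses SealRecord. Any modification of the blob, or a mismatch
// in objectName, fails authentication and returns an error instead of data.
func OpenRecord(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

// ProviderCanReadPlaintext answers the question the post raises: does the
// object as uploaded contain the PHI in the clear? It is a plain substring
// check on the blob.
func ProviderCanReadPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed demo key. In production the key comes from a KMS/HSM and is
	// never uploaded alongside the data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("MRN 000123: dx hypertension, f/u 2 weeks") // constructed sample, not real PHI
	name := "patients/000123/note.txt"                          // hypothetical object name
	blob, err := SealRecord(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible to provider: %v\n",
		len(blob), ProviderCanReadPlaintext(blob, record))
	// Flip one ciphertext byte: the authenticated decryption must refuse it.
	blob[len(blob)-1] ^= 0x01
	if _, err := OpenRecord(key, name, blob); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

Binding the object name as associated data is the detail worth copying: without it, an attacker with write access to the bucket could move a valid ciphertext from one patient's path to another and it would still decrypt cleanly.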
HIPAA CLOUD: https://medicalexecutivepost.com/2016/11/22/hipaa-cloud-solutions/
Mobility Solutions. The recent launches of Apple Health and Google Fit have stirred a lot of interest in health application development. It is important that hospitals and providers understand the laws around PHI and HIPAA compliance for any healthcare-focused mobile application or software. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as hospitals and providers) must be HIPAA-compliant.
For years, hospitals have wanted to bring computers into exam rooms, waiting rooms, and treatment rooms to eliminate hard-to-read patient charts, make sure everyone treating the patient was seeing the same information, assure that everything was recorded as it occurred, and enable doctors, nurses, and technicians to stay connected to vital information and services wherever they were throughout the hospital. Many hospitals have adopted Computers on Wheels (COWs) or tablets, but many of these were hard to use, had poor touchscreen interfaces and did not last long on a battery. iPads seem to be the logical replacement, as long as the iPad can comply with HIPAA rules.
HIPAA was written nearly 30 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which applications must be HIPAA-compliant and which are exempt. Considering the numerous ways security breaches can occur with a mobile device, it is no wonder that HHS is very leery about how PHI is handled on smartphones, wearables, and portable devices.
If an application is going to send or share health data with a hospital, doctor or other covered entity, it MUST be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device. Examples include:
- Phones, tablets, and wearables can be easily stolen and lost, meaning PHI could be compromised.
- Social media and email are easily accessible from the device, making it easy for users to post information that breaches HIPAA privacy laws.
- Push notifications and other user communications can violate HIPAA laws if they contain PHI.
- Users may intentionally or unintentionally share personally identifiable information, even if the application’s intended use doesn’t account for it.
- Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
- Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.
This protected health information can include everything from medical records and images to scheduled appointment dates. Regardless of the device, it is important to take all the steps possible to comply with HIPAA guidelines.
MOBILE HIPAA: https://medicalexecutivepost.com/2016/02/06/mobile-hipaa-solutions-for-hospital-health-systems/
Texting. Text (or SMS) messaging has become nearly ubiquitous on mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. Clinical care is not immune from the trend, and in fact physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.
(Source: Journal of AHIMA, “HIPAA Compliance for Clinician Texting”, by Adam Green, April 2012)
Texting can offer providers numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes. Further, texting is device neutral—it will work on personal or provider-supplied devices of all shapes and sizes. Because of these advantages, physicians may utilize texting to communicate clinical information, whether authorized to do so or not.
All forms of communication involve some level of risk. Text messaging merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.
Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.
Texts also are generally not subject to central monitoring by the IT department. Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software (although a substantial level of sophistication is needed). If text messages are used to make decisions about patient care, then they may be subject to the rights of access and amendment. There is a risk of noncompliance with the Privacy Rule if the covered entity cannot provide patients with access to, or amendment of, such text messages.
According to 2012 data from CTIA–The Wireless Association, U.S. citizens alone exchange nearly 200 billion text messages every month. So it’s not surprising that an increasing number of clinicians are using text messaging to exchange clinical information, along with a wide range of other modes — smartphones, pagers, computerized physician order entry, emails, etc. Electronic communication is certainly faster, can be more efficient, enhances clinical collaboration and enables clinicians to focus on patient care. But with these benefits comes an increased risk of security breaches.
HIPAA TEXTING: https://medicalexecutivepost.com/2016/11/22/hipaa-cloud-solutions/
(Source: Clarifying the Confusion about HIPAA – Compliant Texting, by Megan Hardiman and Terry Edwards, May 2013)
Unfortunately, vendor hype about the Health Insurance Portability and Accountability Act is causing many hospitals and health systems to implement stop-gap measures that address part — but not all — of a problem. To identify all vulnerabilities, health care leaders need to consider not only text messaging, but all mechanisms by which protected health information in electronic form is transmitted — as well as the security of those mechanisms.
Mobile device-to-mobile device SMS text messages are generally not secure because they lack end-to-end encryption. The sender does not know with certainty that his or her message was indeed received by the intended recipient. In addition, the telecommunications vendor or wireless carrier may store the text messages. Recent HHS guidance indicates that text messaging, as a means of communicating PHI, can be permissible under HIPAA depending in large part on the adequacy of the controls used. A hospital or provider may be approved for texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.
A Ponemon Institute study reported in Computer World in May 2013, surveying 577 healthcare and IT professionals in facilities ranging from fewer than 100 beds to over 500 beds, found that fifty-one percent of the respondents felt HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces the time available for patient care (85% of respondents), makes access to electronic patient information difficult (79% of respondents) and restricts the use of electronic mobile communications (56% of respondents). The study stated that “respondents agreed that the deficient communications tools currently in use decrease productivity and limit the time doctors have to spend with patients.” They also stated that “they recognized the value of implementing smartphones, text messaging and other modern forms of communications, but cited overly restrictive security policies as a primary reason why these technologies were not used.” Clinicians in the survey stated that only 45% of each workday is spent with patients; the remaining 55% is spent communicating and collaborating with other clinicians and using the electronic medical record and other clinical IT systems.
Several other statements made were:
- Because of the need for security, hospitals and other healthcare organizations continue to use older, outdated technology such as pagers, email and facsimile machines. The use of older technology can also delay patient discharges – now taking an average of 102 minutes.
- The Ponemon Institute estimated that the lengthy discharge process costs the U.S. hospital industry more than $3.189 billion a year in lost revenue, with another $5 billion lost through decreased doctor productivity and the use of outdated technology. Secure text messaging could cut discharge time by 50 minutes.
(Source: Computer World, “HIPAA rules, outdated tech cost U.S. hospitals $3.38 B a year”, by Lucas Mearian, May 2013)
Several suggestions offered for these preferred mobile devices are: 1) ensure encryption and limit access to the individuals who need it; 2) use secure texting applications; and 3) even consider alerting employees with warnings before they send an email or share files, letting them know they are liable for the information sent.
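Suggestion 3 above, a warning before an employee sends a message, is easy to prototype as a pre-send screen that looks for the identifiers that turn an ordinary clinical note into PHI. The following is an added example, not code from the post or from any texting vendor; the regular expressions are constructed heuristics (a real deployment would tune the MRN pattern to the organization's own format), and the sample messages are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records why an outbound message was flagged.
type Finding struct {
	Kind  string // which kind of identifier matched
	Match string // the matching text; kept out of the user-facing warning
}

// phiPatterns are constructed, deliberately simple heuristics for the
// identifiers that most often make a clinical message PHI.
var phiPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"mrn", regexp.MustCompile(`(?i)\bMRN\s*[:#]?\s*\d{5,10}\b`)},
	{"dob", regexp.MustCompile(`(?i)\b(?:DOB|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b`)},
	{"phone", regexp.MustCompile(`\b\d{3}[-.]\d{3}[-.]\d{4}\b`)},
}

// ScreenMessage returns every PHI indicator found in a message body.
// An empty result means the message can go out without a warning.
func ScreenMessage(body string) []Finding {
	var findings []Finding
	for _, p := range phiPatterns {
		for _, m := range p.re.FindAllString(body, -1) {
			findings = append(findings, Finding{Kind: p.kind, Match: m})
		}
	}
	return findings
}

// Warning renders the pre-send prompt shown to the employee, or "" when none
// is needed. Only the kinds of match are shown, so the prompt (and any audit
// log of it) does not become another copy of the PHI.
func Warning(body string) string {
	findings := ScreenMessage(body)
	if len(findings) == 0 {
		return ""
	}
	kinds := make([]string, 0, len(findings))
	for _, f := range findings {
		kinds = append(kinds, f.Kind)
	}
	return fmt.Sprintf("This message appears to contain PHI (%s). You are responsible for sending it only through an approved, encrypted channel.",
		strings.Join(kinds, ", "))
}

func main() {
	// Constructed sample messages, not real patient data.
	samples := []string{
		"Can you cover my 3pm clinic tomorrow?",
		"Pt MRN 4471029, DOB 03/14/1962, needs labs repeated before discharge",
		"Call the family at 555-010-2233 re: SSN 123-45-6789 on the intake form",
	}
	for _, s := range samples {
		if w := Warning(s); w != "" {
			fmt.Printf("WARN: %q\n  %s\n", s, w)
		} else {
			fmt.Printf("ok:   %q\n", s)
		}
	}
}
```

The check is advisory by design, matching the post's wording of a warning rather than a block: it catches the common accidental case while leaving the decision, and the liability, with the sender.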
***
***