HIPAA Cautions: The Problem with Personal Devices in Medical Practices

Personal devices, such as iPhones, Androids and tablets, are basically extensions of ourselves these days, with most of us syncing our professional and personal email accounts and regularly using such apps as text, iMessage and Hangouts. But all that connectivity and convenience come with great risk, according to a veteran compliance officer.

“I understand cell phones are important, and most people have them superglued to their persons. But 10–15 years ago, smartphones were unheard of—and we survived,” says Sean M. Weiss, partner and vice president of compliance for Doctors Management, a healthcare consultancy in Knoxville, Tenn. “It can seem totally innocent, but people just don’t realize how damaging having patient information on your phone can be.”

Mr. Weiss and his team specialize in audit and appeal representation and provide consultative compliance services to medical practices as small as one provider to health systems with thousands. He’s seen his share of mistakes. He’s also witnessed the devastation a violation of the Health Insurance Portability and Accountability Act HIPAA can have on a medical practice.

One recent, “egregious” example involved a nurse at a subspecialist’s office. Sensitive information, including the patient’s name, date of birth and medical record number, was relayed via text message between the front desk and triage nurse. When the nurse got home, she left her phone on the kitchen counter, and her daughter read her mom’s text message. The daughter recognized the patient name and determined the patient was the mother of a girl at school whom she didn’t like. The daughter took a screenshot of the texts and posted it to Facebook with unflattering words.

“Talk about a perfect storm,” Mr. Weiss says, noting that the Office of Civil Rights (OCR) levied a $250,000 fine. “But the medical practice had no policies in place to regulate mobile devices and communications. It was a pure violation. … On top of that, the patient is suing the practice.”

To protect a rheumatology practice, Mr. Weiss suggests:

• Ensure your current compliance program has policies in place that speak to usage of personal devices in the workplace;
• Do not allow staff to have or use a personal email account on a work computer;
• If you don’t have an effective compliance program in place, consider a gap analysis. “That is how you know whether you have a problem or not,” he says;
• Do not allow personal devices at work, because they are “a vulnerability medical practices should not be willing to assume;” and
• Practice leaders need to set the example. If you don’t follow your own rules, “how can you expect your staff to respect and follow the rules?”

“If you are working around patients in a medical practice, you shouldn’t have a personal smartphone or mobile device around you, at all,” Mr. Weiss says. “It just removes the temptation to do something stupid. … Use your in-office instant messenger or send a secure email when you are conveying private, protected health information.”

Richard Quinn is a freelance writer in New Jersey.