Experts: Treat Cell Phones Like Any Other Device with Protected Health Information

Dom Nicastro, for HealthLeaders Media, December 29, 2009

The U.S. Supreme Court's involvement next year in a privacy case regarding text-messaging on work cell phones in the public sector could have implications for private companies like hospitals, experts told HealthLeaders Media.

The case involves text messages sent by members of a California police department—some of which were sexual in nature, according to The Tennessean—and whether or not the employees should have had a "reasonable expectation of privacy" through work cell phone use.

HIPAA privacy and security officers juggle compliance headaches each day because of text-messaging on work phones. Experts told HealthLeaders Media the California case serves as a good reminder for covered entities to treat cell phones and texting as they would any other device that includes protected health information (PHI):

  • Use appropriate safeguards to avoid breaches
  • Know HIPAA's privacy and security rule
  • Consider a policy that prohibits personal text messages on work phones
  • Be clear that work devices alone do not guarantee the user's privacy

"If text messaging is allowed, it will need to be encrypted and only be sent and received by people with a 'need to know' and within minimum necessary guidelines," says John C. Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

Organizations must have "comprehensive, feasible, and well-written information on security and privacy policies, along with regular training and ongoing awareness communications," says Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, an information privacy, security and compliance consultant, author and instructor out of Rebecca Herold & Associates, LLC, in Des Moines, IA.

"Even though this case is specific to government agencies," Herold adds, "the ruling will likely still be used as an example for all types of organizations with regard to what personnel can reasonably expect with regard to privacy of electronic communications, not only on equipment and systems owned by the organization, but also for non-company-owned equipment that is used for business purposes."

Herold says compliance boils down to a hospital's policy and training programs.

"Hospitals should ensure their policies cover the use of organization-owned computing equipment for non-work purposes, along with using non-organization-owned equipment used for business purposes," Herold says, "and ensure their training and ongoing awareness communications effectively educate their personnel about the requirements and their responsibilities."

Texting is "fairly common" between physicians when communicating about a patient, says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.

Apgar says he likens text messages sent from company-owned phones to e-mail messages sent via the company's e-mail system.

"In both cases, the employer [covered entity or not] owns the device and, as it has been determined in the past with e-mail, I believe the same legal principle will hold true with text messages—the employer 'owns' the text messages, whether they are work related or not," Apgar says. "The moral of the story is if an employee wishes to send a personal text, he or she should use his or her own mobile device and then, like Web messaging, the text message becomes 'personal property' of the employee or the sender."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
