PRSonally Speaking
Monday, April 21, 2014
HIPAA compliance and smartphone communications
 
by Ash Patel, MD
 
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, like most legislation affecting healthcare, is extremely complicated. Electronic information identifying patients is protected by HIPAA as well as by provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act. On September 23, 2013, the HIPAA Omnibus final rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/) became effective, which extended HIPAA requirements to Business Associates (BA) of Covered Entities (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html). These changes to HIPAA mean that service providers are required to follow HIPAA regulations to legally handle protected health information (PHI). One of the many challenges facing the modern plastic surgeon is how to ensure that the vast array of digital patient information remains confidential and protected from unauthorized access.
 
Like many of our colleagues, on a daily basis I take photographs with my digital camera, send text messages to residents about patients (which also may contain photos), send emails about patients, and access the electronic medical record.

At my institution we use a HIPAA compliant smartphone app for messaging, and this got me thinking about whether other technologies in common use are HIPAA compliant.
 
Apple Facetime
 
A letter in PRS (March 2012 - Volume 129 - Issue 3 - p 562e-563e, http://journals.lww.com/plasreconsurg/toc/2012/03000) highlighted the use of Facetime as a mode of video consultation. Whilst Apple states that Facetime calls are encrypted (https://www.apple.com/iphone/business/it/security.html), this encryption does not satisfy HIPAA requirements because Apple hold the encryption key, and the data is transmitted through their servers. Under the regulations, Apple is classified as a third party with access to ePHI, and therefore would have to sign a Business Associate Agreement (BAA) to meet compliance. As Apple do not sign BAAs for this purpose, Facetime cannot be considered HIPAA compliant.

Dropbox
 
Dropbox is not HIPAA compliant. As part of the HIPAA security rule technical controls, the ability to audit who has accessed electronic protected health information (ePHI) is required. Dropbox does not have any audit controls in place to allow a review of who accessed information that is stored on Dropbox.  Without auditing, it is not possible to determine which individuals accessed ePHI. Additionally, file metadata (http://en.wikipedia.org/wiki/Metadata) is visible to Dropbox, which doesn't meet HIPAA requirements.
 
Google Apps for Business

In February 2014, Google announced that their cloud-based platform (Gmail, Calendar, Drive) would be HIPAA friendly, and that they would support BAAs. However, it's important to remember that the BAA refers only to the business version of these commonly used services. The free individual user versions do not offer the same audit and security capabilities.
 
So why is this important? HIPAA violations, including losing a smartphone, camera or flash drive, can be a costly mistake, even if inadvertent (http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page).
 
Ash Patel, MD is Assistant Professor of Plastic Surgery and Associate Program Director at Albany Medical College, in Albany NY. His practice is primarily reconstructive.