PRSonally Speaking

Monday, April 21, 2014

HIPAA compliance and smartphone communications
by Ash Patel, MD
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, like most legislation affecting healthcare, is extremely complicated. Electronic information identifying patients is protected by HIPAA as well as by provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act. On September 23, 2013 the HIPAA Omnibus final rule became effective, which extended HIPAA requirements to Business Associates (BAs) of Covered Entities. These changes to HIPAA mean that service providers are required to follow HIPAA regulations to legally handle protected health information (PHI). One of the many challenges facing the modern plastic surgeon is how to ensure that the vast array of digital patient information remains confidential and protected from unauthorized access.
Like many of our colleagues, on a daily basis I take photographs with my digital camera, send text messages to residents about patients (which also may contain photos), send emails about patients, and access the electronic medical record.

At my institution we use a HIPAA compliant smartphone app for messaging, and this got me thinking about whether other technologies in common use are HIPAA compliant.
Apple Facetime
A letter in PRS (March 2012, Volume 129, Issue 3, pp. 562e-563e) highlighted the use of Facetime as a mode of video consultation. Whilst Apple states that Facetime calls are encrypted, this encryption does not satisfy HIPAA requirements because Apple holds the encryption key and the data is transmitted through their servers. Under the regulations, Apple is classified as a third party with access to ePHI, and would therefore have to sign a Business Associate Agreement (BAA) to meet compliance. As Apple does not sign BAAs for this purpose, Facetime cannot be considered HIPAA compliant.

Dropbox
Dropbox is not HIPAA compliant. As part of the HIPAA Security Rule's technical safeguards, the ability to audit who has accessed electronic protected health information (ePHI) is required. Dropbox does not have any audit controls in place to allow a review of who accessed information that is stored on Dropbox. Without auditing, it is not possible to determine which individuals accessed ePHI. Additionally, file metadata is visible to Dropbox, which does not meet HIPAA requirements.
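To make the "audit controls" requirement concrete, here is an added example (not code from the original post, and not anything Dropbox provides) of what a minimal ePHI access audit log looks like: every access is recorded as who, which record, what action and when; the entries are hash-chained so that a later edit to the log is detectable; and the log can answer the question the paragraph above says Dropbox cannot, namely which individuals accessed a given record. The user names, record identifiers and timestamps are constructed for the example, and `simulate_tampering` exists only to show that `verify()` catches an altered entry.

```python
"""Hypothetical ePHI access-audit log (added example, not from the post).

Demonstrates the HIPAA Security Rule "audit controls" idea: record each
access to a patient record, chain the entries with SHA-256 so that edits
are detectable, and answer "which users accessed record X?".
All names, identifiers and timestamps below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    timestamp: str    # ISO-8601 string supplied by the caller
    user: str         # authenticated identity performing the access
    record_id: str    # opaque record identifier; never the PHI itself
    action: str       # e.g. "view", "download", "share"
    prev_hash: str    # entry_hash of the previous entry, "" for the first
    entry_hash: str   # SHA-256 over this entry's fields plus prev_hash


def _digest(seq, timestamp, user, record_id, action, prev_hash) -> str:
    # Canonical JSON so the hash does not depend on formatting.
    payload = json.dumps([seq, timestamp, user, record_id, action, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessAuditLog:
    """Append-only, hash-chained log of ePHI accesses."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, timestamp: str, user: str, record_id: str,
               action: str) -> AuditEntry:
        """Append one access event and link it to the previous entry."""
        seq = len(self._entries)
        prev_hash = self._entries[-1].entry_hash if self._entries else ""
        h = _digest(seq, timestamp, user, record_id, action, prev_hash)
        entry = AuditEntry(seq, timestamp, user, record_id, action, prev_hash, h)
        self._entries.append(entry)
        return entry

    def who_accessed(self, record_id: str) -> List[str]:
        """Distinct users who touched a record, in first-access order."""
        seen: List[str] = []
        for e in self._entries:
            if e.record_id == record_id and e.user not in seen:
                seen.append(e.user)
        return seen

    def verify(self) -> Optional[int]:
        """Return the seq of the first inconsistent entry, or None if intact."""
        prev = ""
        for e in self._entries:
            expected = _digest(e.seq, e.timestamp, e.user, e.record_id,
                               e.action, prev)
            if e.prev_hash != prev or e.entry_hash != expected:
                return e.seq
            prev = e.entry_hash
        return None

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def simulate_tampering(log: AccessAuditLog, seq: int, new_user: str) -> None:
    """Demo-only: overwrite one entry's user without re-hashing, as an
    attacker editing the stored log would have to do."""
    log._entries[seq] = replace(log._entries[seq], user=new_user)


def build_sample_log() -> AccessAuditLog:
    """Constructed sample accesses for the demonstration."""
    log = AccessAuditLog()
    log.record("2014-04-21T09:00:00Z", "dr_patel", "rec-001", "view")
    log.record("2014-04-21T09:05:00Z", "resident_a", "rec-001", "download")
    log.record("2014-04-21T09:10:00Z", "dr_patel", "rec-002", "view")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("rec-001 accessed by:", log.who_accessed("rec-001"))
    print("log intact:", log.verify() is None)
    simulate_tampering(log, 1, "nobody")
    print("first tampered entry:", log.verify())
```

The record identifier is deliberately opaque: the audit trail itself must not become another copy of PHI. The hash chain is the minimum that makes the log reviewable after the fact; in a real deployment the latest hash would also be written somewhere the log's own administrators cannot alter.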
Google Apps for Business

In February 2014, Google announced that their cloud based platform (Gmail, calendar, Drive) would be HIPAA friendly, and that they would support BAAs. However, it's important to remember that the BAA refers only to the business version of these commonly used services. The free individual user versions do not offer the same audit and security capabilities.
So why is this important? HIPAA violations, including losing a smartphone, camera or flash drive, can be a costly mistake, even if inadvertent.