HIPAA, Electronic Communication, and Mobile Devices

HIPAA allows health care providers to communicate electronically, such as through email or fax, provided that reasonable safeguards are used. What is reasonable depends on the mode of communication used. Ultimately, the patient can object to electronic communications and request alternative forms of communication, provided the patient's requests are reasonable. You should also apply security safeguards when using mobile devices to store or communicate ePHI.

Email: The Security Rule does not prohibit using unencrypted email to send PHI. However, reasonable safeguards should always be applied. Examples of reasonable safeguards include, but are not limited to:

  • Limiting the amount or type of information disclosed through unencrypted email.
  • Checking the email address for accuracy before sending.
  • Sending an email alert to the patient for address confirmation prior to sending the message.

Mobile Devices: Mobile devices can also be used for the purposes of treatment and patient communication, provided that proper safeguards are used to secure PHI. HHS has suggested the following as examples of typical safeguards for mobile devices:

  • Use a password or other user authentication
  • Install and enable encryption
  • Install and activate remote wiping and/or remote disabling
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall
  • Install and enable security software
  • Keep your security software up to date
  • Research mobile applications (apps) before downloading
  • Maintain physical control
  • Use adequate security to send or receive health information over public Wi-Fi networks
  • Delete all stored health information before discarding or reusing the mobile device

The types of safeguards that your practice needs will depend on your devices, modes of communication, vendors and many other factors. HHS has provided the following guidance to help secure electronic communication and mobile devices:


The AOA recommends that its members consult legal and privacy compliance experts to ensure that their electronic communications and mobile devices comply with all federal, state and local laws.

AOA Resources





HHS Resources: