5 Ways Using Your Phone at Work Might Violate HIPAA

Reduced productivity and distraction aren’t the only personnel issues that can arise when nurse practitioners use their phones at work. Because smartphones are essentially handheld computers, the information stored on them is just as susceptible to being hacked as the data on your laptop. This means that if you use your mobile device in your NP practice without precautions, a patient’s protected health information can be easily accessed and transmitted, quickly putting you in violation of HIPAA and putting your integrity at risk.

Being HIPAA compliant is certainly an organizational effort, and as such many healthcare employers have rules and regulations in place concerning their employees’ phone use at work. While nurse practitioners have a responsibility to adhere to their employer’s policies, as providers it’s also important to take extra measures to ensure we’re safeguarding sensitive patient information on our phones, both on and off the clock.

Here’s a look at how using your phone for work could be getting you into trouble and what you can do to keep your practice and patients safe.

Discussing a patient with another provider via text or email

Communicating with other members of your healthcare team via text or email is certainly much easier than calling or trying to track one another down in the hallways of the hospital. But if your discussion concerns a patient, it’s imperative that the content of your messages doesn’t include any protected health information (PHI), especially when you’re not using encryption software or an encrypted messaging application. The US Department of Health and Human Services defines PHI as any information about the patient that is or will be in their medical record, conversations between providers and the healthcare team about the patient’s care or treatment, information about the patient that would be in their health insurer’s computer system, the patient’s billing information, and most other health-related information about the patient.

Because PHI is so easy to discuss inadvertently, encrypting text messages and emails is the best way to ensure that your conversation about a patient remains private and protected. An unencrypted message is like a postcard: assume that anyone and everyone along the way can read it. Using encryption software or an encrypted messaging app prevents third parties from reading private conversations involving patients.

Texting patient care orders

Texting patient care orders is a violation of the Centers for Medicare & Medicaid Services’ Conditions of Participation (CoPs) and Conditions for Coverage (CfCs), and may also violate HIPAA. Because texting patient care orders is prohibited regardless of whether or not you use encryption software, you should avoid doing this on your smartphone altogether. CMS recommends computerized provider order entry as the preferred method for communicating patient care orders; verbal and handwritten orders are also safe and acceptable.

Posting to social media

Social media has a way of tempting you into sharing anything and everything (the good, the bad and the ugly), and the convenient access to social media apps makes it all the easier to do. While you may be tempted to share the highs and lows of your day, any information contained in a social media post that relates to the past, present, or future physical or mental health of a patient, or that provides enough information to identify an individual, is a violation of HIPAA.

The best safeguard is to avoid discussing patients or cases on your personal social media account altogether. If you do choose to talk about your practice as an NP, never identify patients by name, and never post or publish information that could lead to the identification of the patient or that falls under PHI. Even if you’ve taken all the necessary precautions to ensure that the patient cannot be identified, do not refer to the patient in a derogatory way, no matter what. Speaking negatively about a patient on social media calls your professionalism as a nurse practitioner into question amongst your followers and could come back to haunt you if any malpractice claims are ever made against you by this patient.

Taking photos of patients

There may be times in your practice when you’ve had to take a photo or video of a patient for legitimate purposes, such as to obtain another provider’s opinion on the diagnosis or treatment of the patient’s condition, to use for teaching or research, or as documentation to be placed in the patient’s medical record. Having a camera at our fingertips makes it extremely convenient to take a picture for these purposes, but any time you photograph a patient there is a risk that the photo will include PHI. In a photograph of a patient, PHI includes any portion of the patient’s face, tattoos, the patient’s name or initials, birth date, social security number, address, date of service, or medical record.

Whatever the need for it may be, before taking the photo you should always obtain the patient’s consent and tell them as specifically as possible what the image will be used for. It’s also important to inform your patient that they have the right to decline and the right to withdraw their consent at any time. If they give consent, photograph as little of the body as possible without including any patient identifiers.

When taking or sharing a photo of a patient’s x-rays, endoscopic images, or images of specimens or tissues taken during an operation, make the images fully anonymous and omit any patient-identifying details when sharing them. There are many grey areas when it comes to clinical photography, so as a rule of thumb, once you have obtained consent from the patient, you have a responsibility to record, store, present, publish and distribute the photo records responsibly, with the interest of the patient being of the utmost importance. Remember to use encryption if you’re sending an image to another provider from your device.

Using an unsecured WiFi connection

Using a free WiFi connection is certainly convenient, but unfortunately such networks are often not secured or encrypted, which leaves any data transmitted over them vulnerable to being snooped on. If you’re on a public WiFi network that doesn’t have a secure connection but you need to access your work email or send a text message to a colleague about a patient, the best option is (again) to use encryption software or an encrypted messaging app, or to use your mobile network connection instead. Even if you’re only reading messages about patients and not responding, the PHI could still be exposed, so it’s safest to avoid using unsecured internet connections altogether.

The best way to protect yourself from violating HIPAA and exposing your patients’ protected information is to avoid communicating any PHI from your phone altogether. If you do discuss PHI from your phone, make it your personal policy to use encryption services for messages. There are also HIPAA-compliant apps that you can use for extra protection against security breaches.