HIPAA law covers PHI in electronic format. This includes all social media platforms, such as Facebook, Twitter, Snapchat, and Instagram. Never, under any circumstance, disclose a patient's name or treatment on any social media platform. You can personally be liable, financially and criminally, for disclosing PHI on social media.

Mobile devices include smartphones, tablets, and laptops. These can be used to share PHI if appropriate safeguards are in place. This means you have to use an encrypted texting or chat platform. You cannot simply text a doctor, nurse, or IT provider, because standard text platforms have limited encryption, are not compliant, and store the text in their cloud.

Now let's talk about email. Is Gmail, Hotmail, AOL, Yahoo, or your local IT provider's email compliant? The answer is no, because all email sent through these free platforms is subject to automated processing. Your patient's data and your email will be scanned for targeted advertising by these companies. Also, Google will not sign a business associate agreement for the use of its Gmail platform. You must use a paid service like Google G Suite or Microsoft Office 365, as these providers will sign a BAA.

Faxes are an approved and compliant means of sending PHI. However, you must be mindful and always use a cover sheet before sending PHI through a fax machine or an efax. If you send PHI in error, you must contact the receiver and notify them to destroy the information. Likewise, if you receive PHI in error, you must notify the sender and destroy the information as well.
In this lesson, we'll be covering HIPAA law as it applies to social media, mobile devices, email, and faxes. At the end of the lesson, we'll provide a brief word about guidelines for properly disposing of protected health information, or PHI.
HIPAA law covers all PHI in electronic formats (also known as ePHI). This includes social media platforms such as Facebook, Twitter, Snapchat, and Instagram.
Pro Tip #1: While we as a society find it absolutely necessary to share everything on social media these days – including contrary opinions and meals we're about to consume – never under any circumstance should you disclose patient information, like names and treatments, on any social media platform.
Remember, though we're sure you know better, common sense is not all that common, which is why these things need to be said. And why we have to also note that if you do any of the above, you could be personally liable financially and criminally for disclosing any protected health information on social media platforms.
Mobile devices include, but are not limited to, smartphones, tablets, and laptops.
Pro Tip #2: While disclosing PHI on social media is always a no-no, mobile devices can be used to share protected health information IF appropriate safeguards are in place. What does IF mean?
In short, we're referring to encryption. If you are sharing PHI on mobile devices, you have to use an encrypted texting or chatting platform. You cannot simply pick up your phone and text PHI to a doctor, nurse, health plan, insurance company, etc.
Why can't you do this? Because standard texting platforms have limited encryption, are not HIPAA compliant, and store your messages in the provider's cloud.
Standard email platforms are also not compliant according to HIPAA. These include Gmail, Hotmail, AOL, Yahoo, and your local IT provider's email service.
All emails sent through the above free platforms are subject to automated processing. Your email and sensitive patient data will be scanned for targeted advertising when using those platforms.
Pro Tip #3: It's important to note that while Google has chosen not to sign a business associate agreement (BAA) for its free Gmail platform, it will sign a BAA for its paid service – G Suite. Other paid email platforms may also be acceptable, like Microsoft Office 365. The key is the provider's willingness to sign a business associate agreement.
Faxes are an approved and HIPAA compliant means of sending PHI. However, you still need to be mindful when doing so. This means always using a cover sheet before sending a fax that contains protected health information.
What if you send a fax containing PHI in error?
If this happens, you need to contact the receiver and notify them to destroy the fax. Likewise, if you receive a fax containing PHI in error, you must notify the sender and also destroy the information.
Disposing of PHI is of the utmost importance, particularly in our modern digital world where deleted tweets aren't really ever gone. The following PHI disposal guidelines should ensure that you and your organization remain HIPAA compliant.
Whether Apple's FaceTime is HIPAA compliant depends on whom you ask. This is unfortunately a complicated answer, and one for which you will find differing opinions if you search the web. Apple is not willing to sign Business Associate Agreements with Covered Entities. However, if Apple's FaceTime service can be considered a conduit under the Conduit Exception Rule, then a BAA is not strictly required as long as the service is used in a HIPAA compliant manner. Whether or not FaceTime is considered a conduit is what is hotly debated. The US Department of Veterans Affairs has authorized FaceTime for internal telemedicine use and thereby gives it a stamp of approval. Nonetheless, there are other peer-to-peer video services that are willing to sign BAAs, so our recommendation would be to use one of those services instead.
Yes, Zoom is HIPAA compliant. In order to use Zoom in a HIPAA compliant manner, the covered entity must enter into a business associate agreement with Zoom before using the platform. You can learn more and request a BAA on the Zoom for Healthcare website.
Please be aware that it is possible to violate HIPAA Rules while using Zoom. Users must be properly trained on their responsibilities regarding patient privacy and permitted sharing of PHI only with authorized individuals. It is the covered entity's responsibility to ensure Zoom is used in a HIPAA compliant manner and that staff are all adequately trained.