Recently, I was asked my opinion on whether Pagers were compliant to HIPAA. I actually had never thought about it but this person told me that ePHI may occassionally be sent over the paging system. This got me to thinking about the issue.
Here is what I see as the issues.
1. ePHI transmitted across the internet must be encrypted.
a. This would not include unsecured email. This would make sending someone an SMS or Page at [email protected] not accepatable.
b. The Simple Network Paging Protocol has encryption and is advertised on some carrier’s websites as HIPAA Compliant.
c. But, this encryption is not end-to-end it is only on the internet.
2. ePHI transmitted via analog radio transmission is not addressed at all.
a. ePHI is not encrypted on the analog transmission
b. There is a CAP Code must be implemented for the transmission to succeed.
c. Paging Eavesdropping is a possibility and could poses a confidentiality issue.
3. Paging eavesdropping is not hard to do. See this example
http://www.adafruit.com/blog/2009/05/12/how-to-make-a-cheap-pager-scanner/
So in my mind Pagers are not secure at all, but it is what it is and most likely won’t change.
Going forward, I would implement SNPP with Encryption as a band-aid. At least you will be covered over the internet.
You may also have the ability to remote wipe. So you may have some control in place.
Future
Start thinking about moving to Secure SMS on Mobile Phones both Android and iPhones.
This would provide a secure environment with end to end encryption. The apps are available and messaging could be done from a remote server/Application. This is really a futures thing for some folks, but I can see it happening very quickly.
BYOD Anyone?
1
Great points and information!!!
One thing though… JCAHO has said SMS text messaging can “never be secure.” The only truly secure messaging solution we see out there is miSecureMessages, an app for smartdevices.
It does not use SMS (unlike every other solution advertised as ‘secure’ ..they do use SMS).
Nothing stored on the device, No character limits, and immediate messaging with full real-time reporting…Among many other great features, some of which are new and not on the website yet.
I hope this information helps your readers in their endeavor for a truly secure communication solution. 🙂 Thank you!
You are exactly right. I believe that a wide majority of healthcare organizations may be using SMS to send PHI and may just not know that it is not compliant. Thanks for the post.