HIPAA Alert: Contacts, Calendar Events and Tasks may contain ePHI!

February 3, 2014 • By Erik Kangas • In Business Solutions, Collaboration

When health care organizations review their operations to see where electronic protected health information (ePHI) is being saved, transmitted, and viewed, a great deal of time is spent on the obvious candidates: email, chat, stored files, health records, etc.

Many overlook the fact that ePHI can be embedded in Contacts, Calendars, and Tasks.  Consider for example:

  • Contacts: A medical office’s address book of patients which contains not only their names, but also notes about what types of services they use, etc.  This constitutes ePHI — personally identifiable information about the health history of the patients.
  • Calendars: A nurse uses an iPad to track the appointments of a doctor or the busy/free schedule for a specific room.  Included in the schedule are the names of the people who have appointments, with whom, and a brief note about the purpose.  This is ePHI.
  • Tasks: A doctor uses a to-do list to remember all of the things that s/he must do each day.  The doctor may note such things as “order test X for patient Y” or “seek a referral for patient Y about condition Z”.  This is ePHI.

One could construct any number of examples of personal health data being stored in calendar appointments, task lists, and address books.

This presents a potential breach, as many staff use insecure or non-HIPAA-compliant services to manage this kind of information.  Consider for example: regular Google Calendars, Apple’s MobileMe synchronization, or Exchange Servers that are not specially configured, etc.  All of these are “right out” for storing and synchronizing this type of data!

Even if you have a service like Google Apps that can be “HIPAA compliant”, it is not at all clear that they ensure that alerts, reminders, and other things that generate email messages from Calendars and To Do lists are themselves properly protected for HIPAA.  You may assume they are … you may very well be wrong.  E.g. Google Apps with “HIPAA Compliance” does not by default include any kind of email encryption … so it is compliant as long as you do not send email.  They don’t really tell you that, they assume you know.  The same goes with many other things.

Health care organizations need to use a HIPAA-compliant service for storage of and management of contact, calendar, and task data … just as they do for email data.  This includes “over the air” synchronization of this data with mobile devices.

LuxSci’s WebAides and Mobile Sync services provide collaborative contact, calendar, and task management tools (as well as other collaboration tools such as file storage and password storage) and include secure access via our Web Portal and secure synchronization with any modern mobile device — iPhone, iPad, Android, Blackberry, etc.  All of these services are automatically locked down to be HIPAA compliant and thus can be used by any health care provider to ensure the privacy of this data and to enable an organization to go on “as usual”, but with HIPAA-compliant security.

Erik Kangas

About Erik Kangas

With 30 years engaged in both academic research and software architecture, Erik Kangas is the founder and Chief Technology Officer of LuxSci, playing a core role in building the company into the market leader for HIPAA-compliant, secure healthcare communications solutions that it is today. An international lecturer on messaging security, Erik also advises and consults on email technology strategies and best practices, secure architectures, and HIPAA compliance. Erik holds undergraduate degrees in physics and mathematics from Case Western Reserve University, and a doctoral degree in computational biophysics from MIT.