HIPAA Alert: Contacts, Calendar Events and Tasks may contain ePHI!

February 3rd, 2014

When health care organizations review their operations to see where electronic protected health information (ePHI) is being saved, transmitted, and viewed, a great deal of time is spent on the obvious candidates: email, chat, stored files, and health records, etc.

Many overlook the fact that ePHI can be embedded in Contacts, Calendars, and Tasks.  Consider for example:

  • Contacts: A medical office’s address book of patients which contains not only their names, but also notes about what types of services they use, etc.  This constitutes ePHI — personally identifiable information about the health history of the patients.
  • Calendars: A nurse uses an iPad to track the appointments of a doctor or the busy/free schedule for a specific room.  Included in the schedule are the names of the people who have appointments, with whom, and a brief note about the purpose.  This is ePHI.
  • Tasks: A doctor uses a to-do list to remember all of the things that s/he must do each day.  The doctor may note such things as “order test X for patient Y” or “seek a referral for patient Y about condition Z”.  This is ePHI.

One could construct any number of examples of personal health data being stored in calendar appointments, task lists, and address books.

This presents a potential breach, as many staff  use insecure or non-HIPAA compliant services to manage this kind of information.  Consider for example: regular Google Calendars, Apple’s Mobile Me Synchronization or Exchange Servers that are not specially configured, etc.  All of these are “right out” for storing and synchronizing this type of data!

Even if you have a service like Google Apps that can be “HIPAA compliant”, it is not at all clear that they ensure that alerts, reminders, and other things that generate email messages from Calendars and To Do lists are themselves properly protected for HIPAA.  You may assume they are … you may very well be wrong.  E.g. Google Apps with “HIPAA Compliance” does not by default include any kind of email encryption … so it is compliant as long as you do not send email.  They don’t really tell you that, they assume you know.  The same goes with many other things.

Health care organizations need to use a HIPAA-compliant service for storage of and management of contact, calendar, and task data … just as they do for email data.  This includes “over the air” synchronization of this data with mobile devices.

LuxSci’s WebAides and Mobile Sync services provide collaborative contact, calendar, and task management tools (as well as other collaboration tools such as file storage and password storage) and includes secure access via our Web Portal and secure synchronization with any modern mobile device — iPhone, iPad, Android, Blackberry, etc.  All of these services are automatically locked down to be HIPAA compliant and thus can be used by any health care provider to ensure the privacy of this data and to enable an organization to go on “as usual”, but with HIPAA compliant security.