July 13th, 2010

Is Blackberry HIPAA Compliant? What You Need To Know

We are often approached by customers wanting to use their blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI).  Such customers, when they must abide by the HIPAA and HITECH laws governing medical privacy, must comply with a long set of regulations that covers, among other things, how ePHI may be transmitted over the Internet.

This article deals with the security of sending and receiving email on a Blackberry configured for Internet email services (i.e. it does not apply to those connecting to a Blackberry Enterprise Server and Exchange).

The Short Answer: Blackberry and ePHI

Through extensive communications with Blackberry, AT&T, and other providers (most of whom were unable to answer any questions pertaining to security or privacy, by the way), we have determined, in short, that:

  • Reading Email – OK: It is OK to use a Blackberry to read ePHI-containing email over POP or IMAP as long as your email provider supports secure, SSL-enabled POP and IMAP connections and can ensure that the Blackberry will not be permitted to make insecure POP or IMAP connections on your behalf. LuxSci’s HIPAA email accounts provide this functionality.
  • Sending Email – NOT OK: All email sent from a Blackberry device goes to the Blackberry server and then out over the Internet from there.  There is no way to configure a Blackberry to use your own outbound email (SMTP) server.  The Blackberry servers that send the email messages may send them insecurely over the Internet — there is no way to ensure transport email encryption for messages sent from a Blackberry device.  Therefore, ePHI-laden email messages should never be sent from a normal Blackberry device.

How a Blackberry Configures Itself for Internet Email Services

When you set up a Blackberry to read email from a POP or IMAP account, the Blackberry does not actually give you the choice of POP or IMAP, or of security or no security. All you can do is enter your server name. Then the Blackberry tries to auto-detect how it can connect and auto-configures itself.

What it does and in what order is not documented anywhere that we could find, but it seems that it may be checking things in the following order, and picking the first thing that works for it:

  • Secure IMAP
  • Secure POP
  • Insecure IMAP
  • Insecure POP

The best way to configure your Blackberry and to ensure that only the secure service that you want is chosen (and stays chosen) is to turn off the other options, if possible. I.e. if you would like to use Secure IMAP, then turn off POP altogether and turn off insecure IMAP.  The result is that Blackberry can only pick the service that you need, and cannot “accidentally” choose something else.
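The practical consequence of first-match auto-detection is that an administrator should not rely on the device picking the secure service; the provider must not be answering on the insecure ports at all. The following script is an added example (not part of the original article and not LuxSci or Blackberry code) that emulates the detection order described above and audits a mail host for any plaintext POP or IMAP listener. The port numbers are the standard IANA assignments (993 imaps, 995 pop3s, 143 imap, 110 pop3); the detection order itself is the article's inferred one, and `make_fake_probe` is a constructed stand-in so the logic can be exercised without a live server.

```python
import socket
import ssl
import sys
from typing import Callable, Dict, List, Optional, Set, Tuple

# Candidate services in the order the article infers the Blackberry tries them,
# stopping at the first that works. The third field says whether the port is
# TLS-wrapped ("secure") or plaintext ("insecure").
SERVICE_ORDER: Tuple[Tuple[str, int, bool], ...] = (
    ("Secure IMAP", 993, True),
    ("Secure POP", 995, True),
    ("Insecure IMAP", 143, False),
    ("Insecure POP", 110, False),
)

# A probe answers: does host:port accept a connection and send a server greeting?
ProbeFn = Callable[[str, int, bool], bool]


def tcp_probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> bool:
    """Real probe: connect, complete a verified TLS handshake on the TLS ports,
    and treat a non-empty greeting (POP/IMAP servers always send one) as 'reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if use_tls:
                ctx = ssl.create_default_context()  # verifies the certificate chain
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    greeting = tls.recv(256)
            else:
                greeting = raw.recv(256)
        return bool(greeting)
    except (OSError, ssl.SSLError):
        return False


def make_fake_probe(open_ports: Set[int]) -> ProbeFn:
    """Constructed stand-in for tcp_probe: pretend exactly these ports answer.
    Used for offline demonstration and testing only."""
    def probe(host: str, port: int, use_tls: bool) -> bool:
        return port in open_ports
    return probe


def pick_service(host: str, probe: ProbeFn = tcp_probe) -> Optional[Tuple[str, int]]:
    """Emulate first-match auto-detection: the first reachable service wins."""
    for name, port, use_tls in SERVICE_ORDER:
        if probe(host, port, use_tls):
            return name, port
    return None


def audit_lockdown(host: str, probe: ProbeFn = tcp_probe) -> Dict[str, bool]:
    """Report every candidate service that answers, so the administrator can
    confirm the insecure ones are switched off rather than merely outranked."""
    return {name: probe(host, port, use_tls) for name, port, use_tls in SERVICE_ORDER}


def insecure_services_exposed(host: str, probe: ProbeFn = tcp_probe) -> List[str]:
    """Names of plaintext listeners still reachable. Conservative on purpose: a
    port-143/110 listener counts as exposed even if it offers STARTTLS, because
    the device gives no control over whether STARTTLS is actually used."""
    report = audit_lockdown(host, probe)
    return [name for name, _port, use_tls in SERVICE_ORDER
            if not use_tls and report[name]]


if __name__ == "__main__":
    # With a hostname argument the real probe is used; otherwise a constructed
    # host that (wrongly) leaves Insecure POP open is simulated.
    if len(sys.argv) > 1:
        target, probe_fn = sys.argv[1], tcp_probe
    else:
        target, probe_fn = "mail.example.test", make_fake_probe({993, 110})
    print("auto-detect would choose:", pick_service(target, probe_fn))
    print("service report:", audit_lockdown(target, probe_fn))
    exposed = insecure_services_exposed(target, probe_fn)
    print("LOCKDOWN OK" if not exposed else f"INSECURE LISTENERS: {exposed}")
```

Run it with no arguments to see the simulated case, or pass your provider's mail hostname to audit a real server. A provider that is properly locked down, as the article describes for HIPAA accounts, should report only the two secure services as reachable and an empty exposed list; anything else means the device could still end up on a plaintext connection if the secure ports were ever unreachable.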

LuxSci, Blackberry, and HIPAA

HIPAA-compliant email accounts at LuxSci are automatically locked down to require forced secure connections to all services (POP and IMAP included), hence insecure connections are disallowed and not even possible. You may optionally use secure IMAP or POP with secure SMTP in standard ‘non-HIPAA-compliant accounts’ and have available the ability to enable forced secure connections for all users.

  1. You can use your Blackberry to read email in your HIPAA-compliant LuxSci email account and remain HIPAA compliant.
  2. You control whether email is sent from your Blackberry. Keep in mind that these email messages will never pass through LuxSci’s servers, and we thus have no control over them.  If you were to send ePHI in an outbound email message from your Blackberry, it is likely that this action would violate the requirements of HIPAA — and you, the sender, are solely responsible for that potential violation.

LuxSci recommends that if you will be using your Blackberry to read email that may contain ePHI, you never use the same device to send outbound email.  By choosing this safe course, you will never accidentally violate HIPAA, and you limit your liability.

A Business Associate Agreement with Blackberry?

With the new HITECH provisions of HIPAA, any entity covered by HIPAA that does business with another organization who will have access to or control the flow of ePHI for the HIPAA-covered entity, should have a HIPAA Business Associate Agreement (BAA) with that business partner.  Among other things, this BAA would require the business partner to themselves meet the administrative, technical, and physical safeguards required by HIPAA and to take responsibility for the security of any ePHI in their possession.  LuxSci provides such agreements to HIPAA accounts.

A Blackberry reads email by pulling that message from your email provider (i.e. LuxSci) to Blackberry’s servers, and then pushing from there to your phone.  Similarly, when you send email, that email is sent from your phone to Blackberry’s servers and out to the Internet.  Any ePHI will be unencrypted in the Blackberry servers for some period of time with no record of what may be done with it there (i.e. backups, access via operations staff, etc.).  If your ePHI is traveling through Blackberry’s servers regularly, due to your business (service) relationship with them, it is arguable that you need to establish a BAA with Blackberry to ensure that they are HIPAA compliant with respect to your data (Blackberry does not offer a BAA.).  From the point of view of Blackberry, they provide secure transmission of your data and have only “incidental” access to any ePHI, and thus they don’t really need to be a Business Associate under HIPAA.

Who is right? The law is not yet clear on this point. The conditions under which business partners or service providers need to be HIPAA compliant and sign BAAs with you will surely be clarified over the coming years.  In the meantime, as a HIPAA-covered entity yourself, you must determine whether you wish to take the risk: either eliminate the use of Blackberrys for ePHI communications altogether, to be safe, or accept onto your organization the liability of a HIPAA breach due to Blackberry’s servers or staff if you choose to use them.

All other mobile phone devices, like iPhone, Android and Palm, connect directly to your email service provider for the sending and receiving of email (and offer the option to do this securely).  A HIPAA Business Associate Agreement with the cellular provider is not relevant here, just like there is no need to establish a HIPAA Business Associate Agreement with your ISP just because your secure Internet connections pass through their infrastructure.

What is the upshot?

A Blackberry is a popular mobile device.  You can use it with ePHI data and with a LuxSci HIPAA account if you:

  • Only check (read) your email
  • Never send any ePHI out from the Blackberry itself
  • Trust that Blackberry themselves will not have any issues that will lead to a HIPAA breach with respect to your email data

The alternative is to choose a mobile device that can:

  • Allow both the secure sending and receiving of email
  • Avoid the use of a “middle man” in the processing of your email

Additionally, you may be surprised to find that the email services available on many other mobile devices, like the iPhone, Android and Palm, are much better than those offered with a Blackberry.  Blackberry works well if you are on Exchange with a Blackberry Enterprise Server (though we do not address how that applies to HIPAA here).  Outside of that environment, most other mobile devices offer better email services and email security.


