(Editor's note: This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA). If you have questions, please send them to Sheryl Jackson, Hospital Home Health, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: firstname.lastname@example.org.)
Question: Does instant messaging provide extra security concerns under HIPAA?
Instant messaging does raise some additional concerns, says Robert W. Markette Jr., an Indianapolis attorney. Recently an agent with the United States Secret Service was fired for using his messaging device to work on sensitive information, he says. "He was fired because his wireless provider's server was hacked while the sensitive files were stored on it, resulting in a disclosure of sensitive investigation information."
Instant messaging raises a similar issue for home health providers, because the instant messaging server maintains messages and connection information, Markette says. "This creates a very real risk of electronic personal health information [EPHI] being disclosed while stored on the instant messaging provider's server," he says.
The home health agency very likely does not know the extent of security on that server and also is unaware of the risk to the information on that server, Markette says. "In light of a number of recent rather public cases of servers being compromised by hackers, home health agencies should carefully consider the security implications of sharing EPHI through instant messaging via a third-party server," he recommends.
Unauthorized access to stored messages is not the only threat to information when instant messaging is involved, says Markette. Hackers have been able to obtain instant messaging user logs and use them to send messages, he says. "This could result in an individual exchanging messages with someone they thought to be a client or colleague who is authorized to receive the EPHI, but who is not," he says.
For these reasons, instant messaging is widely considered to be insecure, Markette says. "Because it is considered insecure, it is probably not a good idea to use it to communicate EPHI, especially since there are many other means to communicate with your employees such as cellular phones, e-mail, and pagers," he says. "These means are often just as fast as instant messaging and are often far more secure."