ClickCare Café

4 Gaps in EMRs & EHRs That Telemedicine Fixes

Posted by Lawrence Kerr on Wed, Mar 16, 2016 @ 07:30 AM

About 7 years ago, the Health Information Technology for Economic and Clinical Health (HITECH) Act was implemented, investing $30 billion in electronic health records.

The goal was pursuit of "meaningful use" of these EHRs and EMRs, not simply implementation. And there was a "triple aim" of affecting care experiences, population health, and per-capita costs.

A recent Commonwealth Fund report interviewed 47 national leaders and stakeholders and gathered some findings about the success of the HITECH Act. Specifically, they looked at the ways that the Act has and has not affected these triple-aim goals -- and what that means for healthcare moving forward.

Since our colleagues are so deeply affected by this act, and since telemedicine has been a key part of the way meaningful use is pursued at many institutions, we've put together some of the most crucial parts of the report.

Key findings about HITECH's EMR and EHR implementation, and the opportunity (and need) for telemedicine as a complement: 

1. EHR systems do not adequately meet most clinical or operational needs. There were high hopes for the implementation of EMRs and EHRs, but the truth is that while they are good tools for storing patient information, they are not sufficient for supporting better or more efficient care. We see telemedicine as one key way to complement EMRs and EHRs and address those clinical and operational needs.

2. There needs to be better reward for the value, rather than the volume, of care. If anything, EMRs and EHRs do a great job recording how much happened, but not supporting high-value care. 

3. The "triple aim" has not been as successful as the dissemination of EMRs/EHRs.

4. EHRs can't really lower costs -- but telemedicine can. As the report summarizes, what is needed now are "clinical decision support systems that can encourage best practice, promote shared decision-making and reduce the variation of care provided." In other words, what we need now are some tools that support good healthcare collaboration. 

 

If you want to learn how hybrid store-and-forward telemedicine can support HITECH, telemedicine, and decreased costs, download our free ebook:

 

ClickCare Quick Guide to Hybrid Store-and-Forward

 

 

Tags: telemedicine, HITECH, healthcare collaboration, EMR

BYOD | Is Any Smartphone HIPAA Secure for Medical Providers?

Posted by Lawrence Kerr on Thu, Aug 14, 2014 @ 03:04 PM

When President Obama came into office, there was quite an uproar about whether he'd continue to be able to use a smartphone for his communications. Eventually, a lab was established where experts worked for months to create a secure smartphone for the president to use and he's now often seen typing away on his device -- called "Blackberry One."

Of course, the president's security needs are a little greater than the average person's. But with 67% of nurses using their smartphones to support clinical communications and workflow, many BYOD issues are arising for institutions, and many medical providers are using smartphones for telemedicine and other uses. So, many people have wondered:

If the president wasn't cleared to use an off-the-shelf iPhone, Android, or Blackberry, is any smartphone actually HIPAA secure for medical uses?

The short answer is yes, but only if you use the devices in certain ways. Using a smartphone, like an iPhone, to make a call or send text messages may not be secure. That's why the president couldn't use it. Further, as we know, email is never HIPAA secure, much less on a smartphone.

However, logging into an app like iClickCare on your smartphone, Android, or iPhone is actually HIPAA secure. You're absolutely HIPAA safe and protecting PHI (protected health information), including patient data, pictures and videos of the patient, and collaborations with other medical professionals, if: 

  1. Data is NOT stored locally on the device
  2. The company that makes the app promises HIPAA compliance and does rigorous and constant checking of that HIPAA compliance.

So, yes -- use technology to care for your patients. Just be smart about using the right technology for the right use.

Curious what everyone means when they talk about Hybrid Store and Forward Telemedicine as the best way to collaborate in a HIPAA safe way? Get our free guide here: 

ClickCare Quick Guide to Hybrid Store-and-Forward

Tags: telemedicine, HIPAA, HITECH, Personal Health Information, compliance

The 5 Worst Ways to Protect Patient Data in Medical Collaboration

Posted by Lawrence Kerr on Tue, Jul 08, 2014 @ 12:17 PM

Most of the time, we're astounded by our fellow medical providers' ingenuity, insight, and intelligence.

However, new technologies bring new challenges. And new challenges can bring, well, not-so-smart ideas. As we've talked to doctors, nurses, aides, administrators, and lawyers in the medical field, we've heard some truly terrible ideas about how to protect patient data, photos, and information in HIPAA secure ways.

In service of helping you avoid these HIPAA mistakes and misunderstandings, we bring you the 5 worst ways we've seen of protecting Protected Health Information (PHI) in the medical field:

  1. Do nothing. We've heard a lot of providers say that they can't worry about HIPAA because they're "taking care of patients," and a lot of organizations say that the EHR implementation is their first (read: only) priority. These justifications lead to an approach of denial and neglect, neither of which helps the patient or the provider. The patient comes first -- of course -- but part of caring for them is caring for their data.
  2. Wait for the EMR to incorporate pictures. We've been hearing people say they're waiting for the coming of the pictures for 10 years. Along with the chance that your EMR provider will never effectively incorporate pictures, the focus on this misses the point. Collaboration that only happens through EMRs precludes the inclusion of any provider, anywhere, as part of the team. That means that providers at different points in the spectrum of care, less traditional providers, or providers in other places or institutions can't be part of care -- which is inefficient and ineffective.
  3. Never do anything that's not interoperable. Interoperability is important, and it's a fantastic priority to work toward. However, many fantastic, interoperable systems need to start with some systems that aren't interoperable -- but are the best tools for the job. Then, gradually, the organization can find ways to weave those tools together based on how the providers use them and their effect on patient care. And don't forget we need to educate ourselves and others. Comparison over time and visual trends are invaluable not only for education, but for delivering care as well.
  4. Only allow devices approved by the institution. In the same way that smart companies give employees the discretion to spend money if it's in service of the customer, smart institutions ensure their providers have the right tools to care for patients. Sometimes it's best if all providers use the same tools and devices. Other times, it makes more sense for providers to BYOD (Bring Your Own Device) and for a culture of trust and standards to be developed around HIPAA. Policies that help providers make the best choice around technology are most respectful of providers' -- and patients' -- lives, work, and roles.
  5. Prohibit any pictures or photos.  We heard the General Counsel for a major health organization say that "no photos" was their HIPAA policy, and it is something we hear frequently. However, it's really impossible to turn back the tide of smartphones and digital cameras. The fact is that people, families, and providers will use photos for medical care. (And this data can be an incredible boon to progress, medical education, and collaboration.) The only question is how to provide the tools and support to make these photos safe for PHI, for patients, and for providers.
     
Curious whether a BYOD (Bring Your Own Device) policy is good or bad for HIPAA? Get our BYOD guide here: 
iClickCare IS BYOD Secure

Image courtesy of stereoscopy on Flickr, used under Creative Commons rights.

Tags: medical collaboration, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images

Can Athletic Trainers be Prosecuted Under HIPAA?

Posted by Lawrence Kerr on Wed, Apr 09, 2014 @ 08:39 AM

Athletic Trainers are skillful folks who often work in in-between spaces: they're not a coach but they guide athletes; they're not physicians but they provide crucial medical care; they're not professors but they work in universities.

So when it comes to Patient Health Information (PHI), and the management of that information, Athletic Trainers have also existed in an in-between spot. These professionals are left with confusion as to whether HIPAA -- and its fearsome set of regulations and punishments -- apply to them. Can they email a picture of a patient's ankle to an Orthopedist? How do they need to save patient information at the right level of security? With whom -- The patient's family? The coach? A doctor? The patient's professor? -- can they share patient medical information?

It is certainly understandable that an Athletic Trainer might be confused, because this is a rapidly evolving field and set of rules with a knot of confusing laws. A college or university may be considered a "covered entity" or hybrid - with a health center being a covered entity and an academic department, not. "Covered entities", of course, do need to comply with HIPAA… but Athletic Trainers are not billing the patient, so it's possible that there is a loophole there.

Despite the confusion, some legal precedent is beginning to make it clear that Athletic Trainers must be aware of, and for the most part, adhere to HIPAA.

As summarized in HIPAA Solutions' Compliance Alert, "Court rulings, along with recent updates to Federal and state regulations reveal that, in fact, HIPAA has a broad reach in relation to health information associated with students."

In particular, another ruling drills down into the exact HIPAA status of Athletic Trainers themselves: "a Federal District Court applied both HIPAA and FERPA to Penn State University, concluding that both statutes apply to athletic trainers."

Given the legal precedent and ramifications of not complying, here are our 3 tips for Athletic Trainers on staying in compliance with HIPAA:

  • Protect PHI. Especially given the legal precedent above, it's clear that PHI must be protected by Athletic trainers. That means protecting it from people that aren't allowed to access it, making sure it's stored securely, and making sure it's shared securely.
  • Consult an attorney if in doubt. Because there are some grey areas here, you'll certainly need to make the best decision you can, but don’t ignore it. Get the information that exists and then decide what makes sense in your unique situation. 
  • Stop using email to send pictures. When any PHI is sent by electronic means, it is protected under HIPAA. Email isn't HIPAA-secure, so if you want to collaborate with other providers, you'd need to use a telemedicine platform like ClickCare that promises HIPAA compliance.

As Athletic Trainers, how has HIPAA come into your practice? What precautions do you take? Share your experiences in the comments below.

And if you're curious how telemedicine can help you come into HIPAA compliance as an Athletic Trainer, get our free quick guide here:
ClickCare Quick Guide to Telemedicine


Image courtesy of pennstatelive on Flickr, used under Creative Commons rights.

Tags: medical collaboration, HIPAA, HITECH, Telemedicine and HIPAA, athletic trainers

Are You Making HIPAA Mistakes in Sending Medical Photos Online?

Posted by Lawrence Kerr on Thu, Feb 13, 2014 @ 08:54 AM

(Reviewed and updated May 18, 2016)

Recently, we've shared our suggestions on how to share patient files securely and the best ways to take medical photos. From those posts, an additional question came up from our readers who are using technology but still trying to stay HIPAA secure...

How do I send medical photos securely over the internet?

Good question! Many of the tactics for staying HIPAA-safe while sending medical photos over the internet came up in our recent posts, but there are a couple of specific things to keep in mind.

When sending medical photos on the internet, don't make these HIPAA mistakes:

  • Texting from your phone. As with texting patient information, you can't text photos unless you use a secure service. Merely texting from your smartphone definitely won't do the trick when it comes to HIPAA, even if it's just a patient photo (without their record.) 
  • Saving photos on your camera roll. Few people realize that the camera roll on your smartphone is not HIPAA-secure. ClickCare uses a HIPAA-secure camera roll for that very reason.
  • Sending photos via email. Email isn't HIPAA-secure, even "secure" email. If you're looking for the kind of sharing that email and photos can give you, consider doing medical collaboration with a hybrid store-and-forward telemedicine platform, which can let you share photos while not running afoul of HIPAA. 
  • Leaving them on your data card. A final thing to be careful of is the data card in your digital camera. If you store your data card in a place where people can get to it, or you're sharing your camera with other people, that data card is not HIPAA secure. The system we recommend is to erase the data card as soon as you've uploaded your photo to the secure sharing platform you're using. 
  • Saving them on your hard drive. As safe as it may seem, in most contexts it is not HIPAA-compliant to leave patient photos on your computer's hard drive. So use the same protocol as with a data card -- erase the photos as soon as they're uploaded to your telemedicine platform. Did you know your copier also has a hard drive - the old way may not be so safe either!

 


Image courtesy of ben_grey on flickr.com, used under Creative Commons rights.

 

Tags: iPhone photography, Medical iPhone Photography, medical collaboration software, HIPAA, HITECH, Telemedicine and HIPAA, HIPAA secure images, mhealth, iPhone medical apps, medical photography

How Secure are Your Medical Photos on the iPhone?

Posted by Lawrence Kerr on Thu, Jan 16, 2014 @ 08:34 AM

Increasingly, taking photos is a part of our lives. We snap photos when we're out at dinner or on a trip. And we certainly want to take a picture when we see an interesting case or need to remember or share something about a patient.

With the significant fines and punishments for HIPAA violations, however, medical photography on your iPhone or smartphone brings up several HIPAA compliance and security issues:

  • If your phone gets lost, all photos on your camera roll are insecure
  • Once a photo is on your phone, it is tempting to email or text it, both of which are in conflict with HIPAA.
  • Photos on your camera roll may be susceptible to access by apps that are not HIPAA compliant.

So what is a person to do? It seems ridiculous to choose not to use technology in service of patient care. Here is the good news: you can and should use your iPhone or other smartphone for medical photography. In fact, we think that medical photography is a simple, powerful way to improve how we care for patients and make our lives as providers a little easier.

So here is a checklist to make sure that your medical photos are secure and useful:

  • Understand HIPAA. You don't need to drive yourself crazy, but a little understanding of the fines and penalties goes a long way.
  • Never put patient photos into your regular camera roll. Sometimes smartphone apps (with the exception of iClickCare) pull from your camera roll-- even sharing pictures without your knowledge. And even if that doesn't happen, your camera roll only has one layer of security -- the login password on your smartphone. So when dealing with patient photos, we recommend using a secure app like iClickCare that doesn't ever save photos to your camera roll. You'll know your pictures are safe, and used only for your purposes. 
  • Use some overall security strategies so you don't have to worry. When your technology is more secure overall, your photos are more secure, too. 
  • Don't email photos. Email is never a secure way to collaborate. 
  • Use apps that are explicitly HIPAA-secure. When you do collaborate, only use collaboration platforms that explicitly promise HIPAA security.

 

Security issues aside, we all want our medical photos to be a little bit better. Get the first chapter of our book on iPhone photography for free:

 

medical photography introductory chapter

Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, best medical apps, clinical photography, medical photography, clickcare, telemedicine law

Getting Started Simply: HIPAA for Dentists

Posted by Lawrence Kerr on Mon, Nov 04, 2013 @ 08:54 AM

 

We've heard from many of our dentist colleagues that there is increasing pressure to be HIPAA-compliant. Some dentists are choosing to hope for the best and keep using email to communicate about patients. Others are spending upwards of $100,000 to hire HIPAA consultants.

Forget secure email, that is not the answer to keeping you safe. You need to bring your entire office into compliance with HIPAA. 

Here is a brief summary and a tool for how to start the process immediately and quickly, without expensive and slow consultants. You will eventually need more, but this is a start. As you read this, please be aware that we are not lawyers, we do not represent the government, and that this post is merely a place to start. Because our iClickCare Hybrid Store-and-Forward collaboration service was developed from the onset with HIPAA in mind, we want to share some time-saving experience with you. At the end of this post is a link which will bring you to a more complete framework and a tool which reduces 492 compliance questions to only 32.

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 Rule? Increasingly, understanding and adapting to these laws is the only way to care for our patients -- and protect ourselves.

What you need to know about the health privacy laws that affect you as a dentist:

  • HIPAA was passed in 1996. The internet bubble was expanding. The world wide web was born. What about our privacy? The Health Information Portability and Accountability Act came into being. It mandates electronic processes to protect health information. It controls everything from digital electronic information to paper charts to locks on doors and conversations.
  • HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009. It stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides penalties for not using them and markedly increases fines and jail terms for disclosure of health information.
  • Omnibus Rule 2013. In 2013, HIPAA was amended with the final rules that expand and detail the reach of the act -- these additional regulations are termed the "Omnibus Rule." The Office of Civil Rights of the Department of Health and Human Services summarized the over 500 pages of Omnibus Rule with four final rules that:
    • Make Business Associates of Covered Entities directly liable for compliance.
    • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    • Expand individuals' rights to receive electronic copies of their health information.
    • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    • Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
    • Adopt the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. 
    • Replace the breach notification rule's "harm" threshold with a more objective standard. [Previously, a breach had to be reported if there was a "risk of harm." The Omnibus Rule requires any breach to be reported.]
    • Prohibit most health plans from using or disclosing genetic information for underwriting purposes.

A risk assessment of your practice is required. There are five components:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Safeguards
  • Policy and Procedures and Documentation Requirements

This assessment can be done by you. Of course, the findings of the assessment and the plan of action must be documented. The assessments need to be ongoing. In addition to the self-assessment below -- ClickCare's Quick Guide to HIPAA Toolkit -- here are a couple of other tools that might be useful:

 

For our free kit to bring your dental office into HIPAA compliance, click here:

Download Quick Guide HIPAA Toolkit  

 

And take a look at some dental cases that can be solved with telemedicine:

What would you do? Fun cases.

 

 

 

Tags: HIPAA, HITECH, HIPAA secure images, Omnibus Rule

HIPAA Final Rule Compliance Deadline: HIPAA and Telemedicine

Posted by Lawrence Kerr on Fri, Sep 13, 2013 @ 02:05 PM

An important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Monday was overall background; Wednesday was about steps to get in compliance; Today we're discussing HIPAA and telemedicine.

As we wrap up our week of posts addressing the final HIPAA rule deadline, we wanted to help you understand how telemedicine fits in with the world of HIPAA.

So, a roundup of our most popular posts on telemedicine and HIPAA: 

Now, what: 
We've created a tool that reduces the 492 official HIPAA compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

Click below for a quick-and-easy version of an assessment to help you come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance

HIPAA Final Rule Compliance Deadline: Easy Steps

Posted by Lawrence Kerr on Wed, Sep 11, 2013 @ 08:21 AM

An important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Monday was overall background; Today we're talking about steps to get in compliance; Friday we're discussing HIPAA and telemedicine.

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 bill? 

  1. You are a health care professional.
  2. It’s the law (read: you'll pay if you don't "care.") 

The Office of Civil Rights of the Department of Health and Human Services summarized the 500+ pages of the Omnibus Rule as including the following final modifications:

  • Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to information by family members or others.
  • Increased and tiered civil money penalty structure provided by the HITECH Act.
  • Replacement of the breach notification rule's "harm" threshold with a more objective standard. [Our note: Previously, a breach had to be reported if there was a "risk of harm." The Omnibus Rule requires any breach to be reported.]
  • Prohibition of most health plans using or disclosing genetic information for underwriting purposes.

In service of becoming compliant, a risk assessment of your practice is required. There are five safeguards that need to be assessed:

  • Administrative
  • Physical
  • Technical
  • Organizational
  • Policy and Procedures and Documentation Requirements

Now, what: 
This assessment can be done by you but the findings of the assessment and the plan of action must be documented and the assessments need to be ongoing. We've created a tool that reduces the 492 compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

 

Click below for a quick-and-easy version of the assessment and come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance

HIPAA Final Rule Compliance Deadline: Background

Posted by Lawrence Kerr on Mon, Sep 09, 2013 @ 10:56 AM

An important deadline is coming up. By 9/23/13, healthcare providers need to come into compliance with the final HIPAA rule. Because our iClickCare hybrid store and forward collaboration system was developed with HIPAA in mind, we want to share some time-saving experience with you. This week, we're covering 3 aspects of the deadline. Today is overall background; Wednesday we're talking about steps to get in compliance; Friday we're discussing HIPAA and telemedicine.

Healthcare providers have a way of focusing on the "now." There's always another patient to see -- and future deadlines can slip. Plus, truth be told, we get tired of the endless regulatory hoops to jump through.

That said, it's crucial to understand our regulatory context, and the time to avoid expensive and difficult violation penalties is now. After the background below, jump to the button at the end of the post to start the assessment process immediately and quickly, without expensive consultants. 

Some background on this September 23rd HIPAA deadline: 

HIPAA
In the mid-90s, the internet bubble was expanding and the world wide web was born. Amid all that connection, concerns about privacy and insurance arose, and in 1996, HIPAA was passed: the Health Information Portability and Accountability Act. In exchange for the ability to transfer, access to continuing health insurance, and healthcare fraud monitoring, the act mandates processes to protect health information. It controls more than digital electronic information, however: it controls paper charts, locks on doors and conversations as well.

HITECH
HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009 and stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides for penalties for not using them and increases fines and jail terms for disclosure of health information.

The 9/23 Deadline
Since the passing of HIPAA in 1996, rules and revisions have been added to clarify and add to the regulations. Most recently, in January of this year, the HIPAA "final rule" -- the 2013 Omnibus -- was released. Part of that release was a mandate that all healthcare providers covered under HIPAA must come into compliance -- typically involving an assessment. There are 492 questions that comprise the rule's components, though -- a daunting assessment for any practice.

The quick and easy way
We've created a tool that reduces the 492 compliance questions to only 32, while still meeting the HIPAA standards. You will eventually need more work in this area, but this is a start. Of course, be aware that we are not lawyers, you shouldn't take action on information in this post alone, and we do not represent the government.

Click below for a quick-and-easy version of the assessment and come into HIPAA compliance. 

Free Tool-Kit

Tags: HIPAA, HITECH, telemedicine and hippa, compliance
