Potentially, yes. A dental practice risks a breach of patient confidentiality whenever it sends unsecured electronic protected health information over an open network. A dental practice must also consider the risks associated with storing ePHI on a device that can be lost or stolen.
Sending unsecured images and text over a cellular network violates the HIPAA Security Rule's transmission security requirements unless the dental practice has done at least one of the following:
- De-identified the information; OR
- Performed a risk analysis of its transmission security AND implemented appropriate safeguards; OR
- Obtained written authorization from the individual to send the information in an unsecured manner. CAUTION: the written authorization must include the individual's acknowledgement of the risk to their privacy. The Acknowledgement of Receipt of Notice of Privacy Practices form signed by new patients does not grant authorization for sending unsecured ePHI.
So the answer is "maybe." To avoid a breach a dental practice must be mindful of the following:
- What is the dental practice sending?
- How is it being sent?
- What safeguards are in place, and are the safeguards reasonable, based on a current risk analysis?
- If the information is not being sent in a secure manner, has the patient authorized and instructed this transmission in full knowledge of risks?
The dental practice must employ appropriate safeguards for data "in motion." Some examples of transmission methods that might work include, but are not limited to:
- A secured payer web portal that permits uploading of images by trusted users
- An encrypted email service
- A health care image sharing app that employs sufficiently strong transmission encryption
- A Health Information Service Provider (HISP) accredited by DirectTrust
Another, far greater risk is the loss or theft of the cell phone itself, especially if it stores unencrypted images on its memory card.
Lost or stolen unsecured devices are a major cause of large breaches affecting thousands of individuals. These breaches in turn lead to complaints, expensive and highly publicized settlements, and sometimes federal civil monetary penalties. No dental practice wants this.
Using personal phones without appropriate security features is extremely risky and could be ruinous if the phone is lost or stolen. It is therefore HIGHLY inadvisable to use a non-dedicated, unsecured cell phone, or an unsecured app that does not also encrypt images stored on the phone's memory card or in the phone's cloud-based storage. If a secured phone is lost or stolen, the encryption can still provide safe harbor from the breach notification requirements, provided it conforms to the methodologies named in the HITECH Breach Notification Rule's Safe Harbor provisions (the HHS guidance points to NIST Special Publication 800-111 for data at rest). Note that safe harbor depends on the decryption key not being compromised along with the device: a phone with no passcode, whose storage is unlocked whenever it is powered on, is effectively unencrypted for this purpose.
If a secured, encrypted phone or app is used in your dental practice, make sure the encryption algorithm and key strength have been independently tested and validated for conformance with the HHS Guidance, for example by checking that the cryptographic module holds a NIST FIPS 140 validation, rather than relying on a vendor's marketing claim that the product is "HIPAA compliant."