Remember pagers? Those little devices about the size of a pack of playing cards that used to be cool to wear on your belt back in the 80s? You could get short messages on them, usually telling you to call a number, and which then set in motion the search for (cue the Wayback Machine) a pay phone.
You might think mobile phones killed off pagers. They nearly have, but doctors and hospitals still use them. Why? There are a number of reasons, actually. Pager signals penetrate buildings better than cellular phone signals do. Pager signals can travel much longer distances. Pagers don’t store data like phones do. Pages won’t be missed the way a text message on a phone might if the phone is being used. Text messaging on mobile phones is not secure, so it is not HIPAA-compliant.
So pagers must be safe, right? Apparently not. Companies have learned the hard way that pager messages are (a) not encrypted, and (b) easy to intercept with parts you can buy at Radio Shack.
Because pager messages are short, the risk of messages containing patient protected health information (PHI) is limited. It does happen though, and if those messages are intercepted the hospital or other provider may be forced to report a data breach to the Office of Civil Rights (OCR) of the Department of Health & Human Services. The OCR enforces HIPAA and HITECH, and they could see this as a problem deserving of an enforcement action.
Healthcare companies need to be aware of this issue. Solutions such as encrypted pagers are available. Before implementing a technological fix though doctors and hospital staff should be made aware of the problem and encouraged to avoid including patient PHI in pager messages whenever possible.
If a company takes steps such as these and a breach nevertheless happens, documented efforts to address the problem could limit or prevent any fines from being assessed by the OCR. The OCR wants to see a culture of compliance with the data security and privacy rules on the part of covered healthcare entities and business associates. If a company can show that it is trying to address the problem the OCR may just give them a break.