Test your HIPAA Awareness!


Posted August 27, 2025

Case: A psychiatrist is using his iPhone to provide telehealth services to Medi-Cal and Medicare patients, offering 15-minute diagnostic impressions and 10-minute medication management sessions. One patient shared, “He doesn’t even know me because I’ve never met him in person, and the longest appointment I’ve had was only 10 minutes. I want a psychiatrist I can meet face-to-face.”

Is this a HIPAA violation?

  1. No, telehealth is approved.
  2. Yes.
  3. No, but it is a Centers for Medicare & Medicaid Services (CMS) violation.


Is using a smartphone (iPhone) while driving to conduct patient-doctor business a HIPAA violation?

1. Summary of Complaint

  • The psychiatrist conducted sessions in a non-private setting (inside a moving vehicle), on a personal iPhone with no HIPAA safeguards (no secure telehealth platform, no Business Associate Agreement).
  • The patient's Protected Health Information (PHI) could be overheard by passengers or bystanders, or intercepted in transit.
  • No reasonable safeguards were implemented.

2. HIPAA Rules Violated

  • 45 C.F.R. §164.530(c) – Privacy Rule safeguards standard: a covered entity must have appropriate administrative, technical, and physical safeguards to protect PHI from any use or disclosure not permitted by the rule, including incidental disclosures.
  • Privacy Rule (45 C.F.R. Part 164, Subpart E) – restricts uses and disclosures of PHI; an incidental disclosure (such as a session overheard in a car) is permitted only if reasonable safeguards and the minimum-necessary standard were applied (45 C.F.R. §164.502(a)(1)(iii)).
  • Security Rule (45 C.F.R. Part 164, Subpart C) – requires technical safeguards for electronic PHI (ePHI), including access control on the device (§164.312(a)(1)) and transmission security for ePHI sent over a network (§164.312(e)(1)).

3. Use of an iPhone for Telehealth (Technology Standard)

Psychiatrists, RNs, other clinicians, and medical service providers must use a HIPAA-compliant telehealth platform: one that encrypts sessions in transit, supports access controls and audit logging, and whose vendor has signed a Business Associate Agreement (BAA) if third-party software is used. HHS does not certify products as "HIPAA compliant"; the covered entity is responsible for verifying these properties before using the platform with patients.

No medical service provider can rely on a regular iPhone unless it runs a HIPAA-compliant, encrypted telehealth application covered by a BAA. The HHS Office for Civil Rights enforcement discretion that tolerated consumer video apps for telehealth during the COVID-19 public health emergency expired in 2023 (the transition period ended August 9, 2023), so that allowance no longer applies.

  • The psychiatrist must use a secure, HIPAA-compliant communication system and be able to conduct the service without distraction. A moving car is not considered a clinically appropriate environment.

Legal Requirement for Business Associate Agreement

HIPAA requires covered entities (health care providers, health plans, and clearinghouses) to obtain a written contract with their business associates – third parties that create, receive, maintain, or transmit protected health information (PHI) on the covered entity's behalf. For telehealth, that means the vendors of the software platforms and cloud services used to communicate with patients (video, messaging, scheduling, transcription, storage). The device itself (smartphone, tablet, iPad, computer) is not a business associate, but every service on it that handles PHI must be covered by a BAA, and the device must meet the Security Rule's safeguards (for example, device encryption and a passcode, with no PHI kept in unprotected consumer apps).

  • Code: 45 C.F.R. §164.502(e)(1) requires satisfactory assurances, in the form of a BAA meeting the requirements of §164.504(e), before PHI can be disclosed to a business associate.
  • Why important: Without a valid BAA, the covered entity is in violation of HIPAA and can face civil money penalties; a knowing wrongful disclosure of PHI can also carry criminal penalties under 42 U.S.C. §1320d-6.

CMS allows exceptions to the in‑person requirement if:

  • The patient and practitioner agree, based on clinical judgment, that the risks or burdens of in‑person care outweigh the benefits.
  • The reason must be clearly documented in the patient's medical record.
  • Location of provider: CMS does not prohibit the clinician from being outside a medical office. Providers may furnish telehealth “from any site” (including their home or other location).
  • BUT: the flexibility on location does not relax the technology and setting requirements above. The provider must still use a secure, HIPAA-compliant communication system and conduct the service without distraction; a moving car is not a clinically appropriate environment.

Bottom Line

  • Medical Board complaint → focuses on clinical negligence and professional conduct.
  • HHS Office for Civil Rights (OCR) complaint → focuses on HIPAA privacy and security violations.
  • Answer: Yes, it can be a HIPAA violation.

Dlh-enterprises5150.com

Keeping YOU on Track
