Posted August 27, 2025

‎

‎

Case: A psychiatrist is using his iPhone to provide telehealth services to Medi-Cal and Medicare patients, offering 15-minute diagnostic impressions and 10-minute medication management sessions. One patient shared, “He doesn’t even know me because I’ve never met him in person, and the longest appointment I’ve had was only 10 minutes. I want a psychiatrist I can meet face-to-face.”

‎

Is this a HIPAA violation?

1. No, telehealth is approved.
2. Yes.
3. No. But Center for Medicare and Medicaid Services violation.

‎‎

Is using a Smartphone (IPhone) while driving to conduct patient-doctor business a HIPAA violation?

‎

1. Summary of Complaint

• Psychiatrist conducted sessions in non-private setting (inside a moving vehicle), using a regular iPhone without HIPAA-secure safeguards.
• Patient’s Protected Health Information (PHI) could be overheard or intercepted.
• No reasonable safeguards implemented.

‎

2. HIPAA Rules Violated

• 45 C.F.R. §164.530(c) – Administrative Safeguards: providers must implement reasonable measures to protect PHI.
• Privacy Rule – requires confidentiality of patient communications.
• Security Rule – requires secure transmission of ePHI.

‎

3. Use of an iPhone for Telehealth (Technology Standard)

Psychiatrists , RN, clinicians, and medical service providers must use a HIPAA-compliant telehealth platform (secure, encrypted, with a Business Associate Agreement if third-party software is used).

No medical service provider can legally rely on their regular iPhone unless it runs a HIPAA-compliant, encrypted telehealth application.

· The psychiatrist must use a secure, HIPAA-compliant communication system and be able to conduct the service without distraction. A moving car is not considered a clinically appropriate environment.

‎

Legal Requirement for Business Associate Agreement

HIPAA mandates that covered entities (health care providers, health plans, and clearinghouses) must obtain a written contract with their business associates—third parties that create, receive, maintain, or transmit protected health information (PHI) – that means all electronic devises like smartphones, tablets, iPad, computers, and software platforms used for communication with patients.

• Code: 45 C.F.R. § 164.502(e)(1) requires a BAA before PHI can be disclosed to a business associate.
• Why important: Without a valid BAA, the covered entity is in violation of HIPAA and can face civil and criminal penalties.

‎

CMS allows exceptions to the in‑person requirement if:

• The patient and practitioner agree, based on clinical judgment, that the risks or burdens of in‑person care outweigh the benefits.
• The reason must be clearly documented in the patient's medical record
• Location of provider: CMS does not prohibit the clinician from being outside a medical office. Providers may furnish telehealth “from any site” (including their home or other location).
• BUT: The provider must use a secure, HIPAA-compliant communication system and be able to conduct the service without distraction. A moving car is not considered a clinically appropriate environment.

‎

Bottom Line

• Medical Board complaint → focuses on clinical negligence & professional conduct.
• HHS Office of Civil Rights complaint → focuses on HIPAA privacy/security violations.
• Answer : Yes, it can be a HIPAA violation.

‎

Dlh-enterprises5150.com