Are Pagers HIPAA Compliant?

Many healthcare providers are asking the question “are pagers HIPAA-compliant?” The simple answer is no: pagers are not HIPAA-compliant in themselves, but they can be used without violating HIPAA Rules, provided that either no electronic Protected Health Information (ePHI) is transmitted via pager or that data is encrypted.

Unfortunately, just like unencrypted emails and SMS text messages, information sent via pager can be intercepted, and there are rarely controls in place to ensure that any ePHI sent is seen only by the intended recipient. Pagers are therefore a HIPAA violation waiting to happen, and healthcare providers should start looking for an alternative, if they have not done so already.

The problem is that for ePHI to be sent securely, the data must be encrypted. Some pagers do support encryption: the Simple Network Paging Protocol (SNPP) does not prevent encryption from being used, and some suppliers of pagers even advertise their products as HIPAA-compliant because data can be encrypted.

However, while data can be encrypted, pagers do not support end-to-end encryption. The data is encrypted while it is sent over the internet, but there are no controls to ensure that the recipient of the data is the person for whom the message was intended.
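To make that distinction concrete, the following added example (not from the original article) runs a minimal SNPP level-1 exchange against a mock gateway on localhost; the pager ID, message text and shared key are constructed values, and the toy keystream stands in for a real cipher. The gateway logs what it receives: the first page shows that link encryption such as TLS would still leave the text readable at the gateway, while the second page, encrypted before the MESS command with a key only the recipient's device holds, reaches it as opaque hex.

```python
import hashlib, hmac, secrets, socket, threading

def e2e_encrypt(key: bytes, msg: str) -> str:
    """Toy end-to-end layer applied BEFORE the text is handed to SNPP (illustrative only,
    not production crypto): XOR with an HMAC-SHA256 keystream, hex-encoded for 7-bit safety."""
    nonce, data = secrets.token_bytes(8), msg.encode()
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    assert len(data) <= len(stream), "toy keystream covers 32 bytes per page"
    return (nonce + bytes(a ^ b for a, b in zip(data, stream))).hex()

def snpp_gateway(conn, seen):
    """Minimal SNPP level-1 gateway (RFC 1861 PAGE/MESS/SEND/QUIT) that logs what it sees."""
    page = {}
    with conn, conn.makefile("rb") as r:
        conn.sendall(b"220 SNPP Gateway Ready\r\n")
        for raw in r:
            cmd, _, arg = raw.rstrip(b"\r\n").partition(b" ")
            if cmd == b"PAGE":
                page["pager"] = arg.decode(); conn.sendall(b"250 Pager ID Accepted\r\n")
            elif cmd == b"MESS":
                page["text"] = arg.decode(); conn.sendall(b"250 Message OK\r\n")
            elif cmd == b"SEND":
                seen.append(dict(page)); conn.sendall(b"250 Message Sent\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 OK, Goodbye\r\n"); break
            else:
                conn.sendall(b"500 Command Not Implemented\r\n")

def send_page(host, port, pager_id, text):
    """SNPP client; returns the gateway's reply lines. TLS on this socket would hide the
    exchange from an on-path observer but would not change what the gateway logs."""
    with socket.create_connection((host, port)) as s, s.makefile("rb") as r:
        replies = [r.readline()]
        for cmd in (f"PAGE {pager_id}", f"MESS {text}", "SEND", "QUIT"):
            s.sendall(cmd.encode() + b"\r\n")
            replies.append(r.readline())
    return [x.decode().strip() for x in replies]

def run_demo(msg="MRN 7731: K+ 6.1, call now", key=b"device-shared-key"):
    """Send the same (constructed) page in clear and end-to-end encrypted;
    return the gateway's log and both clients' reply lists."""
    seen, srv = [], socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(); port = srv.getsockname()[1]
    def serve():
        for _ in range(2):
            conn, _ = srv.accept(); snpp_gateway(conn, seen)
    th = threading.Thread(target=serve, daemon=True); th.start()
    # First page: gateway logs the ePHI verbatim. Second: gateway logs hex only.
    replies = [send_page("127.0.0.1", port, "5551234", t) for t in (msg, e2e_encrypt(key, msg))]
    th.join(); srv.close()
    return seen, replies
```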

Furthermore, encryption has not been addressed for ePHI sent via analog radio transmission, and as a result, it is possible for messages to be intercepted or for eavesdroppers to access data that is sent via pagers. In fact, eavesdropping on messages sent by pager is not a complicated task. Information on how to do this is freely available on the internet; some websites even offer step-by-step instructions on how to construct a pager scanner. Pagers therefore do not offer the level of protection for transmitted ePHI that is required by HIPAA.

So what can healthcare providers and other HIPAA-covered entities do? It is not possible to replace pagers quickly and completely. Alternatives must be sourced, budgets allocated, and new equipment purchased. Training must also be provided to staff on how to use the new technology, and all of this takes time.

The answer is to start looking at a replacement for pagers now and, in the meantime, implement some short-term measures to keep data secure. That means implementing SNPP with encryption in the short term and, if possible, ensuring that the devices can be remotely wiped, so that in the event of loss or theft the data can be erased to avoid a patient privacy violation.

One of the best replacements for pagers is a secure SMS solution. Secure SMS messaging can be easily set up on Android and Apple devices, and for any organization with a BYOD scheme in place, this is probably the most secure and cost-effective solution. Secure SMS services offer full end-to-end encryption, protecting transmitted data and ensuring that only the intended recipient can read the message. Since mobile phone owners are used to sending SMS messages, little training is required.

Author: NetSec Editor