HIPAA and HITECH compliance while using Blackberry mobile services

When you use blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI), you must abide by the HIPAA and HITECH laws. While using Blackberry devices, you can read ePHI-containing email over POP or IMAP as long as your email provider supports secure, SSL-enabled POP and IMAP connections, and can ensure that the Blackberry will not be permitted to make insecure connections to POP or IMAP services for youHowever, sending emails is not recommended as all email sent from a Blackberry device goes to the Blackberry server and then out over the Internet from there. The Blackberry servers that send the email messages may send them insecurely over the Internet — there is no way to ensure transport email encryption for messages sent from a Blackberry device.

When you setup a Blackberry for reading email from a POP or IMAP account, the Blackberry does not actually give you the choices of POP or IMAP or of security or no security.  All you can do is enter your server name.  Then, Blackberry tries to auto-detect how you can connect and auto-configures itself.

The best way to configure your Blackberry and to ensure that only the secure service that you want is chosen (and stays chosen) is to turn off the other options, if possible. I.e. if you would like to use Secure IMAP, then turn off POP altogether and turn off insecure IMAP.  The result is that Blackberry can only pick the service that you need, and cannot “accidentally” choose something else.

With the new HITECH provisions of HIPAA, any entity covered by HIPAA that does business with another organization who will have access to or control the flow of ePHI for the HIPAA-covered entity, should have a HIPAA Business Associate Agreement (BAA) with that business partner.  Among other things, this BAA would require the business partner to themselves meet the administrative, technical, and physical safeguards required by HIPAA and to take responsibility for the security of any ePHI in their possession.