Data Privacy Concerns at Tulsa Health Department: A Case Study
A Tulsa resident, Michelle Carey, raised data privacy concerns following her visit to the Tulsa Health Department (THD), where her sensitive information was processed on an employee's personal phone. While renewing her SoonerCare insurance, Carey noticed that details such as her birth date, home address, and Social Security number were handled on a private device, leading to security worries.
Dependent on state assistance due to health reasons, Carey questioned the practice of using personal devices for state business. The employee acknowledged the practice, mentioning $30 in monthly compensation. Carey worried about potential data breaches if the phone were lost or compromised.
In response to these concerns, THD highlighted its commitment to data security and privacy standards. Since 2020, it has used RingCentral, a VoIP platform compliant with the Health Insurance Portability and Accountability Act (HIPAA), integrating multi-factor authentication and role-based access to protect Protected Health Information (PHI). THD states that all operations on personal devices occur within the secure application, with no native data storage. Annual HIPAA compliance training is mandated for staff, emphasizing robust data security protocols.
Furthermore, employees may receive stipends to use personal phones, subject to strict adherence to security measures. Non-compliance can lead to disciplinary action, including termination. Carey suggested providing state-owned phones for work to enhance personal data protection.