Welcome to Just Answer! Thank you for giving me the opportunity to assist you! I will do my best to help!
Lane is not online now, so I hope that you don't mind if I answer. I am a CPA with 30+ years' experience and we audit several doctors. I also spent 15 years as a volunteer firefighter, and became very aware of HIPAA and all its extreme requirements. My wife is currently fighting cancer, stage 4, and due to HIPAA her many doctors spend more time trying to be HIPAA compliant than they spend treating her. I have seen firsthand how this law can really hamstring doctors who are just trying to treat patients.
First of all, your doctor is correct in that she cannot use a cell phone in most cases because it is not on a secure network. There are some (very few) apps that are HIPAA compliant, but for the most part cell phones are not secure enough for HIPAA. So if she gets a HIPAA compliant app, then she can use her cell phone. Otherwise she is in violation.
She is not correct in that a patient sign-in list is not compliant. HIPAA does allow some minor disclosure, and a sign-in sheet is allowed as long as the patient's medical information is not on the sheet. If it is simply the patient's name, this is legal. Furthermore, a nurse is allowed to call patient names for appointments out loud and not be in violation of HIPAA. For example, the nurse is allowed to say "Mr Jones? Mr Jones, the doctor will see you now" without being in violation.
Gmail (standard), Yahoo mail and other emails, including Facebook, are not considered compliant because they do not have "at rest" encryption for stored data, and they do not have active encryption. In rough terms, the data stored in the "cloud" is not encrypted enough to be compliant.
However, Gmail does have an app that is HIPAA compliant. Google has Business Associate Agreements that provide the required encryption and other safeguards to make their email HIPAA compliant. You can read more about it at https://www.virtru.com/blog/gmail-hipaa-compliance-need-know/.
Violations of the HIPAA guidelines do result in penalties, ranging from $100 to $50,000, but they are NOT per word. They are per incident, which usually means per email. If the noncompliance is due to an oversight, the penalties are usually $100 to $1,000 per incident, which could mean per email, or per complaint. On the other end of the spectrum, wilful neglect is a flat $50,000 penalty, so if they are not compliant and know that they are not in compliance, and choose to do nothing about it, they get hit with a $50k penalty.
I hope that you have found my answers helpful. IF you have any more, please feel free to ask and I will be happy to answer.
Thanks! Have a great week!