Using mobile devices such as smartphones and tablets to communicate with patients has become common. This growing dependency on mobile devices translates into increased vulnerabilities unless the associated security risks are aggressively managed. Lost or stolen devices continue to account for more than two-thirds of the breaches involving electronic Protected Health Information (ePHI) in violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Wireless communication using mobile devices also poses risks. According to Dr. Cornelia Dorfschmid, an experienced HIPAA compliance consultant, these types of breaches “underscore the importance of going beyond ‘baseline’ security reviews and annual risk assessments and require targeted and more rapid response strategies, including concurrent monitoring and encryption and remote management, for HIPAA compliance related to mobile devices. Individuals with mobile devices commonly fail to: (a) institute strong passwords to access information; (b) encrypt stored data; and (c) use Wi-Fi and public networks in a secure manner and thereby risk exposing ePHI.”
The HIPAA Privacy and Security Rules permit doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other healthcare providers to use electronic transfers of PHI, such as email or text messages, to communicate with patients about their health status, so long as appropriate safeguards are in place, or in the case of unencrypted messaging, the patient has been advised of the risks and still consents to receive PHI in this manner. Medical schools provide residents with tablets to use as textbooks and to round on patients. All this has led to increased potential for HIPAA Security Rule violations that can result in civil monetary penalties of up to $50,000 per violation, and a maximum penalty of $1.5 million for all violations of an identical provision during a calendar year.
Following the passage of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the HIPAA Security Rule specifically requires both covered entities and their business associates to conduct periodic risk assessments of the potential HIPAA risks and vulnerabilities to ePHI maintained on all of their systems, including mobile devices. The HIPAA Security Rule further mandates that reasonable safeguards be applied to such devices, including appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI stored on them. This raises questions and concerns regarding mobile device security and how best to comply with the HIPAA Security Rule. According to HHS, the HIPAA Security Rule outlines national standards designed to protect individuals’ ePHI that is “created, received, used, or maintained” by a covered entity or business associate. The HHS Office of Civil Rights (OCR) and the Office of the National Coordinator (ONC) for Health Information Technology have posted tips on ways to safeguard ePHI when using mobile devices such as laptops, tablets and smartphones in a section entitled “Your Mobile Device and Health Information Privacy and Security.”
15 Tips for “HIPAA Proofing” Mobile Devices
- Provide management, accountability, and oversight structure to ensure proper safeguards and policies and procedures are in place.
- Establish mobile device management (MDM) policies, protocols, processes and procedures to both protect ePHI in a mobile device environment, as well as address a security breach.
- Keep an inventory of personal mobile devices authorized for use by healthcare professionals to access and transmit ePHI, and establish rules for such use.
- Perform a periodic outside independent security risk assessment to assess: (a) whether personal mobile devices are being used to exchange ePHI; (b) which ones are being used on internal networks; (c) what information is being accessed, received, stored and transmitted; (d) whether proper authentication, encryption and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.
- Use a device key, password, or other user authentication to verify the identity of a user, process, or device.
- Install and/or enable encryption where ePHI is stored and sent by mobile devices.
- Install or enable firewalls, and regularly update security software such as anti-malware tools that protect against malicious software (also called malware).
- Install or activate remote wiping and/or disabling.
- Ensure those with mobile devices understand that they must keep devices under personal control or in locked offices or lockers when not in use.
- Install radio frequency identification (“RFID”) tags on mobile devices to help locate a lost or stolen mobile device.
- Establish remote shutdown to prevent data breaches by remotely locking/wiping mobile devices.
- Disable, and do not install or use, file-sharing applications on devices used for ePHI transmission.
- Establish an electronic process to ensure the ePHI is not destroyed or altered by an unauthorized third party.
- Educate staff on the processes and procedures for using mobile devices to access ePHI, and educate clinicians on the risks of data breaches.
- Delete all stored ePHI before reusing or discarding a device.
For more information, Dr. Dorfschmid is available at [email protected].