The usage of cell phones, tablets and laptops have increased across the board. Along with this usage, the amount of identity theft has increased, also. This raises a number of security and privacy concerns.

Following the Rules

Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), known as the Administrative Simplification (AS) provisions, created national standards for electronic health care transactions. Title II covers a lot of ground, but two aspects are particularly relevant to mobile security:

1. The Privacy Rule
   This concerns the use and disclosure of Protected Health Information (PHI) held by “covered entities.” According to the rule, covered entities include insurers, medical service providers and various health care clearinghouses and employer-sponsored health plans, as well as their business associates.
2. The Security Rule
   Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI. It describes three types of security safeguards: administrative, physical and technical.

Understanding HIPAA and Mobile Devices

Mobile devices usually transmit and receive PHI via public Wi-Fi and e-mail applications or through unsecured mobile networks, which place PHI at risk of interception. In addition, most mobile devices now can take and store photographs; however, photos may violate patient privacy, thus raising compliance concerns. Phones in particular, and tablets often, do not store data; instead, they use some sort of cloud storage.

The primary concern is how a doctor accesses patient information. If a physician uses a smartphone, tablet or laptop to access an Electronic Health Record (EHR), he or she generally is in compliance with HIPAA security and network security. However, if the physician saves EHR data or photos to a computer, tablet or phone, and those devices are stolen or lost, he or she might be liable for the HIPAA breach. Liability can be costly.

Data pulled via browsers is generally encrypted, especially through an EHR portal. However, physician-to-patient e-mails outside the portal can be a problem, because the Internet service provider might not be secure — thus, the e-mail communication might fail to meet HIPAA standards.

Taking Basic Security Precautions

The three standards of the HIPAA Security Rules are: Confidentiality, integrity; and access. Access typically refers to passwords. Physicians need to fully evaluate which staff members require access and provide training in security protocols.

Part of physical and technological security involves encrypting patient data. It also involves setting up monitor protection to prevent people who should not have PHI access from reading information off a computer screen — for example, over the shoulder of someone with access. Files should not be left open when not in use or while the computer is unattended.

For most practices, it is a good idea to document each device’s purpose and limit access to it. The next step is to determine how each device should be programmed to make it compliant. Doing so may require hiring a HIPAA compliance expert in addition to an IT expert.

Physician offices also need to develop policies regarding staff use of cell phones, especially now that almost all smartphones have cameras. The policies should answer such questions as, “How and where can employees use their phones?” One suggestion: Instruct staff members to keep their cell phones in the break room and out of patient treatment rooms.

For instance, a staffer might take a photograph of something in the office with a recognizable patient in the background and post it on social media. That could be a HIPAA breach, with financial and legal consequences for the practice. Basic office rules and regulations will assist in transitioning to the HIPAA compliance standards. Individuals need to be conscious to the consequences and be held accountable for their actions.

Discovering More Recommendations

For more information and further recommendations on how to protect and secure patient health information, visit https://www.healthit.gov. This website offers many useful suggestions and also provides physicians best practices on mobile devices and electronic health records.

For more information, contact Amanda Gutierrez at [email protected], or call her at 312.670. 7444. Visit ORBA.com to learn more about our Health Care Group.