Healthcare providers are among the long list of service providers that have embraced the mobile technology revolution. Some healthcare providers are supplying mobile healthcare devices to their staff, and others have introduced the Bring Your Own Device (BYOD) program that allows their staff to bring their devices and use them at work. Whichever the case, mobile technology enables staff to work remotely, which presents several benefits to healthcare providers.
Risks Associated with Use of Mobile Devices for PHI
While there’s no denying that mobile technology has revolutionized how people work, healthcare providers cannot turn a blind eye to the risks that come with the use of mobile devices. Owing to their small size and portability, mobile devices are at a greater risk of being stolen or lost compared to their immobile/fixed counterparts.
In the unfortunate event that a mobile device containing unsecured electronic protected health information (ePHI) is lost or stolen, there’s an increased risk of a data breach that can trigger HIPAA breach notification obligations for a HIPAA-covered entity and/or its business associates.
HIPAA Standards for Keeping ePHI Data Secure on Mobile Devices
In 1996, HIPAA mandated the Secretary of the U.S. Department of Health and Human Services (HHS) to come up with regulations that would protect the security and privacy of certain health information. In compliance with this requirement, HHS published the HIPAA Security Rule and the HIPAA Privacy Rule.
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information that can be linked to a particular person. The HIPAA Security Rule, on the other hand, establishes national standards for protecting ePHI, particularly how it’s transmitted, maintained, or stored.
For your healthcare facility to be HIPAA-compliant, you must fulfill specific requirements. For the most part, you must ensure that physical, administrative, and technical safeguards are put in place and adhered to, as follows:
Technical Safeguards
Require User Authentication
User authentication is the process of verifying the identity of a user before granting access to a mobile device and the information stored on it. One of the ways to secure ePHI is to ensure that mobile devices are configured to require a user password, passcode, or personal identification number (PIN) to gain access. Doing so helps to prevent unauthorized users from gaining access to devices, which in turn helps to restrict access to ePHI.
Enable Encryption
It’s vital that you buy and install an encryption tool for mobile devices that are used to access ePHI. In the event that any of the devices is stolen or lost, encryption makes it impossible to read the information stored on the device. With some devices, it is recommended to enable encryption on device backups as well.
Update Your Security Software Regularly
Hackers usually take advantage of vulnerabilities in common applications such as browsers and operating systems. To keep your network safe, it’s vital that you keep your security software and operating systems up to date. By doing so, you’ll also prevent unauthorized access to ePHI on or through your mobile devices.
Physical Safeguards
You must implement facility access controls to limit access to facilities where ePHI is stored.
You must implement policies that restrict the use of workstations.
You must implement policies and procedures to manage how ePHI is removed from mobile devices after a user leaves the organization.
You must maintain an inventory of all hardware before it is relocated, and a retrievable exact copy of ePHI must be made before the move.
Administrative Safeguards
You must conduct risk assessments to establish ways in which breaches of ePHI can occur.
You must introduce a risk management policy to ensure employees comply with HIPAA regulations.
You must train employees to raise awareness of the policies and procedures governing ePHI.
You must develop a contingency plan that can be rolled out in case of an emergency.
You must restrict third-party access to ePHI.
You must report any security incidents once they occur.
Besides adhering to the above HIPAA requirements for compliance, there are various other best practices for keeping ePHI data secure on mobile devices. They include:
Install and activate remote disabling and/or remote wiping to ensure that all ePHI is removed from the device in case it is stolen or lost.
Avoid using file-sharing applications, and make use of mobile device management (MDM) software that containerizes ePHI and prevents data from being copied out.
Research mobile applications thoroughly before downloading them.
Avoid using public Wi-Fi networks when sending and receiving ePHI; use a Virtual Private Network (VPN) instead.
The implementation of mobile devices will undoubtedly add a lot of value to your organization, on the condition that the proper balance between usability and security is achieved. Taking the right measures to keep ePHI data secure shouldn’t be a matter of meeting compliance only. It should also be a matter of safeguarding the integrity of your patients and your organization at large.
By Carol Amick, manager of healthcare services, CompliancePoint.
According to the United States Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing, and requires protection as well as confidential handling of protected health information.
According to HIPAA rules, any company that deals with protected information must have physical, network, and process security measures in place that are followed to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement, and compliance. As a result, the number of organizations that fail to meet compliance each year remains the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.
Analyze the past to avoid making the same mistake twice
It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA reports that, across all the reviews completed, a number of compliance violations and issues are found frequently each year. These include impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum necessary protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.
Perform a risk assessment and GAP analysis
One preventative measure in assessing an organization’s compliance with HIPAA is a risk analysis together with a GAP analysis. Confusion about, and a lack of understanding of, the two examinations has been common among healthcare professionals in the marketplace for some time. Not understanding the differences can be detrimental to an organization and puts it at a significantly higher risk. According to HHS and OCR guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed within HIPAA compliance.
A HIPAA GAP analysis can be used to measure the organization’s information security standing against HIPAA, and it is part of the HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical, and technical safeguards in place to protect patient health information. Performing the GAP analysis also allows the organization to develop an audit response toolkit, which includes the data and documentation that would support compliance with the HIPAA regulations to regulatory agencies.
A relentless parade of advances, from communication to banking to shopping, seems to be unfolding, all thanks to emerging technology. Somehow, though, healthcare used to lag behind, because many of you believed it was too complicated to be fixed. Well, that’s just not true! Now, more than ever, technology has not only succeeded in improving the consumer experience but has also removed unnecessary cost from the entire healthcare system.
In order to maintain standards of care and improve outcomes for patients, hospitals, and medical centers, technology is providing ever-smarter ways of working like never before. Enacted by the U.S. Congress in 1996, HIPAA was introduced because of the increasing need to address growing technological changes and problems. According to the HIPAA Privacy Rule, the saving, accessing, and sharing of medical and personal information is prohibited. Moreover, it specifically outlines national security standards to protect health data created, received, maintained, or transmitted electronically (ePHI, electronic protected health information).
Apart from this, there are a few primary components one needs to be concerned with:
Privacy rules emphasize what qualifies as PHI (protected health information) and who is mainly responsible for ensuring that nothing gets disclosed improperly. They cover "covered entities," ranging from health plans to health care clearinghouses and health care providers who transmit any health information electronically, as defined by the Department of Health and Human Services (HHS). Beyond covered entities, privacy rules also encompass business associates (anyone who stores, collects, maintains, or transmits protected information on behalf of a covered entity).
On the other hand, security rules relate specifically to electronic information and set guidelines for how to secure PHI. They are broken down into three main categories: administrative, physical, and technical. As the names imply, administrative safeguards revolve around access control and training, physical safeguards are for the actual devices, and technical safeguards relate to the data itself.
The HIPAA Breach Notification Rule is basically a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. This rule distinguishes two kinds of breaches: minor breaches and meaningful breaches. Organizations are required to report all types of breaches, regardless of size, to HHS OCR, but the specific reporting protocols change depending on the type of breach.
Omnibus Rule: This rule was enacted in order to apply HIPAA to business associates in addition to covered entities. According to the rule, business associates must be HIPAA compliant.