In our technologically sophisticated society, private information is more vulnerable than ever before. At the same time, physicians increasingly use some type of mobile device to access health care data. This raises a number of security and privacy concerns.
Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), known as the Administrative Simplification (AS) provisions, created national standards for electronic health care transactions. Title II covers a lot of ground, but two aspects are particularly relevant to mobile security:
The Privacy Rule. This concerns the use and disclosure of Protected Health Information (PHI) held by “covered entities.” According to the rule, covered entities include insurers, medical service providers, and various health care clearinghouses and employer-sponsored health plans, as well as their business associates.
The Security Rule. Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI. It describes three types of security safeguards: administrative, physical and technical.
Mobile devices usually transmit and receive PHI via public Wi-Fi and email applications or through unsecure mobile networks, which place PHI at risk of interception. In addition, most mobile devices now can take and store photographs — but photos may violate patient privacy, thus raising compliance concerns. Phones in particular, and often tablets, don’t store data — instead, they use some sort of cloud storage.
The primary concern is how a doctor accesses patient information. If a physician uses a smartphone, tablet or laptop to access an Electronic Health Record (EHR), he or she generally is in compliance with HIPAA security and network security. But if the physician saves EHR data or photos to a computer, tablet or phone, and those devices are stolen or lost, he or she might be liable for the HIPAA breach. Liability can be costly — though, if the PHI isn’t identifiable, it’s probably nothing to worry about.
Data pulled via browsers is generally encrypted, especially through an EHR portal. But physician-to-patient emails outside the portal can be a problem, because the Internet service provider might not be secure — thus, the email communication might fail to meet HIPAA standards.
The three standards of the HIPAA Security Rules are: confidentiality, integrity and access. Access typically refers to passwords. Physicians need to fully evaluate which staff members require access and provide training in security protocols.
Part of physical and technological security involves encrypting patient data. It also involves setting up monitor protection to prevent people who shouldn’t have PHI access from reading information off a computer screen — for example, over the shoulder of someone with access.
For most practices, it’s a good idea to document each device’s purpose and limit access to it. The next step is to determine how each device should be programmed to make it compliant. Doing so may require hiring a HIPAA compliance expert in addition to an information technology expert.
Physician offices also need to develop policies regarding staff use of cell phones — especially now that almost all smartphones have cameras. The policies should answer such questions as: How and where can employees use their phones? One suggestion is to instruct staff members to keep their cell phones in the break room and out of patient treatment rooms.
For instance, a staffer might take a photograph of something in the office with a recognizable patient in the background and post it on social media. That could be a HIPAA breach, with financial and legal consequences for the practice.
For more information and further recommendations regarding protecting and securing PHI, visit https://www.healthit.gov, which offers many useful suggestions. It also provides physician best practices for mobile devices and EHR.
Contact Kathy Walsh at kwalsh@cohencpa.com for more information.