Imagine you are the compliance officer for a mid-sized medical practice. Your practice has recently transitioned to a cloud-based electronic health record (EHR) platform, and the providers appreciate being able to reach it from laptops, tablets, and smartphones. You have been assigned to write the policy and procedures for mobile devices. Meanwhile, the news keeps reporting incidents in which stolen mobile devices led to health information breaches. What should you do?
Part 3 of our multi-part HIPAA article series takes a closer look at common questions organizations encounter regarding mobile devices:
- What should your mobile device policy cover?
- What procedures should be in place to ensure patient health information is adequately safeguarded?
- Should your organization issue mobile devices or allow providers to use their own mobile devices?
One of the most important considerations when implementing policies and procedures, such as a mobile device policy, is to determine what HIPAA actually requires. Most of us know what HIPAA is to some extent; however, many organizations do not know which policies HIPAA requires them to have in place. Under the Security Rule's documentation standard (45 CFR § 164.316), "a covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule." Additionally, "a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (ePHI)."
Transitioning to a cloud-based EHR and providing access to patient health information from mobile devices is exactly such a change. It requires your organization either to implement a new "reasonable and appropriate" policy and procedures or to update an existing policy already in place. Either way, the policy must be documented, and, most importantly, all employees must be trained on the new or updated policy and procedures. Keep the training records as well; in an OCR investigation, an undocumented policy or untrained workforce is treated much like no policy at all.
Mobile Device Security is Critical
Last week we provided an example of a non-treating provider whose unencrypted cell phone, containing patients' treatment information, was stolen from his car. Thefts such as this are common. According to a recent survey by Bitglass, "68 percent of healthcare security breaches were due to the theft of mobile devices or files; 48 percent of data lost was on a laptop, desktop computer, or mobile device; only 23 percent of the breaches resulted from hacking not connected directly to the loss or theft of the mobile device."
What does this data tell us? Securing your mobile devices is critical because the likelihood of theft or loss, and of unauthorized access to the device that follows, is high. Moreover, stolen medical information is extremely valuable on the black market; the same survey cites an estimated $20,000 payout for a single case of medical identity theft.
Your mobile device policy and procedures should require adequate security measures
In a recent presentation, Illiana L. Peters, the senior advisor for HIPAA Compliance and Enforcement at the HHS Office for Civil Rights (OCR), reinforced OCR's position on encryption. She said organizations are required to address encryption, especially on mobile devices, and that after a breach an organization would have a difficult time proving that an alternative measure equivalent to the NIST encryption standard was in place. Encryption is an "addressable" implementation specification under the Security Rule, but addressable does not mean optional: if you do not encrypt, you must document why it is not reasonable and appropriate and implement an equivalent alternative, and in practice there is no equivalent for a device that leaves the building.
Because of OCR's position on encryption, your policy should clearly state that any mobile device that accesses, stores, or uses protected health information (PHI), personally identifiable information (PII), or other confidential data must be encrypted. There is a concrete benefit beyond compliance: under the HHS breach notification guidance, ePHI encrypted in accordance with the applicable NIST standards (for example, NIST SP 800-111 for data at rest) is not considered "unsecured" PHI, so the loss of a properly encrypted device with its keys protected is generally not a reportable breach. Your procedures should therefore include a way to verify, not just assume, that encryption is turned on for each device (for example, a mobile device management console or a periodic check of the device's encryption settings), because the safe harbor only helps if you can show the device was encrypted at the time it was lost.
In addition to encryption, mobile device authentication should be a requirement in your mobile device policy and procedures. Devices must require user authentication such as a password, PIN, or fingerprint before anyone can use them; on most current smartphones and tablets the passcode is also what protects the storage encryption keys, so a device with encryption enabled but no passcode is effectively unencrypted to whoever picks it up. Your procedures should also require an automatic screen lock after a short idle period and the ability to remotely lock and wipe a device that is reported lost or stolen, with a reporting deadline so that the wipe can be issued promptly.
Your policy should also address how and when mobile devices may access, store, or use PHI or PII. For example, it should state that PHI or PII may be accessed only over a secured connection and not over a network that allows open access without user authentication. Public open-access Wi-Fi networks make it easy for an unauthorized user on the same network to intercept information that is not otherwise protected; the practical control is to require that the EHR application and any e-mail client use TLS, or that the device connect through your organization's VPN, so that the data is protected regardless of which network the provider happens to be on.
If you allow users to use their own devices implement a BYOD policy
The use of mobile devices, cell phones, smart phones, and tablets has become commonplace in our culture and workplace. Health care providers understand that employees often use their personal mobile devices (Personal Devices) at work. However, bringing Personal Devices into the workplace raises several security, privacy, and safety concerns.
Because of this, we have added a sample Bring Your Own Device (BYOD) Policy and User Agreement to our forms section.
The policy is designed to provide guidelines for the use of personal mobile devices in the workplace and to ensure the confidentiality of PHI. If your organization grants employees the privilege of using smart phones and tablets of their choosing at work for their convenience, your organization should reserve the right to revoke that privilege if users do not abide by your organization's policies and procedures, and to wipe organizational data from the device when the employee leaves or the device is lost.
The sample policy we have provided is intended to protect the security and integrity of your data and technology infrastructure. We highly recommend that any organization that allows users to bring their own mobile devices, cell phones, smart phones, or tablets implement a BYOD policy. Be sure your BYOD policy explains:
- Acceptable use of mobile devices, cell phones, smart phones, and tablets;
- approved devices and how they are supported;
- if your organization provides/does not provide reimbursement for personal devices;
- security requirements; and,
- potential risks, liabilities and disclaimers involved with using personal mobile devices.
Finally, your BYOD policy should require a signed user acknowledgement and agreement. The agreement should record the employee's name, the approved BYOD device, the services the device is allowed to use, and the software installed on the device, and the employee's signature confirms that they have read and agree to the BYOD policy. Keep these agreements on file; they are the evidence that a particular device was approved and that its user was told the rules.
With both mobile device usage and mobile device thefts on the rise, it is more important than ever for organizations to implement a mobile device policy and procedures. Requiring encryption and user authentication are two essential safeguards for information that a mobile device may access, store, or use. A "reasonable and appropriate" mobile device policy and its procedures are critical both for organizations that issue mobile devices and for organizations that allow users to bring their own; the difference is that an organization allowing personal devices should also require a BYOD policy. If you haven't already, we highly recommend that you conduct a thorough risk assessment before moving forward with mobile devices, and then review or develop your corresponding policies and procedures.
If you have any questions or concerns about HIPAA policies and procedures and mobile devices, a BYOD policy, or have any other questions, please feel free to comment below, send us an email at [email protected], or reach us toll-free at 855-427-0427.