Minnesota Physician February 2014

SPECIAL FOCUS: Data Security and Privacy

Mobile devices in health care delivery

A great tool, but at what price?

By Timothy Johnson, JD, and Jesse Berg, JD

The use of mobile devices such as smartphones and tablets by health care providers is here to stay. Their compact size, expansive storage capacity, multiple options for rapid communication, and the increasing availability of powerful clinical tools downloadable as applications make these devices a valuable aid for providers in delivering care. However, the use of mobile devices creates unique risks and raises the stakes for HIPAA compliance.

The trade-off

For each of the benefits mobile devices offer for care delivery, there are corresponding risks that providers must evaluate. For example, while text messaging and the high-quality cameras available on smartphones give physicians a great option for obtaining instant consults with colleagues in other locations, a patient photograph sent to the wrong recipient creates a real risk of a breach of the patient’s protected health information (PHI) under HIPAA.

For a group that elects to use mobile devices in care delivery, the most important question to answer is whether providers and other personnel will be required to use employer-provided or “enterprise-sponsored” devices or whether the employer will allow a “bring your own device” (BYOD) approach. When employers control the type of mobile device used, along with the software and applications loaded on the device, the benefits of enterprise-sponsored devices are obvious. The centralization and control afforded by this approach mean that management can ensure adherence to requirements such as passwords, routine backups, limits on whether data can be stored on the device and, if so, for how long, data destruction, and encryption of data at rest and in transit. Physician groups that allow a BYOD approach cannot achieve this level of centralized control and must therefore take alternative measures to ensure the group’s compliance with the HIPAA security requirements.

Mobile devices under the HIPAA Security Rule

As part of their obligation to comply with HIPAA, groups—as well as their “business associates”—will need to ensure that the groups’ use of mobile devices complies with the requirements of the HIPAA Security Rule. Although the Security Rule has been on the books since 2005, the HHS Office for Civil Rights (OCR) has recently placed increased emphasis on enforcement.

Under the Security Rule, covered entities and business associates must meet a number of safeguards intended to protect the integrity, confidentiality, and availability of electronic PHI (ePHI). For instance, before allowing their providers to use mobile devices, groups must first conduct a risk analysis that assesses what kinds of risks and vulnerabilities to ePHI the devices pose, and then adopt measures to reduce those risks to a reasonable and appropriate level. The Rule is intended to be “scalable,” meaning that groups have some flexibility to select safeguards appropriate to the group based on factors such as cost, the size of the organization, and its technical capabilities. In practice, the safeguards adopted by a large group with multiple locations and hundreds of employed providers are likely to be more extensive than those implemented by smaller rural groups. The Security Rule has dozens of principles that providers must address. The remainder of this article discusses how mobile devices fit within several of the Security Rule’s key principles.

Electronic communications

The risks associated with emailing or texting ePHI are obvious. Most of us, at one time or another, have sent an email to the wrong person, perhaps as a result of the “auto-fill” or “reply all” functions. The safest approach for electronic transmission is a virtual private network, sponsored and managed by the group, coupled with enterprise-sponsored devices. Locking down both points of access and encrypting the channels through which information flows makes it much less likely that ePHI will be accessed improperly. Another advantage of encryption (assuming it is done at the levels of security specified by OCR) is that the ePHI then becomes “not unsecured,” which means that if an email is sent to the wrong recipient, the provider does not have to treat the error as a “breach” potentially requiring notification to patients, regulators, and the media.

