Understanding mobile app HIPAA compliance

According to a 2015 Statista study, approximately 81 percent of doctors use their smartphones for professional purposes.

And the results of another study revealed that 64 percent of doctors surveyed use text messaging to send and receive patient data among colleagues, such as patient diagnoses, test results, and medical advice.

There’s no question that mobile devices are incredibly useful to today’s healthcare organizations, especially when it comes to simplifying tasks and making processes more efficient.

However, the uptick in mobile device usage in the healthcare space is not without its risks. With thousands of devices like smartphones, tablets, and laptops now requiring access to a healthcare network, HIPAA compliance and security have become some of the biggest issues for today’s health IT professionals.

Unfortunately, if organizations do not meet requirements for mobile app HIPAA compliance, hefty HIPAA fines can follow, and, even worse, patient data can be stolen.

Factoring in Mobile to Keep Patient Health Data Safe

The federal government put HIPAA in place in 1996 to ensure we have rights over our private health information, regardless of whether it is in paper or digital format. However, many people’s understanding of HIPAA compliance is limited to the original HIPAA Privacy Rule, which primarily focuses on how healthcare organizations may use and disclose protected health information (PHI). The later HIPAA Security Rule is the part that matters most for mobile devices: it requires administrative, physical, and technical safeguards for electronic PHI (ePHI).

HIPAA’s main objective is to protect patient privacy. Its regulations require healthcare organizations and healthcare providers to adopt a specific set of standards to protect patients and keep data secure.

Unfortunately, a surprising number of providers who use mobile devices today do not insist on appropriate privacy protections for patient data. And even if an organization’s mobile devices are believed to be safe, there is significant potential for the devices’ users to breach HIPAA rules. Without proper controls, devices can be compromised, and the ePHI stored on them accessed by cybercriminals.

So, what can healthcare teams do to protect employees’ mobile devices and the personal patient information stored on them?

The U.S. Department of Health and Human Services (HHS), which enforces HIPAA, publishes basic steps that organizations can take to protect health information on a mobile device. Below, we include several highlights from that guidance. Even if your organization already uses a HIPAA-compliant service, these extra layers of security add real protection when dealing with healthcare information on any mobile device:

  • Confirm that every device’s storage encryption, antivirus protection and firewall are enabled, functioning correctly and up to date.
  • Protect every mobile device with a password, PIN or biometric unlock requirement.
  • Enable timeout features on your devices so that they lock the screen and log users out after a period of inactivity.
  • Disable file-sharing features so that PHI cannot be copied to uncontrolled locations.
  • Understand that ordinary SMS text messages are not HIPAA-compliant: they are sent and stored unencrypted by the carrier and leave copies on the handset. To text PHI safely, use a messaging service that encrypts messages in transit and at rest, and back it with a well-thought-out text message usage policy organization-wide.
  • Always investigate mobile apps before you install them. They should come from trusted sources. Check that your mobile patient portal, practice management tool, or customer relationship management (CRM) software’s mobile app is HIPAA-ready. You can find recommendations for mobile customer and patient tools at TechnologyAdvice.com.
  • Use two-factor authentication, such as a password plus a one-time code from an authenticator app or a hardware token. A security question is just a second password (something the user knows), so a password plus a security question is not a true second factor.
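The inactivity timeout item above is easy to get subtly wrong: an app that only checks the idle clock when the user taps "unlock" can be "woken up" by whoever picks up the phone. The following is an added example written for this article, not code from any product the article mentions; it is in Python for readability rather than in a mobile platform language, and the five-minute idle and eight-hour absolute limits are assumed values, not figures HIPAA prescribes. The session refuses to extend itself once it has expired, and a second, absolute lifetime forces re-authentication even for a user who never goes idle. The clock is injected so the behaviour can be exercised without waiting.

```python
"""Idle and absolute session timeouts for a mobile app session.

Added example (not from the original article). Durations are assumptions
chosen for illustration, not values mandated by HIPAA.
"""
import time
from typing import Callable

IDLE_TIMEOUT_SECONDS = 5 * 60        # assumed: lock after 5 minutes without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600  # assumed: re-authenticate at least every 8 hours


class Session:
    """A login session that expires on inactivity and on absolute age."""

    def __init__(self, user: str, clock: Callable[[], float] = time.monotonic):
        self.user = user
        self._clock = clock            # injectable so tests do not have to sleep
        now = clock()
        self.started_at = now
        self.last_activity = now
        self.revoked = False

    def is_valid(self) -> bool:
        """True only if the session is not revoked, not idle too long, and not too old."""
        if self.revoked:
            return False
        now = self._clock()
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            return False
        if now - self.started_at > ABSOLUTE_TIMEOUT_SECONDS:
            return False
        return True

    def touch(self) -> bool:
        """Record user activity.

        An expired session is revoked instead of refreshed, so an unlocked
        phone left on a desk cannot be brought back to life by a later tap.
        Returns True if the session is still usable after the call.
        """
        if not self.is_valid():
            self.revoked = True
            return False
        self.last_activity = self._clock()
        return True

    def revoke(self) -> None:
        """Explicit logout, remote wipe, or termination of the employee's access."""
        self.revoked = True


class FakeClock:
    """Test clock that only moves when advance() is called."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Walk one session through activity, an idle timeout, and a blocked revival."""
    clock = FakeClock()
    session = Session("dr_smith", clock=clock)
    results = []
    clock.advance(60)
    results.append(session.touch())                      # active inside the idle window
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results.append(session.touch())                      # idle too long: revoked, not refreshed
    results.append(session.is_valid())                   # stays invalid afterwards
    return results                                       # [True, False, False]


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `touch()` checks validity before extending the session; the naive version updates `last_activity` unconditionally and thereby turns every idle session into a live one the moment the phone is picked up.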

Additionally, when a team member’s employment with your healthcare organization ends, revoke their access promptly and follow the proper steps for erasing medical information (a verified device wipe, not merely deleting files) before reusing or disposing of any mobile device.

It is also recommended to use caution when it comes to employee Internet usage. For example, if staff members visit unencrypted (HTTP) websites or join untrusted public Wi-Fi networks, they run a significant risk of exposing sensitive data transmitted from their device. With this in mind, make it a priority to train employees to avoid insecure websites and Wi-Fi networks. You also can install antivirus protection and a VPN on every employee’s phone so that traffic over untrusted Wi-Fi is encrypted.

Finally, it’s important to realize that the web browser on an employee’s phone can itself be a source of vulnerabilities and, in some cases, browser-based attacks, especially on Android devices. Ensure that your team members run the most current version of whatever web browser they use, and keep the device’s operating system patched as well.

Protecting Patient Data is Your Organization’s Responsibility

Regardless of the kind of technology a healthcare organization uses to help provide care, it is obligated to protect PHI. If a tablet or mobile phone is used to access, transmit, receive or store ePHI, it must have specific security precautions in place to ensure the data cannot be improperly altered or destroyed (integrity) or read by unauthorized parties (confidentiality). Controls must also be in place so that access to PHI from any mobile device can be audited: who accessed which record, when, and what they did with it.
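The integrity and audit requirements just described go together: an audit trail is only useful if the trail itself cannot be quietly edited. The following is an added example written for this article (not code from any product it mentions), again in Python for readability. Each audit record carries an HMAC computed over its own contents and the previous record’s tag, so editing, reordering or deleting any record breaks verification from that point onward. The key is a constructed placeholder; in a real deployment it would come from a key management service and never be stored next to the log it protects.

```python
"""Tamper-evident, hash-chained audit trail for PHI access events.

Added example (not from the original article). AUDIT_KEY is a constructed
placeholder; the real key must live outside the device and the log.
"""
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-example-key-do-not-use"  # assumption: real key comes from a KMS


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC over the previous tag plus a canonical JSON encoding of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log whose entries are chained by HMAC."""

    GENESIS = "0" * 64  # tag assumed for the record before the first one

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.entries = []  # list of {"record": {...}, "tag": "<hex>"}

    def append(self, user: str, action: str, patient_id: str, timestamp: str) -> str:
        """Record one PHI access event and return its tag."""
        record = {"user": user, "action": action, "patient": patient_id, "ts": timestamp}
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        tag = _tag(self._key, prev, record)
        self.entries.append({"record": record, "tag": tag})
        return tag

    def head(self) -> str:
        """Latest tag. Report this out-of-band (e.g. to the server) so that
        truncating the tail of the log is also detectable; the chain alone
        cannot notice that its newest entries were removed."""
        return self.entries[-1]["tag"] if self.entries else self.GENESIS

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = _tag(self._key, prev, entry["record"])
            if not hmac.compare_digest(entry["tag"], expected):
                return False, i
            prev = entry["tag"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events for illustration; not real patient data."""
    log = AuditLog()
    log.append("dr_smith", "view", "P001", "2015-06-01T10:00:00Z")
    log.append("dr_smith", "view", "P002", "2015-06-01T10:05:00Z")
    log.append("nurse_j", "export", "P001", "2015-06-01T10:07:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                       # (True, None)
    log.entries[1]["record"]["patient"] = "P999"        # someone edits a record
    print("after edit:", log.verify())                   # (False, 1)
```

Two caveats a practitioner should keep in mind. First, the chain detects modification, reordering and deletion of earlier entries, but not removal of the most recent ones; that is why `head()` exists, so the latest tag can be reported to a server that remembers it. Second, verification uses `hmac.compare_digest` rather than `==` so that a forged tag cannot be guessed byte by byte through timing differences.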

As long as the appropriate security controls are put in place, the increasing use of mobile devices in the healthcare space has significant potential to improve productivity, boost efficiency, and contribute to enhanced patient outcomes.

The key is to ensure that any mobile devices you use in the process do not put patient privacy at risk or give cyber criminals easy access into your network.