According to a 2015 Statista study, approximately 81 percent of doctors use their smartphones for professional purposes.
And the results of another study revealed that 64 percent of doctors surveyed use text messaging to send and receive patient data among colleagues, such as patient diagnoses, test results, and medical advice.
There’s no question that mobile devices are incredibly useful to today’s healthcare organizations, especially when it comes to simplifying tasks and making processes more efficient.
However, the uptick in mobile device usage in the healthcare space is not without its risks. With thousands and thousands of devices like smartphones, tablets, and laptops now requiring access to a healthcare network, HIPAA compliance and security have become some of the biggest issues for today’s health IT professionals.
Unfortunately, if organizations do not meet HIPAA requirements for mobile devices, hefty HIPAA fines can follow, and, even worse, patient data can be stolen.
Factoring in Mobile to Keep Patient Health Data Safe
The federal government put HIPAA in place in 1996 to ensure we have rights over our private health information, regardless of whether it is in paper or digital format. However, many people’s understanding of HIPAA compliance is limited to the original HIPAA Privacy Rule, which primarily focuses on how healthcare organizations may use and disclose protected health information (PHI).
HIPAA’s main objective is to protect patient privacy. Its regulations require healthcare organizations and healthcare providers to adopt a specific set of standards to protect patients and keep data secure.
Unfortunately, a surprising number of providers today using mobile devices do not insist on appropriate privacy protections to secure patient data. And even if an organization’s mobile devices are believed to be safe, there is significant potential for devices’ users to breach HIPAA rules. Without proper controls, devices can be compromised, and ePHI stored on them accessed by cybercriminals.
So, what can healthcare teams do to protect employees’ mobile devices and the personal patient information stored on them?
HIPAA offers some basic steps that organizations can take to protect healthcare information when using a mobile device; several highlights are listed below. Even if your organization already uses a HIPAA-compliant service, adding these extra layers of security is worthwhile whenever healthcare information is handled on a mobile device:
Check all devices’ encryption technologies, antivirus protection and firewall to confirm they are functioning the right way and are up-to-date.
Protect all mobile devices with a password or authentication requirement.
Enable timeout features on your devices so that they log users out after a period of inactivity.
Disable file-sharing options.
Understand that text messages are not HIPAA-compliant. To make texting safe, you must make it compliant with privacy laws, including activating data encryption and developing a well-thought-out text message usage policy organization-wide.
Always investigate mobile apps before you install them. They should be from trusted sources. Check that your mobile patient portal, practice management tool, or customer relationship management (CRM) software’s mobile app is HIPAA-ready. You can find recommendations for mobile customer and patient tools at TechnologyAdvice.com.
Use a two-part login process, like both a password and a security question.
Additionally, if a team member’s employment with your healthcare organization terminates, follow the proper steps for erasing medical information before disposing of any mobile device.
It is also recommended to use caution when it comes to employee Internet usage. For example, if your staff members access insecure websites, they run a significant risk of exposing sensitive data transmitted from their device. With this in mind, make it a priority to train employees properly to avoid visiting insecure websites or Wi-Fi networks. You also can implement antivirus protection and a VPN on every employee’s phone to secure Wi-Fi communication.
Finally, it’s important to realize that the web browser itself on an employee’s phone could also be a source of vulnerabilities, and, in some cases, can lead to browser attacks, especially on Android devices. Ensure that your team members have the most current version of whatever web browser they use to avoid issues.
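The checklist above (encryption, passcode, inactivity timeout, file sharing, current antivirus, current browser, VPN for untrusted Wi-Fi) is the kind of thing an IT team verifies against an MDM inventory export rather than by hand. The following script is an added example and is not code from the article or from TechnologyAdvice; the thresholds (15-minute lock, 7-day definition age) and the "latest browser" table are assumptions chosen for illustration, not values HIPAA prescribes, and the device inventory is constructed inline.

```python
"""Evaluate a mobile-device inventory against the mobile safeguards listed above.

Added example; thresholds and sample data are assumptions, not HIPAA requirements.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed organizational values, not HIPAA-mandated numbers.
MAX_INACTIVITY_MINUTES = 15
MAX_AV_DEFINITION_AGE_DAYS = 7
# Constructed "current version" table; a real script would pull this from vendor feeds.
CURRENT_BROWSER = {"chrome": "120.0", "safari": "17.2"}
# Fixed report date so the example is deterministic (constructed).
REPORT_DATE = date(2024, 1, 15)


@dataclass
class Device:
    device_id: str
    owner: str
    storage_encrypted: bool
    passcode_set: bool
    inactivity_timeout_min: Optional[int]      # None = no auto-lock configured
    file_sharing_enabled: bool
    antivirus_definitions_date: Optional[date]  # None = no antivirus installed
    browser: str
    browser_version: str
    vpn_configured: bool


def _version_tuple(version: str):
    """Turn '17.2' into (17, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, today: date) -> List[str]:
    """Return findings for one device; an empty list means it meets the checklist."""
    findings = []
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if not device.passcode_set:
        findings.append("no passcode/authentication")
    if (device.inactivity_timeout_min is None
            or device.inactivity_timeout_min > MAX_INACTIVITY_MINUTES):
        findings.append(f"inactivity timeout missing or longer than {MAX_INACTIVITY_MINUTES} min")
    if device.file_sharing_enabled:
        findings.append("file sharing enabled")
    av_date = device.antivirus_definitions_date
    if av_date is None or (today - av_date).days > MAX_AV_DEFINITION_AGE_DAYS:
        findings.append("antivirus definitions missing or stale")
    latest = CURRENT_BROWSER.get(device.browser)
    if latest is None or _version_tuple(device.browser_version) < _version_tuple(latest):
        findings.append(f"browser {device.browser} {device.browser_version} is not current")
    if not device.vpn_configured:
        findings.append("no VPN profile for untrusted Wi-Fi")
    return findings


def compliance_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device id to its findings so non-compliant devices can be triaged."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed inventory: one compliant device, one with several gaps.
SAMPLE_DEVICES = [
    Device("tab-001", "nurse.a", True, True, 10, False, date(2024, 1, 13), "chrome", "120.0", True),
    Device("phn-042", "dr.b", False, True, None, True, date(2023, 12, 10), "safari", "16.1", False),
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(SAMPLE_DEVICES, REPORT_DATE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

The report is intentionally per-device rather than a single pass/fail, because the remediation differs: a stale browser is a patching task, while a missing passcode or disabled encryption is grounds to block the device from the network until fixed.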
Protecting Patient Data is Your Organization’s Responsibility
Regardless of the kind of technology a healthcare organization uses to help provide care, they are obligated to protect PHI. If a tablet or mobile phone is used to access, transmit, receive or store information, it must have specific security precautions in place to ensure the data cannot be altered or destroyed. Also, controls must be put in place to allow any mobile device to be audited.
As long as the appropriate security controls are put in place, the increasing use of mobile devices in the healthcare space has significant potential to improve productivity, boost efficiency and contribute to enhanced patient outcomes.
The key is to ensure that any mobile devices you use in the process do not put patient privacy at risk or give cybercriminals easy access into your network.
Lisa C. Dunn is a writer for TechnologyAdvice and a freelance writer, copywriter and ghostwriter who develops high-quality content for businesses and non-profit organizations. For over 20 years, she has worked with numerous PR and digital marketing agencies, and her work has been featured in well-known publications including Forbes, VentureBeat, Mashable, Huffington Post, Wired, B2C, USA Today, among others.
More and more health organizations are implementing publicly exposed web technologies containing Protected Health Information (PHI), which are subject to the laws of HIPAA. Common examples of such systems include Electronic Health Record (EHR), web portal, Patient Portal and mHealth solutions. When those systems become integrated, PHI must travel from one platform to the other, exposing the systems to considerable risks not just in transmission but also because the systems themselves are publicly exposed. In these situations, ensuring that HIPAA regulations are met has become crucial.
Here are three things about HIPAA that you probably didn’t know:
1. There is no such thing as HIPAA certified hosting
While HIPAA compliant hosting is just a part of achieving HIPAA compliance, it is one of the more challenging aspects of HIPAA compliance. Software-as-a-Service (SaaS) applications and cloud hosting solutions are becoming the norm in healthcare. Both have lower upfront costs for healthcare organizations and require less maintenance. While many hosting providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers, or any other type of organization.
The Health Insurance Portability and Accountability Act is a set of rules and best practices. HIPAA makes little reference to technical specifications required for hardware, software or security, and it definitely doesn’t have a certifying government body.
It is possible, however, to be HIPAA compliant or to seek certifications that encompass the laws of HIPAA or other laws with a scope similar to HIPAA’s. Examples of these include HITRUST and EHNAC or SOC 2 certifications. James Deck, CEO of Med Tech Solutions, a provider of HIPAA compliant cloud hosting services, explains that “EHNAC accreditation gives our customers the assurance that we are HIPAA compliant”. While these certifications or HIPAA audit services are a great practice for companies that specialize in hosting, they aren’t required for health organizations. James further explains that “Moving to the cloud doesn’t reduce your risk and the cloud alone isn’t necessarily HIPAA compliant. Hosting companies must provide a suite of services on top of their cloud hosting to achieve HIPAA compliance.” Companies can adhere to HIPAA regulations, put safeguards in place to ensure that policies are being met, and have the proper documentation to ensure compliance (e.g. a signed Business Associate Agreement).
2. Contact Us and Intake forms are permitted on websites
Website forms offer an easy and convenient way for patients to communicate with office staff – whether it is to schedule an appointment, complete an intake form, or to ask a general question. They are also one of the most vulnerable sections of any healthcare website because patient information is collected and inevitably transmitted online.
Despite the risks associated with contact and intake forms, they are allowed on medical websites as long as the necessary steps are taken to safeguard PHI (e.g. name, phone number and medical information), which is protected by HIPAA. What you need to do is make sure that your website properly deploys an SSL certificate. This encrypts information sent from the user’s browser to your web server. In addition to ensuring that the form is encrypted, you will want to make sure that the forms are transmitted, accessed and viewed by office staff in a secure way, like a HIPAA-compliant, encrypted email service. It is also recommended to provide a disclaimer and clear instructions for how the form should be used, essentially releasing the healthcare organization from liability for the transmission of PHI through the form.
If you’re unsure about the security of your online forms, the best advice is to consult a HIPAA expert. They can check your website for compliance and provide best practices for medical website security. In the meantime, you may choose to add a disclaimer to your website asking patients not to enter health information in any form. Instead, they can call your office with specific medical questions, or you can direct them to your patient portal.
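The point above, that an intake form is only protected if the page and the form’s submission endpoint both use HTTPS, can be checked mechanically across a site’s pages. The script below is an added example, not code from the article; it parses form markup with Python’s standard-library HTML parser and flags a form whose page or action URL is not HTTPS. It also adds one caveat the article does not mention: a form submitted with GET places its fields in the URL, where they land in browser history and web-server logs even when the connection is encrypted, so PHI forms should use POST. The sample page and hostnames are constructed.

```python
"""Audit contact/intake form markup for transport safeguards.

Added example; the sample HTML and hostnames are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect the attributes of every <form> start tag on a page."""

    def __init__(self):
        super().__init__()
        self.forms: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # attrs is a list of (name, value) pairs; value may be None.
            self.forms.append({k: (v or "") for k, v in attrs})


def audit_forms(page_url: str, html: str) -> List[dict]:
    """Return one result per form with the transport findings for it.

    Findings: page not served over HTTPS, action URL not HTTPS, method not POST.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlparse(page_url).scheme.lower()
    results = []
    for index, attrs in enumerate(collector.forms):
        # An empty or relative action resolves against the page URL, as browsers do.
        action = urljoin(page_url, attrs.get("action", ""))
        method = attrs.get("method", "get").lower() or "get"  # HTML default is GET
        findings = []
        if page_scheme != "https":
            findings.append("page not served over HTTPS")
        if urlparse(action).scheme.lower() != "https":
            findings.append(f"form submits to non-HTTPS endpoint {action}")
        if method != "post":
            findings.append("form uses GET; submitted fields appear in URLs and server logs")
        results.append({"form": index, "action": action, "method": method, "findings": findings})
    return results


# Constructed sample page: a correctly configured intake form and a legacy contact form.
SAMPLE_PAGE_URL = "https://clinic.example.test/contact"
SAMPLE_HTML = """
<html><body>
  <form action="/intake" method="post">
    <input name="patient_name"><input name="reason"><button>Send</button>
  </form>
  <form action="http://legacy.example.test/contact" method="get">
    <input name="message"><button>Send</button>
  </form>
</body></html>
"""

if __name__ == "__main__":
    for result in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"form {result['form']} -> {result['method'].upper()} {result['action']}: {status}")
```

Run against saved copies of each public page (or the rendered HTML from a crawl) before a site goes live; the check is cheap and catches the common regression where a template is copied from an older HTTP-only site.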
3. Emailing patients is okay, even if the email on their end is unencrypted
The first thing that you need to know about HIPAA and email communication with patients is that HIPAA provides very few specific guidelines about what is acceptable and what isn’t when it comes to electronic messaging. One important thing that we do know is that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Many providers think that using encrypted email is enough of a precaution; however, that is incorrect. Even though your hospital or practice encrypts its end of the email transport, there is no way to ensure that the communication is secure once it leaves your organization’s server. Still, this doesn’t mean that emailing patients is off the table.
Communicating with patients via email is perfectly acceptable as long as the patient requests to be contacted by email and is advised of the risks, ideally signing (or clicking) an opt-in agreement. Just make sure that you document the patient’s approval for your protection and are using a secure email system on your end.
Secure messaging, video conferencing and social media are all useful communication tools for physicians in light of the accelerating digitization of the healthcare industry. Social media outlets, in particular, are a seductive alternative to traditional communication channels, such as email and telephone, as they allow users to be connected at a moment’s notice.
Using services such as these can allow practices to strengthen the physician-patient relationship and can even lead to improved medication adherence and better treatment outcomes. In fact, according to a study conducted at an Australian university, people tend to value video feedback over written comments. For physicians, this means that sending patients home with video instructions for taking medications and following a care plan could have a higher payoff than traditional handouts.
Of course, the challenge is ensuring that the communication methods used meet HIPAA standards.
Social media data breaches, such as last year’s Snapchat leaks (although the photos and videos vanish after a chosen number of seconds, it turns out the company does store them), are rampant, and incidentally, such services tend not to be HIPAA compliant. Skype is also not HIPAA compliant and should not be used to communicate with patients.
For video conferencing and secure messaging, two companies that can be trusted with HIPAA compliance include Bridge Patient Portal and VSee, NASA’s official video-conferencing platform on the International Space Station. Both companies adhere to important HIPAA requirements including:
All audio/video communication is securely encrypted and transmitted from point-to-point such that even the company does not have access to any identifiable health information that may be communicated.
As required under the Business Associate Agreement, the company agrees to be responsible for keeping all patient information secure and to immediately report any breach of personal health information.
Protecting Your Medical Practice From Potential HIPAA Liability
The following seven recommendations can help you ensure HIPAA compliance:
Request audit, breach notification and other information from the software companies that you choose to work with.
Have patients sign HIPAA authorization and separate informed consent as part of intake procedures when using web-based platforms.
Develop specific procedures regarding use of video conferencing and messaging platforms (interrupted transmissions, backups, etc.).
Train workforce on the use of these platforms.
Exclude the use of these platforms for vulnerable populations (e.g., severely mentally ill, minors, those with protected conditions such as HIV).
Limit to certain clinical uses (e.g., only intake or follow-up).
Use secure platforms with audit trail, breach notification and other capabilities.
If you take away one thing today, remember to evaluate platforms by their approaches to encryption, the Business Associate Agreement, and audits and breaches.