The medical community has embraced the use of portable devices in health care settings—smartphones, tables, and laptops—both for personal and business uses. This convenience, however, comes with a major caveat—by using portable tech, staff may be violating the Health Insurance Portability and Accountability Act (HIPAA).
Healthcare compliance pro Jim Sheldon-Dean explores the use of portable devices in healthcare settings in his live webinar for Audio Educator, “Managing Mobile Devices in Healthcare: Secure Mobile Information Under HIPAA.” You can use new technology to communicate with and serve patients—you just have to know the risks and rules, Sheldon-Dean explains. That includes heeding regulatory requirements, security issues, and the National Institute of Standards and Technology guidance on electronic health record data.
The Perks—and Perils—to Going High-Tech
Mobile tech in health care is not just convenient, asserted Healthcare Global, it is revolutionizing care and transforming the patient-provider relationship.
Mobile tech in health care is not a First World issue, noted The Guardian—mobile tech is particularly useful in Third World settings, where inexpensive units can diagnose ailments, predict outcomes, and even track stock. For example, technology by Last Mile Health is hosted on common Android phones and can be used for patient interaction data, diagnosis, and access to reference materials.
But in the U.S., at least, using mobile devices may run afoul of HIPAA regulations, HIPAA Journal explained:
“Unfortunately, while mobile healthcare devices are convenient, they are not without their risks. With hundreds or thousands of mobile devices now requiring access to a healthcare network, it is no surprise that mobile data security and HIPAA compliance have become two of the biggest concerns for CIOs, CISOs, Compliance Officers and health IT professionals. Even if mobile devices are secured, there is considerable potential for the users of those devices to violate HIPAA rules or company policies.”
How big is the risk? HIPAA Journal found that more than 80 percent of physicians use their own smartphones for professional work. Healthcare data breaches involving mobile devices exposed more than 100 million healthcare records in an eight-month period in 2015 alone.
11 Best Practices for HIPAA Mobile Device Security
HIPAA and mobile tech may seemingly be at odds, but understanding privacy rules and establishing sound policies and procedures for the use of mobile tech in healthcare settings can help organizations identify how tech can be used, assess the risks, and safeguard patient information, explained Becker’s Hospital Review.
According to Becker’s, healthcare institutions using technological devices should:
- Use a device key, password, or user identification
- Install or enable encryption
- Install and activate remote wiping and/or remote disabling
- Disable and do not install or use file-sharing apps
- Keep software up to date
- Research mobile apps before downloading
- Use adequate security to send or receive health information over public wi-fi networks.
Security Metrics recommends several additional steps:
- Follow basic mobile security practices, such as never connecting to unsecured wi-fi and connecting to electronic health records via a virtual private network or two-factor authentication
- Enable lengthier passcodes—shoot for eight characters, not just four
- Always update software and applications
- Conduct frequent training
“A lot of the risk depends on how your mobile environment is set up and how your employees can access sensitive data,” Security Metrics explained. “Unless you have policies in place regarding mobile devices, your employees are likely accessing sensitive information in an insecure manner.”
While both sites recommend encryption, Health IT Security notes that encryption is actually not required under HIPAA.
“Encryption is an ‘addressable’ aspect,” the site noted, “meaning that organizations can determine if encryption is necessary for their operations and then what type of encryption to use.”
According to Sheldon-Dean, mobile technologies promise sweeping changes to the healthcare field, but using them requires safe, informed practices and solid training.
