Minnesota Physician February 2014

Page 21

For clinics that permit BYOD use, requiring providers to use a secure channel for transmitting ePHI is the next best option. For organizations that permit providers to use unsecured email services, providers should be trained not to transmit ePHI, and personnel should be barred from forwarding emails or documents containing ePHI to their personal accounts. Where patients ask that providers communicate via unsecured email (containing ePHI), it is wise to obtain consent that puts the patient on notice about the risks associated with this communication.

Texting ePHI creates even more risk. Ordinary SMS messages are not encrypted end to end: whatever encryption exists on the carrier's radio link stops at the carrier's equipment, so the message is readable on carrier servers, on the handset and in its backups, and on any other device the conversation syncs to. Unless a group uses third-party software that encrypts the text before it is sent (and decrypts it upon arrival), the data will be exposed in transit and on intermediate systems and subject to interception. For groups that do not encrypt texts, but have providers who insist on using texts to consult with colleagues, an alternative approach is to train providers to send a text that itself contains no ePHI, asking colleagues to check their secure email, where the ePHI can be transmitted with more confidence.

Storing data

A big downside of mobile devices is that their compact size makes them easy to lose. Furthermore, cutting-edge devices such as iPads and other tablets are attractive targets for thieves. There have been numerous enforcement actions where laptops and other devices containing ePHI have been stolen or lost. There are very simple steps that can be taken to secure ePHI on these devices that are nonetheless overlooked by providers. For example, prohibiting employees from storing ePHI on personal devices, such as mobile devices or USB drives, limits the risk that ePHI will fall into the wrong hands. Likewise, establishing minimum requirements for passwords (a minimum length and a combination of character types) and requiring that passwords be changed every 30 days or so will reduce the likelihood of improper access to ePHI. (Later guidance, notably NIST SP 800-63B, favors longer passwords and screening against known-breached passwords over fixed rotation periods; whichever rule a group adopts should be written into its risk analysis.) Most mobile devices include functionality that permits locking

the device, or even wiping its memory entirely, after several unsuccessful attempts to gain access. In addition, many mobile devices have built-in encryption for data at rest, or allow the installation of applications that encrypt data residing on the phone or tablet. Note that on most current handsets the at-rest encryption is keyed to the device passcode, so setting a passcode is what actually protects the stored data; a device without one is effectively unencrypted even if the feature is nominally present. While enterprise-sponsored devices make adherence to these steps easier for management, groups that permit BYOD can still require employees to have these functions enabled as a condition of using the device for on-the-job duties, and mobile device management (MDM) tooling can enforce and verify such settings rather than relying on the employee's word.

Third-party applications

Downloadable applications for mobile devices can help providers in a variety of ways, including facilitating patients' online access to their health records, monitoring patient adherence to treatment recommendations, creating new ways of managing a group's calendar and appointment schedules, and even assisting providers in diagnostic decision-making. Groups that wish to use these tools will need to vet their compliance with HIPAA requirements, including whether the application vendor meets the definition of "business associate" and, if so, whether it is willing to sign a business associate agreement (BAA) with the group. For example, providers have been sanctioned in the past for placing ePHI on electronic calendars maintained by third parties that refused to sign BAAs. Further, providers should be wary of vendors who tout their "HIPAA compliant" software. There is no official HIPAA certification for software: while applications can be designed in ways that aid groups in complying with the law, whether HIPAA requirements are satisfied depends on how the software is integrated into the practice and used by personnel at the organization.

What happens when it's time to upgrade?

Since mobile devices are relatively inexpensive, and are constantly being improved with new capabilities, it is not uncommon for groups to upgrade their devices every few years, or, in groups that permit BYOD, for providers to regularly upgrade their own devices. Upon such upgrades, the Security Rule requires that the replaced device, whether it is recycled, returned, sold, etc., has its memory wiped clean to scrub any ePHI that may remain on the device. In practice this means a full factory reset (which on an encrypted device also discards the encryption keys), not merely deleting files or uninstalling the application. Fortunately, many mobile devices can be configured to permit

remote wiping or set to trigger self-wiping after a number of incorrect authentication attempts. Remote wipe only takes effect if the lost device can still reach the network, so it complements, rather than replaces, the passcode and encryption controls described above.

Next steps

While there is no question that mobile devices offer great potential for improvements in efficiency and quality of care, mobile devices present additional Security Rule compliance risks to groups. One of the most important things a group can do to demonstrate its commitment to HIPAA compliance is to have a clear and robust risk analysis and a corresponding risk management policy that shows how the organization has taken steps to address the unique risks posed by mobile devices.

Timothy Johnson, JD, and Jesse Berg, JD, are attorneys at Gray Plant Mooty in Minneapolis. Timothy specializes in representing health care organizations and has significant experience in HIPAA privacy requirements. Jesse regularly counsels health care organizations on HIPAA and state privacy and confidentiality matters.



