What Type Services Are We Talking About?
Everyone knows that normal, unencrypted email is not secure and shouldn’t be used to transmit PHI. However, there are many other services that claim to be secure, but should not be used for PHI. Some examples (by far not a complete list):
• Cloud storage (Google Drive, OneDrive, DropBox, iCloud)
• Note taking (EverNote)
• Online backup programs (Carbonite)
• Communication (Skype, iMessage, WhatsApp)
“Secure” vs “HIPAA Secure”
One of the primary issues is the use of the word “secure.” Most services are labeled as secure. That means that the service encrypts the data as it is transmitted and that you have to login to it to access the information. It technically is secure – but only from the outside world. HIPAA requires that data be protected at a much higher level. There are essentially two ways that a service can be used in a HIPAA compliant manner:
1) Use a HIPAA compliant version of the product. This option is available for many services, but is rarely free. Examples include Office 365 and Google Apps – but not just the standard versions. You have to choose the versions that are specifically labeled as HIPAA compliant. An indicator you are on the right track is the service offering a Business Associate Agreement (BAA), which is a HIPAA requirement for entities that house PHI data that is technically viewable by their own employees. HIPAA compliant versions of services also have audit tools for comprehensive logging of access to data and other tools to assist in maintaining compliance.
2) For data storage services (like cloud storage), you can store PHI but only if it is encrypted with a HIPAA compliant encryption routine and only you, or others in your organization, can access the data. For example, you could store a file with PHI on your free cloud storage account as long as the file is encrypted with AES256 – a type of encryption that is considered strong enough to protect data sufficiently. If you do not have a BAA with the service, it is your responsibility to ensure the data is encrypted strongly enough that employees of such a service cannot view the data.
Real-World Examples
Let’s review some example situations where PHI is not adequately protected. Many of these are things people do every day without realizing that they are putting data at risk. Again, for “regular” businesses, this wouldn’t be a problem – but it is problematic in healthcare when dealing with PHI:
You save an unencrypted Word document containing PHI to your free Google Drive account
Not only is the storage of that PHI in an unencrypted form on the free (non-HIPAA compliant) version of the service a problem, but also the fact that it might auto synchronize to other devices, such as laptops, phones, and more. If those devices aren’t encrypted, they now contain unencrypted PHI and the data is at risk if a device is lost or stolen.
You take a picture of a hospital note with your iPhone which is set to auto upload your pictures to iCloud.
Most people don’t even think about this scenario. They set their phone to auto upload their pictures because most phones are used in the dual role of personal and business. You don’t want PHI to be sent since the storage service is not HIPAA compliant.
You record notes about a patient in EverNote.
In order to make your notes available everywhere, these popular note programs sync to a central server owned by the note company. As with other services, unless you subscribe to a specific HIPAA compliant version, PHI is not properly protected.
You use your online calendar to store PHI.
The convenience of a centralized calendar is inarguable and might seem like a great way to track upcoming surgeries with patient details. But, unless the calendar is part of a HIPAA complaint offering (such as Office 365), then it should not be used to store PHI.
You backed up all your medical data with the free version of a cloud backup program.
If the backup program isn’t HIPAA compliant, or if it does not allow you to specify an encryption key (usually accompanied by a large warning that if you lose the key, no one will be able to recover your data), then your data is not properly protected.
How Do You Gain Control of Your Data?
As you can probably see, there are a multitude of ways that your data can be outside of a HIPAA protected zone and you wouldn’t even realize it. So what is a non-technical person supposed to do to gain control of this both at a personal and organizational level? Enterprise operations have entire IT departments devoted to managing this type of thing, but small to mid-size offices are on their own to make sure everyone in the organization stays compliant – a sizable task given the proliferation of easy, accessible services and the Bring Your Own Device (BYOD) movement.
Educate Everyone Who Has Access to PHI
It is imperative that everyone who works with PHI understand the importance of keeping it protected. The main cause of data being at risk is simply because people don’t know the difference between the “secure” and “HIPAA secure.” Do not take anything for granted when developing education.
Ban Certain Apps and Services
Prohibit co-workers from using services that are not HIPAA compliant. If you aren’t sure co-workers will know when it is appropriate to use a non-HIPAA compliant service, then don’t take a chance – keep them from being able to accidentally put data at risk. For the ultimate protection, have an IT consultant help you lock down devices to prevent anyone being able to access non-compliant programs.
Secure and Encrypt Devices That Are Taken Offsite
Most devices, including laptops, tablets, and even phones, now have the ability for full-device encryption. These technologies make it virtually impossible for a stolen device to have its data accessed by anyone without a passcode or key. If the device offers a locator service and/or a remote wipe capability, make sure to enable it. Most are not enabled by default.
Provide a HIPAA Compliant Option
While not free, signing up for a HIPAA compliant version of a service gives co-workers an option they know is acceptable on which to store PHI. Having an “approved” option means they are less likely to go looking for a readily available “unapproved” solution.
Change How You Look at Technology
Up until the last few years, it was fairly easy to keep data inside a protected network. Smartphones, tablets, file sharing services, and social media have vastly decreased the complexity required to share information, but blurred the lines of what is secure enough to use to store or share PHI. Take control of your data now – look at the organization as a whole, including all employees and all services used. The healthcare industry doesn’t have the luxury of using every new piece of technology that becomes available without some close scrutiny. Ongoing compliance requires the diligent research of products and services prior to their introduction to your organization to ensure it meets the requirements of our industry – and the PHI your organization is responsible for stays protected.
Ryan McGinty is the President / CEO at OCERIS, Inc.
