With the recent issuance of the long-awaited final rule by the Department of Health and Human Services ("HHS"), the protection of patient information has been a hot topic in the health care industry for the past few months. The recently published rule, which has a compliance date of September 23, 2013, significantly expands certain obligations for health care providers and their business associates under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
In light of the expanded rules, the move to electronic medical records, and the prevalent use of mobile devices, developing policies and procedures to secure patient information on your iPhone, iPad, BlackBerry, etc., has become increasingly important. The first step for any provider is deciding whether or not you will allow the use of mobile devices within your practice for accessing, receiving, transmitting, or storing patient health information. In making that determination, you should thoroughly review the risks (e.g., increased risk of theft of patient information) and benefits (e.g., convenience) associated with using mobile devices for such purposes.
However, with the transition to electronic medical records and a growing trend towards communication via e-mail, it may be difficult not to use mobile devices, at least to some extent, within your practice.
If your practice allows patient information to be stored, accessed, transmitted, etc. on a mobile device, policies and procedures addressing such use and the limits of such use should be established. In drafting such policies and procedures, consider the following:
Passwords. Requiring a password or other user authentication method to unlock mobile devices can prevent unauthorized users from accessing patient information stored on your mobile device. Passwords should be "strong" (at least 6 characters and a combination of letters and numbers), changed periodically (at least once every six (6) months), and kept confidential. In addition, set mobile devices to log out and lock after a certain number of minutes of inactivity (e.g., three (3) minutes).
Encryption. Encrypting data is not only important to prevent hacking and unauthorized access, but it can also prevent you from having to report a breach of unsecured protected health information to patients and the government. Encrypted data is considered "secure" and therefore does not fall under the definition of unsecured protected health information for which HIPAA breach notification (both to patients and to the government) is required. Since we are starting to see penalties imposed on providers as a result of reported HIPAA breaches, it is prudent to take any steps you can to minimize the occurrence of a reportable breach. Encryption becomes even more important when you are transmitting data over a public Wi-Fi network, which is easier for savvy individuals to intercept and hack.
Remote Wiping and/or Disabling. Remote wiping and disabling allow you to remotely erase any data stored on a mobile device or to remotely lock the device. This is an extremely valuable tool for preventing an inappropriate use and/or disclosure of patient information (or mitigating the harm from such use and/or disclosure) if a mobile device is lost or stolen.
Physically Secure Mobile Devices. Although common sense, locking the screen and physically securing mobile devices can go a long way in protecting patient information. When not physically with you, lock the device in a drawer or other secure place (rather than leaving it sitting out on a desk). Do not let others use mobile devices that contain patient information.
Delete, Delete, Delete. As required by the HIPAA Security Rule, you must delete all patient information from a mobile device before discarding it or giving it to someone else for re-use. Methods of deletion include completely clearing the device, purging the data, or physically destroying the device. IT professionals can assist with thoroughly wiping mobile devices clean before they are discarded.
Device Ownership. Consider who actually owns the mobile device, the individual provider or the practice. If the former, policies and procedures should be in place for terminating access to patient information from the device in the event the provider is no longer working with the practice and no longer has reason to access the information. If the latter, policies and procedures should be in place to ensure that the device is returned on the last day of employment and that the information stored on the device is not inappropriately copied by the terminated employee.
As technology evolves and HIPAA rules are more vigorously enforced, failing to implement policies and procedures to address mobile devices can result in your practice facing civil monetary penalties. Take time to consider the risks and benefits associated with using mobile devices within your practice and to tailor your HIPAA Compliance Plans to address the use of mobile devices. Additional information regarding securing patient information on mobile devices is available from the Office of the National Coordinator for Health Information Technology at http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
Kelli Fleming is a partner at Burr & Forman LLP who works exclusively within the firm's Health Care Practice Group.