Mobile Devices and HIPAA Compliance
Greg Garner
It’s important to make sure your mobile devices are HIPAA compliant. As technology becomes an integral part of the healthcare environment, healthcare professionals routinely communicate with colleagues by text message or other mobile channels. Many facilities and practitioners use tablets and other devices and software to transfer and record patient information, but doing so without proper controls poses a significant risk of falling outside HIPAA guidelines.
Guidelines for Establishing Effective Protocols
When assessing your current compliance protocols for mobile devices, specific questions must be answered to make sure all areas are covered. These questions should include:
- Who owns the devices
- Whether or not the devices are registered with the facility
- Whether or not any PHI recorded on a mobile device is uploaded and backed up to the organization's server
- Whether or not the devices can be wiped, both on premises and remotely
- Whether or not a VPN (Virtual Private Network) is used to exchange information
- Whether or not all policies and procedures address the use of mobile devices
- Whether or not there is a separate mobile device usage policy in place
- Whether or not the organization permits BYOD (bring your own device)
- Whether or not staff are properly trained on the mobile device policy
The answers to these questions should show which changes need to be made and whether additional protocols should be implemented. All mobile device use involving patient data or the healthcare facility should be subject to a regular, documented monitoring schedule.
Implementing Security Measures for Mobile Device Use
There are a number of security measures that will assist in securing PHI on mobile devices:
- Strong passwords or passcodes rotated on a set schedule (monthly, for example), or an alternative secure user-authentication method.
- An automatic screen lock that times out after a defined period of inactivity.
- Remote disabling.
- Remote wipe.
- Disabling of file-sharing applications and software.
- Firewalls.
- Security software.
- Encryption of data at rest on the device, using the platform's built-in, vetted encryption rather than a custom scheme.
- Organizational approval required before applications can be installed.
- Controls on Wi-Fi use, with encrypted connections (for example, an encrypted wireless network or a VPN over untrusted networks).
- Secure erasure of all PHI before a device is reassigned to someone else or disposed of.
All of these security measures must be enforced and included as a part of the training process for employees. Your organization should always have best practices in effect and fully documented to meet compliance with HIPAA rules.
How to Develop a Mobile Device Policy
Staying compliant takes a concerted effort from the entire management team. Policies must be developed, implemented and consistently reviewed. Here are a few steps:
- Make concrete decisions
Deciding how the devices will be used plays a major role in your strategy. Each use, whether for access, retrieval, storage or creation of PHI, should be carefully outlined along with the risks involved. Common issues that should be addressed include lost or stolen devices, downloads, use by unauthorized users and use over unsecured networks.
- Determine accessibility
Once you have identified the risks of using mobile devices, carefully assess whether to permit their use at all. Factor in which devices are company owned and whether employees will use their own devices, which poses greater risk to PHI. Carefully analyze what information will be accessible, retrievable, transmitted and stored on a mobile device, how the HIPAA rules will be applied, and what types of devices will be allowed on the system.
- Identify a viable strategy
The strategy you develop should include all security safeguards and solutions needed to maintain privacy, and it should be evaluated at every milestone.
Proper documentation must be in place for an effective implementation. This documentation should include the development of a management system, a BYOD system, all restrictions that should be in effect, any security settings, what can be stored on the device, protocols for misuse, a deactivation and recovery process, and training of all professionals.
Training is one of the most important components of any policy implementation. All employees should be fully aware of the risks of using a mobile device, the HIPAA guidelines for protecting PHI, how to fully secure their device and any health information on it, and procedures for avoiding mistakes. Training should be delivered as a distinct session so that every employee fully understands the policy, and employees should also receive the policies in writing. Every team member is obligated to help keep the organization in compliance.
Although mobile devices are very useful, they create many opportunities for breaches and attacks. The risk is especially high in the healthcare environment, so mitigating those risks is essential. Being proactive about HIPAA compliance will help protect your organization from the enforcement actions that can follow non-compliance. The safety of PHI is paramount, and high standards and effective protocols for the use of technology can make a significant difference.