HIPAA Compliance in the Smartphone Age

Widespread use of mobile devices is rapidly changing how industries do business and, therefore, what they must do to ensure compliance with the law. The health care industry is no exception. As the use of portable devices to practice medicine rapidly increases, health providers must ensure adherence to HIPAA guidelines.

HIPAA and the personal-device challenge

Smaller practices typically implement a bring-your-own-device (“BYOD”) policy that allows physicians to use their own devices, rather than practice-provided devices. Physicians use those devices for a myriad of purposes, from taking pictures of a patient’s condition to obtain a consultation, to communicating with patients about their medical care.

Regardless of the purpose for using portable devices, any device used to create, receive, maintain, or transmit patients’ protected health information (“PHI”) is subject to the Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments. HIPAA imposes certain requirements on practices to safeguard their patients’ PHI. Practices, physicians and staff, must understand the implications of these requirements for the use of portable devices with regard to PHI.

5 keys to HIPAA compliance

Below are five key areas you should consider when developing a BYOD policy for your practice.

1. Access

To the extent that physicians maintain PHI or mobile applications (“apps”) containing PHI on their portable devices, the practice must require safeguards to prevent unauthorized individuals from accessing such PHI.

• Device access: At a minimum, all providers who use portable devices to store or access PHI must password-protect the device with a password that an unauthorized user cannot easily ascertain.
• App sign-in: Providers should not set apps that contain PHI to automatic login. They should require an additional password or access key (e.g., fingerprint). They should not share the password with anyone, including family, friends, and co-workers.
• Idle-state protection: Providers should set the device and applications to automatically logout or lock if left idle for a period of time.
• Remote device control: The physician and/or practice should have the capability to remotely “wipe” the device if it is ever lost or stolen.

2. Use of Mobile Apps

Beyond access, mobile apps that maintain PHI present additional challenges. It is important to understand the security measures applicable to these apps. For instance:

• Is the information on the app encrypted?
• Where is the information stored?
• Does the app developer have access to this information?
• Does the app developer maintain any rights to this information?

Your practice needs to have answers to these questions before a physician decides whether to use an app. The physician should only use an app if s/he can ensure that the app will safely store the information and that only the physician owns and can access the data.

Best practice: Include in your BYOD policy a list of apps the practice has already adequately screened for physicians’ use.

3. Email

From a HIPAA-standpoint, communication through a secure patient portal is always preferable to communication by email. That said, some patients choose not to access the patient portal and wish to communicate via email. Physicians may also find it easier to consult with other physicians via email. In such instances, you must consider the security of the email communications.

Best practice: Provide physicians with a secure practice email account for purposes of exchanging PHI. Work with your IT staff or provider to encrypt this account to ensure the PHI is securely stored in the account and cannot be retrieved by unauthorized individuals. In addition, the email account should have the ability to send encrypted email messages to ensure that no one can intercept the PHI in transmission.

• If physicians wish to communicate with patients by email or patients specifically request email communications, the physicians should obtain written consent from the patient to have such communications.
• This consent should request the patient’s email address and explain the security concerns involved in the use of email, especially if the physician’s and/or the patient’s email account is not secure (i.e. encrypted). A secure (i.e. encrypted) email account is preferable; however, even a secure email account could be accessed by an unauthorized individual with the patient’s password.     
• In all instances of email communication, you should only use the email address on file for the patient. Send only the minimum amount of information necessary to fulfill the purposes of the communication.

4. Device Return/Disuse

If a physician returns, exchanges or sells the portable device used to access or transmit PHI, s/he should completely reset the device to factory settings before doing so, thereby eliminating any access to PHI.

• This should occur even if the physician plans to give the device to a family member, friend, or co-worker.  
• If the physician fails to reset the device, s/he and/or the practice should be able to remotely “wipe” the contents of the device.

Best practice: Any device the physician discards altogether should be destroyed in a manner that prevents any unauthorized user from accessing its hard drive contents. For this purpose, the Office for Civil Rights (“OCR”) recommends destruction methods including disintegration, pulverization, melting, incineration and shredding.

5. Text Messaging

Although not recommended, there may be cases when physicians choose to communicate PHI via text messages. In such instances, s/he should use a secure text-messaging app that encrypts the messages and requires an additional login key.

• S/he should keep in mind the precautions for apps in general and confirm that the text-messaging app does not grant the developer any access or right to the information transmitted by the app.
• Similar to email, send only the minimum amount of information necessary for the purposes of the communication.

Conclusion

The BYOD policy should be one of many aspects you include in your practice’s comprehensive HIPAA compliance plan. This compliance plan should be developed to ensure that the practice is adequately addressing the privacy and security risks or vulnerabilities applicable to PHI created, received, maintained or transmitted by the practice. 

Over time, the practice may become aware of additional vulnerabilities through patient complaints or internal risk assessments. The practice should periodically review and revise the HIPAA compliance plan, including the BYOD policy,  to address these newly discovered privacy or security vulnerabilities. The practice should also conduct periodic training for all physicians and staff to ensure that they are aware of HIPAA’s requirements and the practice policies, developed as part of the HIPAA compliance plan, to comply with these requirements.

By ensuring compliance through the development, maintenance, and periodic review and revision of a comprehensive HIPAA compliance plan, your practice can mitigate the risk of a HIPAA breach, patient complaint and/or a negative audit result. By doing so, practices will avoid OCR scrutiny, overly burdensome corrective action plans and fines that could extend into the millions.