ARTICLE
1 July 2016

Privacy Protections: Making Mobile Devices More Secure

O
ORBA

Contributor

ORBA logo
ORBA is a full-service accounting, tax and business consulting firm in downtown Chicago serving the needs of privately-held companies, individuals and not-for-profit organizations. ORBA’s Certified Public Accountants have experience with accounting and assurance, business advisory services, financial and estate planning, fraud investigation, tax, litigation, and mergers and acquisitions.
The usage of cell phones, tablets and laptops have increased across the board. Along with this usage, the amount of identity theft has increased, also.
United States Privacy

The usage of cell phones, tablets and laptops have increased across the board. Along with this usage, the amount of identity theft has increased, also. This raises a number of security and privacy concerns.

Following the Rules

Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), known as the Administrative Simplification (AS) provisions, created national standards for electronic health care transactions. Title II covers a lot of ground, but two aspects are particularly relevant to mobile security:

  1. The Privacy Rule
    This concerns the use and disclosure of Protected Health Information (PHI) held by "covered entities." According to the rule, covered entities include insurers, medical service providers and various health care clearinghouses and employer-sponsored health plans, as well as their business associates.
  2. The Security Rule
    Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI. It describes three types of security safeguards: administrative, physical and technical.

Understanding HIPAA and Mobile Devices

Mobile devices usually transmit and receive PHI via public Wi-Fi and e-mail applications or through unsecure mobile networks, which place PHI at risk of interception. In addition, most mobile devices now can take and store photographs; however, photos may violate patient privacy, thus raising compliance concerns. Phones in particular, and tablets often, do not store data; instead, they use some sort of cloud storage.

The primary concern is how a doctor accesses patient information. If a physician uses a smartphone, tablet or laptop to access an Electronic Health Record (EHR), he or she generally is in compliance with HIPAA security and network security. However, if the physician saves EHR data or photos to a computer, tablet or phone, and those devices are stolen or lost, he or she might be liable for the HIPAA breach. Liability can be costly.

Data pulled via browsers is generally encrypted, especially through an EHR portal. However, physician-to-patient e-mails outside the portal can be a problem, because the Internet service provider might not be secure — thus, the e-mail communication might fail to meet HIPAA standards.

Taking Basic Security Precautions

The three standards of the HIPAA Security Rules are: confidentiality, integrity and access. Access typically refers to passwords. Physicians need to fully evaluate which staff members require access and provide training in security protocols.

Part of physical and technological security involves encrypting patient data. It also involves setting up monitor protection to prevent people who should not have PHI access from reading information off a computer screen — for example, over the shoulder of someone with access. Files should not be left open when not in use or while the computer is unattended.

For most practices, it is a good idea to document each device's purpose and limit access to it. The next step is to determine how each device should be programmed to make it compliant. Doing so may require hiring a HIPAA compliance expert in addition to an IT expert.

Physician offices also need to develop policies regarding staff use of cell phones, especially now that almost all smartphones have cameras. The policies should answer such questions as, "How and where can employees use their phones?" One suggestion: Instruct staff members to keep their cell phones in the break room and out of patient treatment rooms.

For instance, a staffer might take a photograph of something in the office with a recognizable patient in the background and post it on social media. That could be a HIPAA breach, with financial and legal consequences for the practice. Basic office rules and regulations will assist in transitioning to the HIPAA compliance standards. Individuals need to be conscious to the consequences and be held accountable for their actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More