Communicating with patients via mobile devices, such as a Blackberry or iPhone, has become a fast-growing trend among health care providers. A recent survey of almost 3,800 physicians revealed that an estimated 83% of them own at least one mobile device, and one in four use both smartphones and tablet computers in their medical practice.
According to The Risk of Regulated Data on Mobile Devices & in the Cloud, an insightful study explaining and documenting the risks of mobile device use, many organizations don’t take the necessary steps to protect patient information on their mobile devices, as well as data stored in the cloud.
Most organizations don’t understand how much protected health information (PHI) and other regulated data is actually stored on their mobile devices. In fact, 54% of respondents have had an average of five data-breach incidents, which involved the loss or theft of a mobile device that contained PHI.
Due to their small size and portability, mobile devices are particularly vulnerable to loss and theft, and the most common form of security breach is the theft of mobile devices. Recently, a survey of 600 U.S. hospital executives, physician organizations, and health insurers found that theft accounted for 66% of the data breaches reported over the past two years.
Mobile devices give health care providers a convenient, more user-friendly way to communicate with patients and to access health records, and covered entities have quickly adopted them for exchanging electronic PHI (ePHI). That adoption should be a concern, because the HIPAA Security Rule holds covered entities “accountable for the actions of their workforce.”
Using mobile devices to access ePHI raises risks to health care providers, such as:
- Encryption: When data stored on a personal mobile device isn’t encrypted, anyone who gains access to the device, for example after it is lost or stolen, can view and share that data.
- Authentication: Many mobile device users don’t set a passcode or use biometric identification to protect what’s stored on their device. Without authentication, anyone holding the device can access the ePHI stored on it.
- Wi-Fi connection: Sending or receiving information over public or unsecured Wi-Fi or cellular networks can expose ePHI in transit, unless the connection itself is encrypted: the app or website must use HTTPS (TLS) with certificate validation for the transfer, or the device must connect through a VPN (Virtual Private Network), which encrypts all data the device sends and receives.
While the HIPAA Security Rule allows health care providers and covered entities to communicate electronically with patients, the law still requires them to “apply reasonable safeguards when doing so.”
Health care providers and their employees must understand that the Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
If you don’t know what data is stored on your employees’ tablets, laptops, and smartphones, protecting ePHI is significantly harder. A good first step is to inventory those devices and encrypt all of them.
Encryption is relatively easy and inexpensive to implement, and it earns a safe harbor under the HIPAA Breach Notification Rule: if a lost or stolen device held only ePHI encrypted in a manner consistent with HHS guidance, and the decryption key was not compromised along with the device, that ePHI is not “unsecured” and breach notification is not required. Under the Security Rule itself, encryption is an addressable implementation specification, so a covered entity that chooses not to encrypt must document why and what equivalent safeguard it uses instead.
Organizations must also perform a risk analysis to determine the likelihood and impact of each threat to ePHI, and which additional security measures need to be implemented to keep ePHI protected.
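As an added example (not code from the original article), the following Python script shows what the inventory and risk analysis described above can look like in practice. It scores each device in a constructed inventory against the three risk areas listed earlier (encryption at rest, device authentication, protected transit), treats a device whose ePHI status is unknown as if it holds ePHI, and applies the encryption safe-harbor logic to decide whether a lost device would require breach notification. The `Device` fields, the weights, and the sample inventory are assumptions for illustration, not a standard.

```python
"""Added example: mobile-device risk triage for ePHI (inventory and fields are constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    owner: str
    holds_ephi: Optional[bool]   # None = unknown; treated as "yes" (conservative)
    encrypted: bool              # storage encryption enabled
    passcode: bool               # passcode or biometric lock enforced
    protected_transit: bool      # MDM forces VPN, or the ePHI app uses TLS only


# Illustrative weights (an assumption); a real risk analysis sets its own.
WEIGHTS = {
    "unencrypted": 5,
    "no_passcode": 3,
    "unprotected_transit": 2,
    "ephi_unknown": 1,
}


def findings(d: Device) -> List[str]:
    """Return the risk findings for one device, in a fixed order."""
    out: List[str] = []
    if d.holds_ephi is None:
        out.append("ephi_unknown")           # we don't know what is on it: assume ePHI
    if d.holds_ephi is False:
        return out                           # nothing regulated stored: nothing to score
    if not d.encrypted:
        out.append("unencrypted")
    if not d.passcode:
        out.append("no_passcode")
    if not d.protected_transit:
        out.append("unprotected_transit")
    return out


def risk_score(d: Device) -> int:
    return sum(WEIGHTS[f] for f in findings(d))


def breach_notification_required(d: Device, key_compromised: bool = False) -> bool:
    """Lost/stolen-device decision. The safe harbor covers only ePHI that was
    encrypted and whose key was not compromised with the device; a passcode
    alone is not encryption. Unknown ePHI status is treated as 'holds ePHI'."""
    if d.holds_ephi is False:
        return False
    return (not d.encrypted) or key_compromised


def triage(inventory: List[Device]) -> List[Tuple[str, int, List[str]]]:
    """Highest-risk devices first; ties keep inventory order."""
    rows = [(d.device_id, risk_score(d), findings(d)) for d in inventory]
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample inventory (not real devices or people).
INVENTORY = [
    Device("ipad-01", "Dr. A", True, encrypted=True, passcode=True, protected_transit=True),
    Device("phone-02", "Dr. B", None, encrypted=False, passcode=False, protected_transit=False),
    Device("phone-03", "Nurse C", True, encrypted=True, passcode=False, protected_transit=False),
    Device("laptop-04", "Admin D", False, encrypted=False, passcode=False, protected_transit=False),
]

if __name__ == "__main__":
    for device_id, score, found in triage(INVENTORY):
        print(f"{device_id:10} score={score:2} findings={found}")
    lost = INVENTORY[1]
    print("lost", lost.device_id, "notify:", breach_notification_required(lost))
```

Running the script lists phone-02 first (unknown contents, no encryption, no passcode, no transit protection), and reports that losing it would require notification, whereas losing the encrypted ipad-01 would not unless its key was also compromised.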
Your healthcare practice must have a technology company that meets HIPAA compliance standards. Ensure you have a technology partner who can take care of all your HIPAA consulting needs. We are here to help you.