Can you imagine a medical professional who doesn't use a cell phone? Think back to pagers (you remember those, right?) and you know how vital instant communication is for a surgeon, an ER physician or a nurse. Add the healthcare personnel outside the immediate emergency zone, such as hospital administrators and lab technicians, and you begin to see the scale of the communication activity going on in the medical field.
More than six years ago, 84 percent of practicing physicians reported using a smartphone in their practice, according to the Spruce Blog. That number is almost certainly higher now.
None of that crucial communication, however urgent, removes the need for HIPAA compliance, and none of it excuses an instance of non-compliance. With increasingly seamless connectivity in today's healthcare environment, every portal into a healthcare computing system, whether entered through a pager, cell phone, smartphone, tablet or laptop, is a potential point of entry for risk into the larger healthcare network.
All of that mobile device activity can lead to compromises of Protected Health Information (PHI) and electronic PHI (ePHI) that healthcare systems cannot afford, both in financial losses and in a serious breach of trust with patients and stakeholders.
What Are the Primary HIPAA-Related Risks When Using a Cell Phone in the Healthcare Industry?
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces the HIPAA Privacy and Security Rules to protect the health information of patients and anyone else who would be affected by a data breach.
HHS recognizes that mobile devices are used outside an organization's managed network and are often not covered by the security measures applied to office systems and employee workstations. Unless an organization configures and enforces those controls on the phone itself (for example through a mobile device management tool), a cell phone or tablet may be carrying ePHI with no passcode, no device encryption turned on, no firewall and no malware protection.
Additional risks for using a mobile device connected to a healthcare system’s resources include:
- Physical loss or theft of the device
- Transmitting data via text or email over an unsecured Wi-Fi network
- Using an outdated operating system
- Inadequate or missing authentication
- Sharing a mobile device with others and inadvertently exposing confidential data
Security Metrics shared some additional reasons that using smartphones and other mobile devices for healthcare matters is risky business:
- Mobile devices are easily lost or stolen
- Many mobile users skip setting a passcode for cell phone access
- Users tend to neglect encrypting emails sent or received on mobile devices
- A lack of BYOD policies and procedures to make sure everyone understands how to remain HIPAA compliant while in remote locations
What Are the Basic HIPAA Rules Regarding Mobile Devices?
Anyone associated with a healthcare system who uses mobile technology to receive, transmit or store any amount or type of PHI must have certain security options in place and must remain HIPAA compliant.
HIPAA contains no provisions written specifically for cell phone usage, even within the HIPAA Security Rule. The Security Rule is technology-neutral: its administrative, physical and technical safeguards apply to any device that creates, receives, maintains or transmits ePHI, so healthcare organizations are expected to extend the same HIPAA framework they use for their in-house computing network to their users' mobile devices. In practice that means applying the core elements of HIPAA in a remote setting.
Whether users are on their mobile carrier network or an unsecured Wi-Fi connection, adhering to the rules laid out by HIPAA will help keep PHI safe under a variety of conditions.
5 Ways to Make Sure Your Staff Stays HIPAA Compliant While Communicating On the Go
Although there is no HIPAA rule written specifically for mobile devices, organizations such as the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) have published solid advice and guidelines for implementing mobile security measures; NIST SP 1800-1, Securing Electronic Health Records on Mobile Devices, is one example.
Take a few moments to learn about five ways to stay HIPAA compliant while giving your healthcare team the communications mobility they need:
1. Include Mobile Devices in Risk Assessments.
The HIPAA Security Rule requires an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)). When you conduct that assessment, or engage a trusted auditing firm to conduct it, make sure mobile devices, including personally owned devices used for work, are in scope alongside every other system that collects, stores, processes or transmits ePHI, and that the findings address the confidentiality, integrity and availability of that ePHI.
2. Enable and Enforce Passcode Protection.
Make sure that each mobile user understands that it is his or her responsibility to protect the device and its contents from prying eyes, and enforce that expectation technically where you can (passcode required, screen auto-lock, device encryption on, remote wipe available). If a device with no passcode or encryption is lost or stolen, any ePHI on it should be treated as compromised the moment it leaves the hands of the owner (for a BYOD device) or the assigned user (for a work-issued device). A device that is encrypted and protected by a strong passcode is a very different situation: under HHS guidance, properly encrypted PHI is not considered "unsecured" PHI, so its loss is far less likely to be a reportable breach.
3. Advise Mobile Users to Store Data Safely with the Right Apps.
HHS and OCR publish guidance for health app developers, including a health app developer portal, to help both developers and mobile users understand what HIPAA expects of an app. For instance, physicians storing patient contact information on their smartphones should only use apps that encrypt stored data and require authentication, and if the app vendor stores or transmits PHI on the organization's behalf, a Business Associate Agreement with that vendor is required.
4. Deter Staff from Using Unsecured Wi-Fi Networks.
It is always tempting to hop onto a free Wi-Fi network when out for coffee or lunch. However, those networks are risky for anyone to use, even for checking their own banking information, let alone for physicians checking their office email. Set up a remote access solution, such as a VPN, so that every connection between the mobile device and systems holding ePHI is authenticated and encrypted end to end, regardless of the network the device happens to be on.
5. Provide Extensive Policies, Procedures and Training.
Working with busy physicians and emergency room nurses may prove challenging when it comes to making sure they read an extensive policies and procedures manual, never mind getting them to attend mobile HIPAA training sessions, but doing so is essential to your HIPAA compliance.
Are You and Your Mobile Healthcare Staff HIPAA Compliant?
There are many additional ways to make sure you are keeping PHI secure and staying fully HIPAA compliant. Our HIPAA compliance team at I.S. Partners, LLC. has all the latest information on HIPAA requirements that you can apply to your mobile phone usage among your staff and anyone else associated with your healthcare organization.
We would love to talk to you about even more tips on tightening up your cell phone security, both for your own peace of mind and to comply with HIPAA. Launch a chat session, send us a message, or call us at (215) 675-1400 so we can discuss all the ways we can help you protect your business.