Can mobile devices be used to transmit health information under HIPAA?
Mobile devices such as smartphones, tablets, and other portable devices have transformed the way people work and send information. Healthcare providers and HIPAA-covered entities are no exception and mobile devices can be found in almost every health facility. Sharing information via mobile data may carry extra risk if the security protecting the data is not strong enough to meet HIPAA requirements. If covered entities violate the HIPAA rules, they could face significant financial penalties.
Healthcare and Mobile Devices
Mobile devices offer a range of benefits for a relatively affordable price and, as such, are attractive to many organizations in the healthcare industry. In some cases, healthcare employees are even being encouraged to bring and use their personal devices at work as part of Bring Your Own Device (BYOD) programs. Certain entities have chosen to offer mobile devices to their staff for professional use as a way to better protect and control the information they deal with.
If a covered entity opts to introduce mobile device use to facilitate their services, HIPAA regulations require that steps be taken to secure any sensitive information saved, sent, or accessed by the device.
Mobile Devices could lead to an explosion of HIPAA violations
The convenience that mobile devices offer is only equaled by the increased risk they create. Healthcare networks must now cater for a much greater number of devices accessing information and this has raised concerns among CIOs, CISOs, Compliance Officers, and IT professionals over the protective measures in place to safeguard mobile data and to ensure HIPAA compliance.
While data and devices may be protected, users may still inadvertently or purposefully violate internal policies or HIPAA regulations. If sufficient checks are not in place, electronic Protected Health Information (ePHI) available on the device could be accessed or disclosed. These devices also represent a significant target for cybercriminals, who may use them as a gateway to healthcare networks.
Currently, mobile devices used in the healthcare industry are not adequately protected and are often connected to open or public Wi-Fi hotspots. They create a considerable risk of loss or theft of information. Mobile data protections must be meticulously examined and any issues found should be dealt with to avoid HIPAA violations and their associated penalties.
Basic HIPAA Compliance for Mobile Devices
HIPAA rules largely exist to safeguard patient privacy. In order to do so, covered entities must accept and introduce some basic controls to protect data and patients.
Comprehensive protection for mobile data is mandatory, as is HIPAA compliance: inability to conform to HIPAA standards or violations of HIPAA rules can lead to hefty fines. Financial penalties of up to $1.5 million can be imposed by the Department of Health and Human Services’ Office for Civil Rights per violation category and per year that the violation has been left to exist. State Attorneys General and some federal agencies can also issue fines. A data breach can itself cost a huge amount of money as it can require significant resources to respond to the crisis.
Risk Assessments and the HIPAA Security Rule
The HIPAA Security Rule requires that a risk assessment study be conducted to determine how mobile data security could affect the risk to patient data. A strong protective framework can be established through the use of normal security controls such as firewalls, anti-virus protection, anti-malware programs, authentication and passwords etc. Nevertheless, a comprehensive risk assessment is crucial to determine what potential weaknesses may still exist in the system.
It is critically important to examine certain aspects of the entity’s security framework, including IT infrastructure, company policies, administrative processes, physical security controls, and all systems and equipment capable of saving, sharing, or accessing ePHI. A risk assessment tool has been made available by the Department of Health and Human Services to help conduct the assessment.
Novel threats are continually emerging and healthcare organizations must enact defenses to protect the data they oversee. As new exploits are developed, these organizations must stay ahead of the threats by updating software and equipment. For this reason, periodic risk assessments should be scheduled.
Technical Safeguards for Mobile Devices and the HIPAA Security Rule
The HIPAA Security Guidelines Series published by the Department of Health and Human Services states that covered entities “must consider the use of encryption for transmitting ePHI, particularly over the Internet”.
They are also obligated to “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network”.
While data at rest is not specifically required to be encrypted, the Security Guidelines offer advice on data in motion: “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities”.
The Guidelines further state that “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption”.
Sending ePHI via SMS or other open networks is a violation of HIPAA regulations and should not be permitted. There is a risk of such data being intercepted on the SMS network, which is not well protected. The risk of a data breach occurring can be reduced by ensuring ePHI is only shared via secure channels incorporating end-to-end encryption.
Mobile Device Audit Controls, Data Access, and Data Integrity
Covered entities are obliged “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information” under HIPAA. Access controls and systems to verify the identity of the user must be in place on any mobile device that can access, share, or save ePHI. The risk of unauthorized access can be further reduced by introducing multi-layered protective controls.
Systems must also be established to permit audits to be carried out on mobile devices to ensure that the information saved or shared on the device has not been deleted or changed. Access logs must also be kept that include data on attempts to access ePHI. There must be a record of any action that could have an impact on data security.
Once suitable protections are implemented, mobile devices can be used by covered entities to vastly increase efficiency, productivity and patient outcomes, while also lowering expenditures. The most important aspects are to ensure patient’s privacy is not compromised and that the devices do not allow criminals to gain access to healthcare networks.