Technology is typically ahead of the law, especially with mobile devices like handheld tablets and smartphones. With photographic and data transmission/storage capabilities, mobile devices present providers with new legal challenges, particularly maintaining HIPAA compliance.
We spoke with Stacy Cook of Barnes & Thornburg LLP to discuss how providers can maintain HIPAA compliance as the usage of mobile devices increases among staff and patients.
What are some HIPAA issues unique to mobile devices that providers should be concerned about?
Providers are faced with unique challenges with mobile devices. Providers must know that HIPAA applies to any mobile device that receives, transmits, or stores PHI.
Early adopters of smartphones, for instance, put little thought into HIPAA because of the perception of the devices as mere cell phones. People often forget that mobile devices are essentially handheld computers where one can easily access and transmit PHI.
For instance, mobile device users transmitting and receiving PHI via public Wi-Fi or email applications on mobile devices are using unsecured mobile networks, putting PHI at risk of interception. Most mobile devices can take and store photographs, which can be a compliance concern if the pictures violate patients' privacy. Also, with any mobile device that is relatively small in size, providers must be concerned about misplacement and/or theft resulting in the unintended loss of PHI.
Mobile devices also pose unique storage challenges for providers since individual users can dictate where information is stored that providers cannot monitor and control. Cloud storage is popular among mobile device users, and users storing PHI in clouds may be putting the cloud provider at risk if a HIPAA business associate agreement is not signed.
To minimize PHI storage liability, most providers now require cloud storage capabilities to be turned off on company-issued mobile devices. However, the major challenge is still managing employees' and business associates' personal mobile devices.
What legal challenges do apps pose? Are all apps HIPAA compliant?
People should not download an app and just assume it is HIPAA compliant; the majority of health-related apps are not. Before recommending an app to patients, providers should first conduct a risk assessment of the app to determine whether or not HIPAA even applies to it. For instance, HIPAA does not apply to apps that allow patients to track their fitness goals and prescriptions; however, HIPAA does apply to apps that deal with PHI and/or allow providers and patients to communicate with each other. Do not feel shy about asking an app developer to show their credentials or certifications. Providers should search for apps produced by large, reputable developers (e.g., Google) who likely factor in HIPAA regulations during the development phase. Providers can also just recommend apps that require app vendors to agree to a business associate agreement before use, to ensure that HIPAA compliance is maintained.
A constant challenge for clinicians is communicating about PHI. Clinicians who want to communicate with each other or transmit/receive PHI via mobile devices can rely on a number of HIPAA-compliant apps or programs. Some communication companies will provide a bundled email, text messaging, and fax services package which allows clinicians to choose from a variety of HIPAA-compliant mediums to safely discuss and/or share PHI. Also, most EHR systems provide HIPAA-compliant communication features for clinicians to use on mobile devices.
What are some risk management steps that providers can take to maintain HIPAA compliance regarding mobile devices?
Providers should develop policies and procedures outlining mobile device usage standards. Policies should state whether or not personal mobile device usage is allowed and, if so, the usage parameters should be clearly defined. Providers should also be clear as to which party is responsible for securing and encrypting the mobile devices. Once mobile device policies are in place, providers should perform periodic audits to ensure that compliance is upheld.
The best way to protect mobile devices from breaches is to have them password protected and to encrypt them in accordance with HIPAA's technical standards. Under the Security Rule, if a mobile device's encryption meets HIPAA standards and the device is lost or stolen, then there is no breach and the patient(s) do not have to be notified. Another way to protect mobile devices is to install a remote wiping/disabling program on them. A remote wiping/disabling program allows users to quickly clear and disable a lost or stolen mobile device, which can possibly prevent breaches or reduce their magnitude.
What should providers do once a mobile device breach occurs?
Under HIPAA, if the organization is a covered entity (CE) and a breach occurs, then each patient whose PHI was compromised needs to be notified.
Providers should already have written policies and procedures in place outlining how to investigate a breach and actionable steps to prevent future breaches. Providers must report breaches involving 500 patients or more to the Office for Civil Rights (OCR) at the same time as the patient notifications. For breaches affecting under 500 individuals, providers can submit an annual report to OCR, due in February of the succeeding year.
What are the risks of HIPAA non-compliance?
Under HIPAA, providers can face financial penalties for PHI breaches. The sanctions for enforcement cases range from $100 to $50,000 per violation with a cap of $1.5 million per calendar year; however, settlements in excess of this cap sometimes occur because the government determined that the violation occurred over a number of years.
A provider's reputation can also diminish because in addition to reporting to patients and the OCR, CEs are required to report to the media in some situations.