Is Your Smart Phone HIPAA Compliant?

George IndestBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Identity theft is at an all-time high, and the health care industry is at exceptional risk. It’s no mystery that a patient’s health file contains all the pertinent information required to successfully steal a person’s identity, including the “Big 3”; specifically, name, date of birth, and Social Security number.

Worse yet, with ever-increasing technological trends, hackers are capable of banking a quick buck before most of their victims even become aware they are vulnerable.

Technology is a Positive Thing.

Technology offers us the world at our fingertips. Smart phones and tablets are conveniently mobile and, therefore, constantly available to us for information obtaining, information storing, information sharing and other communicative purposes.

Furthermore, technology has provided us with ways in which our lives can be made easier and more manageable through various downloadable applications (apps). These apps provide us with ways to track weather, news, and even our fitness progress, as well as coupons accessible by a simple bar code scan, meditation for the stressful life, and even automatic on/off commands for light switches and dishwashers. Apps also offer hours of enjoyment to satiate our craving for entertainment, even in the “company” of others, without ever having to leave our home.

It’s no wonder that more and more employers, especially hospitals (where everything moves at a fast pace), are jumping on board with the convenience and efficiency that technology can bring to the workplace. Furthermore, by implementing a bring your own device (BYOD) policy (since most employees already have access to their own technological devices) employers can save a ton on not having to purchase the tools on their own.

In a survey conducted by Aruba Networks, Inc., an HP company, in 2012, it was found that a whopping 85% of health care facilities were already allowing staff to utilize personal technological devices in the workplace. What was once considered to be unprofessional, is now determined necessary in carrying out normal job responsibilities. Due to the life-or-death nature of health care, hospitals are relying on electronic devices for:

(a) urgency in decision-making;

(b) constant availability;

(c) immediate response; and

(d) more accurate data; to name a few.

BYOD takes this a step farther in making information readily available to any health care professional at any time from their personal device, avoiding the necessity to access a workplace device which is not portable.

But What Happens When Technology is Used Negatively?

Technology sounds wonderful.

However, we have essentially stored our entire lives (and in the instance of health care professionals, now our patients’ entire lives) on a mobile device. Mobile, as in it goes with us everywhere, and therefore, it’s always at risk. Furthermore, with the heightened adoption of BYOD, systems are at risk of malware attacks resulting from downloads from personal devices that have not engaged appropriate security measures.

Regardless of how the attack occurs (lost, stolen, or of the viral nature), health care providers are responsible for protecting the privacy of their patients per the federal Health Insurance Portability and Accountability Act (HIPAA).

A Tweet May Result in HIPAA Violation for One Florida Hospital.

Following an alleged fireworks incident that resulted in the amputation of an index finger for New York Giants defensive end Jason Pierre-Paul, a tweet surfaced from Adam Schefter, an ESPN NFL reporter. Schefter tweeted a picture of the Giants’ medical record which he allegedly acquired from Miami-based Jackson Health System, reportedly without the consent of Pierre-Paul. To read more on this case, click here.

Tweeting; another by-product of technology and the insurgence of social media platforms. It’s enticing to share intimate details of our every day lives, especially when they affect others; namely, celebrities. And our smart phones offer instant access to photographing, uploading, and sharing of this “juicy” information.

But while Schefter is not in violation of any laws, the Florida hospital very well may be. Fines for HIPAA violations can range anywhere from $100-$50,000 per violation with the imposition of a $1.5 million dollar cap per calendar year.

Is a photograph worth your career?

What Can You Do to Protect Your Device?

Some HIPAA violations via technology are clearly avoidable (i.e., not divulging photographs of patient records for tweeting). Others are somewhat less manageable unless you know how to safeguard yourself against a technological breach.

While HIPAA does not require encryption and other safeguards on mobile devices, many employers do. It is important to know what your specific hospital’s policies are regarding HIPAA compliance on your smart phone and/or tablet.

Additionally, here are some tips to keep you and/or your employees protected under HIPAA violations when utilizing your own mobile device:

(1) Use a password or other user authentication (many devices now allow the use of fingerprint identification to unlock the device);

(2) Install and enable encryption on your smart phone;

(3) Install and activate remote wiping and remote disabling (this will protect you in the event your smart phone or tablet is lost or stolen);

(4) Disable and do not install or use file sharing applications;

(5) Install and enable a firewall on your device;

(6) Install and enable security software (this should protect against malware attacks);

(7) Keep your security software up to date;

(8) Research mobile applications (apps) before downloading (never just assume an app is HIPAA compliant- even health related apps);

(9) Maintain physical control over your device at all times (it goes without saying that your device is at the least risk when it’s in your own hands);

(10) Use adequate security, including those listed above, to send or receive health information over public Wi-Fi networks; and

(11) Delete all stored health information before discarding, selling, donating or trading the mobile device!

If all else fails and you find yourself in the middle of an investigation for possible HIPAA violations, consult with an experienced health attorney right away. There can be civil fines as well as criminal charges imposed on you, in addition to action taken by your employer.

For more information on risk assessment for HIPAA violations, read our previous blog post here.

Comments?
Do you use your own mobile device for your workplace? Do you know if it’s HIPAA compliant? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Bowman, Dan. “Potential HIPAA Violation Could Land Hospital in Hot Water.” FierceHealthIT. 9 July 2015. Web. 8 Sept. 2015.

Cook, Stacy. “How to Maintain HIPAA Compliance With Mobile Devices: A Law Review Q&A.” Advisory.com. The Advisory Board Company, 27 June 2014. Web. 8 Sept. 2015.

“Growing Tech Trends: The Rise of BYOD in Hospitals.” Information Technology Blog. Information Technology Group, 29 Apr. 2015. Web. 8 Sept. 2015.

“How Can You Protect and Secure Health Information When Using a Mobile Device?” HealthIT.gov. n.d. Web. 8 Sept. 2015.

Kolbasuk McGee, Marianne. “Prison Term in HIPAA Violation Case: Are More Such Prosecutions on the Horizon?” InfoRisk Today. 20 Feb. 2015. Web. 8 Sept. 2015.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: HIPAA complaints, HIPAA violations, HIPAA attorney, mobile device, technology in healthcare, technology in the workplace, HIPAA privacy complaint investigation lawyer, breach of patient confidentiality, breach of medical privacy, OCR HIPAA investigation, HIPAA complaint defense, technology in hospitals, health attorney, defense attorney, The Health Law Firm, health law firm, electronic devices, Social Security number, technological breach, breach of patient information, safeguarding patient information, HIPAA compliance, smart phones in hospitals

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.