If you had to guess how many Americans use a smartphone, what would your answer be? If it seems to you like they’re everywhere, you’re right! Here’s proof that we’ve officially embraced the mobile technology revolution — As of January 2017, about three-quarters of Americans owned a smartphone (that number is likely higher now.)1 We rely on them for everything – for calls to others, for entertainment, for information, the list goes on. We’re counting on them so much, in fact, that the average user spends almost 3 hours per day on a smartphone and 51% of us check our phones a few times per hour!2 While it seems smartphones are a new human appendage, it’s important to recognize when their use is appropriate and when it’s not, especially in the workplace. As a HIPAA covered entity, business associate, or business associate subcontractor, it’s even more important to gauge when or if PHI should be accessed or stored on personal devices at all.
Should smartphones be used to access PHI?
Last week, the Oklahoma Department of Veteran Affairs allegedly violated HIPAA Rules when the Department allowed medical aides to access electronic medical records using their smartphones. A scheduled internet outage (where was their contingency plan?) prevented employees from gaining access to veterans’ medical records, potentially causing significant disruption and preventing “hundreds” of veterans from receiving their medications. Now, three Democrat lawmakers, who have also called for two top Oklahoma VA officials were fired over the incident, have accused the center of a HIPAA violation. While the matter is still under investigation, lawmakers are fighting about whether HIPAA laws were violated.3 An investigation is currently underway.3 Were HIPAA rules broken in this case? We will see, but should smartphones ever be used to access PHI?
What HIPAA says about mobile devices
It’s possible to maintain the integrity of PHI using a mobile device, but if security measures are insufficient, covered entities are at risk of violating HIPAA regulations. Entities that use mobile devices in the workplace must implement data security to protect any patient health data that is accessed through the device, stored on it, or transmitted by it. Many times, mobile devices lack adequate security controls and encryption, allowing the exposure of PHI saved on them. They’re also easily lost or stolen due to their mobility. Cybercriminals view them as a natural entry point into healthcare networks. So what about network security? Devices like smartphones often use public Wi-Fi.
If your organization is going to allow mobile devices, there are a host of rules, policies, and procedures that must surround them to avoid a breach. HIPAA Rules require that you complete a Risk Assessment, documenting administrative processes; physical security controls, and technical procedures, which includes reviewing all systems and equipment capable of storing, transmitting or touching ePHI (including smartphones)! Your Risk Assessment document must be a living one.
Using your Smartphone’s Camera
Here’s another case where smartphone use and HIPAA collide. In September 2017, the University of Pittsburgh Medical Center was under investigation after several nurses and doctors lined up at the door of an operating room to take pictures and videos of an unconscious man with what was described as a “medical anomaly.” Medical workers used the camera on their smartphone to capture the medical wonder and then shared the files with others without consent from the patient. The Pennsylvania Department of Health reported that the material taken on personal cell phones “had no clinical justification,” and staffers “shared those videos and photographs to others uninvolved with the patient’s care.” Risk Assessments must be performed on an ongoing basis, and the hospital’s CEO issued a suspension to the attending physicians and a repeat of HIPAA training; A clear violation of HIPAA? Absolutely!5
HIPAA Rules surrounding patient photos
HIPAA does not require health care providers to obtain permission before taking pictures if they are to be used in the patient’s medical care or to put in their medical record. Providers can also use these pictures for training and teaching purposes, such as teaching medical students, as long as they don’t contain identifying information. Identifying information includes things like the patient’s name, the patient’s face or recognizable facial details, and tattoos or unique birthmarks. They can also use them in outside settings such as conferences, as long as they contain no identifying information. If the photos include identifying information, they can’t be used unless the patient gives written permission.
Using Mobile Devices Wisely
Like it or not, smartphones are part of our existence today. To avoid your own HIPAA violation, make sure you have robust data security measures in place to protect any PHI that could pass through smartphones. Regularly conduct a Risk Assessment. Ensure your employees are reminded of the rules surrounding mobile devices during your annual HIPAA training. Make sure your organization has a Bring Your Own Device policy in place that outlines policies, standards, and other rules for personal devices like smartphones, tablets, and laptops.
Health and Human Services’ Office for Civil Rights October 2017 newsletter offers terrific guidance on using mobile devices. You can find it here: Mobile Devices and Protected Health Information (PHI).
Total HIPAA can help you with all of your HIPAA documentation and training needs, including contingency planning, risk assessments, and your BYOD policy. Please let us know how we can help.