• Do Healthcare Employees Violate HIPAA by Using Mobile Devices?
  • August 11, 2016
  • Law Firm: Weltman Moskowitz LLP - New York Office
  • Mobile devices, such as cell phones and tablets, are a valuable tool for communicating and delivering information and services to consumers. The success of applications like Uber and Airbnb have made people re-think the way they use these devices, while the stable of health and fitness applications provided by companies like Fitbit provided people with fresh ways to measure their own health information.

    Together, these applications may foster new ideas about how to relay important, time-sensitive information to medical professionals and family members alike. The federal government's push toward electronic health records also makes the use of mobile devices more attractive. However, any healthcare provider that adopts the use of mobile devices for communication among staff, or with outsiders, must be mindful of the Health Insurance Portability and Accountability Act (HIPAA).

    The Security Rule
    The HIPAA of 19961 features the Security Rule, which requires "covered entities" to exercise certain precautions when handling an individual's Protected Health Information (PHI). Covered entities include doctors' offices, outpatient facilities, physical therapy providers, nursing homes, and hospice facilities. PHI has an equally broad definition, consisting of individually identifiable information created or received by a healthcare provider regarding the physical or mental health of any individual. This is information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.2

    The Security Rule addresses vulnerabilities in a covered entity's use of Electronic Protected Health Information (ePHI). The full text of the Security Rule, as well as other regulations related to HIPAA, are available in 45 CFR Part 160, 162 and 164. The threat to ePHI is real. Numerous high-profile data breaches have been experienced via mobile devices held and used by by federal agencies, celebrities, retailers and entertainment companies.

    In essence, the Security Rule requires covered entities to "apply reasonable safeguards" when communicating electronically with patients and others. It "requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security" of an individual's ePHI. Examples of these safeguards are as follows:
    • Administrative safeguards address "management, accountability and oversight" of the whole ePHI process and include risk assessments of company and personal devices that are used to handle ePHI, examination of encryption, authentication and physical protections. They can also include the establishment of protocols to prevent interference from unauthorized third parties, devising processes and procedures to ensure that ePHI is protected on mobile devices and training for those who would use the devices.
    • Physical safeguards include the use of lockers, secured places for mobile devices when they are not in use, and tracking measures such as radio frequency identification (RFID) and location software and the use of remote shutdown and wipe tools.
    • Technical safeguards focus on the actual, under-the-hood operations of the devices. They include encryption, firewalls, anti-malware software, secure backup capabilities and biometric authentication.
    These safeguards pose a significant hurdle in meeting compliance standards, but meeting the standards is not impossible. The care provider should be mindful of employees who wish to use their own devices rather than ones issued by the employer. These devices must also comply with the safeguards. With careful and thoughtful auditing of procedures, a care provider can become more efficient and secure through the use of ePHI and mobile devices.

    Compliance and Third Parties
    This efficiency, unfortunately, does not translate to efficiency in communication with patients or family members of patients.

    First, the very nature of the mobile device works against its use. The ePHI can be stored on a device in its onboard memory; a removable memory card; the SIM card, if the device is a cell phone or device otherwise enabled to communicate with cellular towers; or to cloud storage linked to and accessible by the device. While these individual storage places may be secure, the device's portability makes it a target for theft or easy loss. In fact, a study performed by the Center for Democracy and Technology, a non-profit organization that promotes democratic and constitutional liberties in the digital age, found theft accounted for 66% of reported data breaches between 2009 and 2011.

    Compliance with the Security Rule is an even greater challenge for covered entities that wish to foster the free flow of ePHI between their own organization to patients and their families. That lack of physical security, coupled with the difficulty of auditing devices for proper administrative and technical safeguards, renders the use of mobile devices to communicate to family members of patients less than practical. The covered entity cannot possibly know what security, if any, a patient or family member keeps on his or her phone or tablet, let alone how vulnerable the device is to theft or hacking.

    Working Toward Compliance
    The U.S. Department of Health and Human Services oversees the website HealthIT.gov, which contains tools to help healthcare providers comply with the Security Rule and other regulations. While fast, efficient sharing of ePHI to outsiders through mobile devices is out of the question now, healthcare providers can and should stay in compliance with the Security Rule today. Seeking the guidance of an attorney who has knowledge of HIPAA regulations and compliance requirements can also aid in this process.

    1 PL 104-191
    2 45 CFR 1171, Part C Subtitle F