Earlier this year, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") announced its plan for a new round of audits of compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As a refresher, on January 17, 2013, the U.S. Department of Health and Human Services ("HHS") issued the Omnibus Final Rule (the "Rule") implementing changes to the privacy and security provisions of HIPAA pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act. The Rule strengthened the protection of patients' protected health information ("PHI") under HIPAA. Under the Rule, healthcare providers are required to have appropriate administrative, physical, and technical safeguards in place to ensure that patients' PHI is protected.
In September of this year, OCR Senior Advisor Linda Sanches discussed the upcoming audits. Ms. Sanches did not provide a specific timeline for when the audits will begin, but she did discuss certain areas providers should evaluate in preparing for them. Two areas that OCR will likely focus on while conducting the audits are security risk assessments and breach notifications. With regard to breaches, Ms. Sanches indicated that OCR will look for a pattern of similar breaches, which could indicate that the provider is not responding to the breaches or does not have procedures in place to prevent them. With regard to risk assessments, Ms. Sanches indicated that one of the most important things a provider can do is conduct a periodic risk analysis; without one, she explained, a provider has no idea where it stands. It is crucial for providers to already have a current risk assessment in place rather than trying to develop one right before an audit.
In preparing for these audits, providers should also evaluate their current mobile device security policy, along with how closely it is actually being followed. As more practitioners use mobile devices to communicate PHI, providers need to ensure that their employees are aware of the mobile device security policy and are following it. Mobile devices provide a convenient means of communication for healthcare providers, and they allow physicians, nurses, and staff to work more efficiently. However, mobile devices also pose threats to healthcare providers that can have serious legal and financial consequences.
A provider may have an excellent mobile device security policy in place, but if the provider's employees are not following that policy, it is futile. While employees likely know that some policy governs their use of mobile devices, on a daily basis those same employees may not know what that policy actually requires or what they can and cannot do under it. Thus, in preparation for the upcoming audits, providers should train employees on how to use their mobile devices properly under the policy.
One of the main problems with the use of mobile devices in the healthcare environment is that, with ordinary messaging, there is no reliable way to validate either the identity of the sender of a message or that the message was received by the intended recipient (the recipient's mobile device could be in the wrong person's hands). Reports show that a significant portion of data breaches result from human error involving an employee's use of an unsecured mobile device. One common issue is that the employee's mobile device may be lost or stolen. Almost 60% of the reported breaches of PHI from 2009 through August 2014 were caused by the loss or theft of devices. In April 2014, two providers settled with OCR for almost $2,000,000 combined over this very problem: both cases involved stolen laptops that were not protected with appropriate encryption. Like laptops, smartphones and tablets may also contain PHI and can just as easily be lost or stolen. In resolving those violations, OCR stated that providers need to understand that mobile device security is the provider's responsibility, and that one of the best defenses is to have encryption in place.
HHS recommends the following tips for using mobile devices:
1. Enable encryption on your mobile device.
2. Always use a password to access your mobile device, and do not give that password to others.
3. Enable remote "wiping" or "disabling" of your device in the event it is lost or stolen.
4. Enable firewalls on your mobile device to prevent unauthorized access.
5. Research mobile applications before downloading them.
6. Always maintain physical control of your mobile device.
7. Delete any stored health information from your mobile device before discarding it.
While the use of technology in healthcare certainly has benefits for practitioners and patients alike, providers must also be mindful of protecting their patients' privacy rights. While preparing for the upcoming HIPAA audits, in addition to their other safeguards, providers should carefully evaluate their mobile device security policy and confirm that their employees are adequately trained on the policy and following it in their daily practice. As more practitioners use mobile devices in their daily practice, providers should remember that one lost cell phone can have expensive consequences.
Maggie Lester practices at Burr & Forman LLP in the Health Care Practice Group.