You’re getting a breather on HIPAA audits — until January.
Laptops, notebooks, handhelds, smartphones, thumb drives, and more — in home care, you’re probably dealing with electronic protected health information (ePHI) on portable electronic devices more than any other health care setting, and that means you should be on your guard.
Portable devices are among the most frequently compromised sources of private patient information. And with HIPAA audits gearing up to start any day, you can’t afford to fall short on your compliance.
Watch out: The permanent HIPAA audit program is scheduled to begin in federal fiscal year 2014, which technically began on Oct. 1, 2013. Fortunately, however, sources who attended the recent HIMSS Privacy and Security Forum in Boston say HHS Office for Civil Rights director Leon Rodriguez indicated during the forum that the audits would more likely begin after Jan. 1. This gives you a little more time to ensure that your portable devices are locked up securely.
Secure Your Computers

Background: Why should you focus on electronic devices like computers and cell phones? A quick scan of the list of HIPAA breaches that impacted 500 or more individuals on the OCR’s website indicates that computer theft is a leading cause of breaches. Among the breaches that occurred between July and August this year, five of the six listed on the site involved the theft of a computer (and the other involved an e-mail breach). You can read the complete list of breaches at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
Use of mobile devices has often outpaced implementation of appropriate HIPAA security measures. "Given the rapid adoption of mobile devices against the backdrop of the breach incidents reported, there’s been a growing concern about the use of these devices in the health field because of their vulnerability," Joy Pritts, Chief Privacy Officer for the HHS Office of the National Coordinator for Health Information Technology (ONC), said in a statement last year.
Because these devices are small and easy to grab and stow, the chances of them being stolen are very high — and theft is perhaps the biggest risk for compromised HIPAA privacy and security.
Bottom line: If you’re allowing staff to use mobile devices to access, manipulate and store ePHI, you must have the following:
1. Physical Safeguards
2. Technical Safeguards
3. Administrative Safeguards
Heed These Physical Safeguards

Your staffers aren’t just at risk of having information stolen from your company-owned devices. Many home care employees access PHI from their own personal laptops and cell phones, which don’t have the benefit of the HIPAA safeguards you apply to company-owned devices.
Because of this, your staff policies regarding these electronic devices, and how your staff will secure the devices when not in use, are of the utmost importance. This is especially true when you’re allowing staff to access health systems from their mobile devices.
You should keep an inventory of personal mobile devices that healthcare professionals use to access and transmit ePHI, ensure that mobile devices are stored securely when not in use, and have a way to locate stolen devices (for example, by requiring that Find My iPhone be turned on under an iPhone’s location services). In addition, you should have the ability to remotely lock or wipe any stolen device so that thieves can’t access PHI. Keep in mind that a remote lock or wipe only takes effect once the device comes back online, so it is a backstop, not a substitute for encrypting the data stored on the device.
Technical Safeguards: Start With 2-Factor Authentication

Most of all, you want to protect the data — the ePHI — stored on these electronic devices. Encrypt the data at rest: under the HHS breach notification guidance, ePHI that is encrypted as the guidance specifies is not "unsecured" PHI, so losing a properly encrypted device does not by itself trigger a reportable breach. Then turn to access controls and authentication. A simple password login is no longer enough, and many privacy experts instead prefer two-factor authentication. Note that a password plus a PIN is not two factors; both are something the user knows. A true second factor is something the user has (a one-time code from an authenticator app, a hardware token, or a device certificate) or something the user is (a fingerprint), combined with the password.
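To make the distinction concrete, here is an added example of a two-factor login check, written for this article and not taken from any product or vendor the article mentions. It combines a salted password hash (something the user knows) with a time-based one-time code per RFC 6238 (something the user has, generated by an authenticator app). The user name, password, salt and TOTP secret are constructed for illustration; the TOTP secret is the RFC 6238 test secret so the codes match the published test vectors.

```python
"""Two-factor login: password (something you know) + TOTP code (something you have).

Added example. The user record below is constructed for illustration; in a real
deployment the salt, password hash and TOTP secret live in a credential store.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 6

# Constructed sample record. The TOTP secret is the RFC 6238 test secret
# ("12345678901234567890"), chosen so the codes match the RFC's test vectors.
_SALT = b"constructed-salt-value"
_USERS = {
    "nurse.alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(user: str, password: str) -> bool:
    """First factor: salted PBKDF2 hash compared in constant time."""
    rec = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ROUNDS)
    if rec is None:
        # The hash above was still computed, so an unknown user costs the same
        # time as a wrong password and does not reveal which accounts exist.
        return False
    return hmac.compare_digest(candidate, rec["pw_hash"])


def check_totp(user: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Second factor: accept the current step and +/- `window` steps for clock drift."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so a failed login does
    not reveal which factor was wrong."""
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Demo against the RFC 6238 vector: at Unix time 59 the 6-digit code is 287082.
    print("good login:", login("nurse.alice", "correct horse battery", "287082", now=59))
    print("bad code:  ", login("nurse.alice", "correct horse battery", "000000", now=59))
```

A second "something you know" such as a PIN would slot in exactly where `check_password` sits and would add nothing a phished or shoulder-surfed password did not already give away; the TOTP check only passes with the secret held on the enrolled device. In production the drift window should be kept small and a used code should be rejected on replay within the same step, which this short example does not track.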
You should also encrypt any transmission of data to and from mobile devices, so that ePHI cannot be read while it is being sent or received. For your own office, carry ePHI only over TLS (HTTPS) or a VPN connection, since traffic on an unsecured Wi-Fi network can be viewed by anyone within range. Be sure to use firewalls and install malware protection software to ensure that you aren’t sharing anyone’s ePHI with the rest of the world.
Focus on Policies, Procedures, Training For Administrative Safeguards

Administrative measures mostly involve the policies and procedures you put into place for mobile-device use, so staff training is also crucial. You must train staff on the risks and costs of breaches, as well as how to secure their mobile devices in compliance with HIPAA security and privacy standards.
For instance: Perform internal audits, or "risk assessments," before a formal audit takes place. A documented risk analysis is itself a requirement of the HIPAA Security Rule, and auditors will ask to see it. Once you’ve compiled the results, share them with staff members and create an action plan on how to prevent future issues from arising.