Over the past few years, as a result of the COVID-19 pandemic as
well as other developments in the medical arena, practices have
increasingly relied on technology. This includes the much wider use
of telehealth as well as electronic health records (EHR), online
medical portals, and appointment confirmations via email and
text.
Although technology is giving physicians, medical staffs and
patients much easier access to critical information, it has also
opened the door for fraudsters and hackers to steal or corrupt this
data. That is why it is important to continue to follow the latest
protocols for handling protected health information (PHI).
NATIONAL STANDARDS
Title II of the Health Insurance Portability and Accountability
Act (HIPAA), known as the Administrative Simplification provisions,
created national standards for electronic health care transactions.
Title II covers a lot of ground, but two aspects are particularly
relevant to cybersecurity for medical practices:
The Privacy Rule
This concerns the use and disclosure of protected health
information (PHI) held by “covered entities.” According
to the rule, covered entities include insurers, medical service
providers and various healthcare clearinghouses and
employer-sponsored health plans, as well as their business
associates.
The Security Rule
Unlike the Privacy Rule, which applies to all PHI (both paper
and electronic), the Security Rule applies specifically to
electronic PHI. It describes three types of security safeguards:
administrative, physical and technical.
HIPAA AND MOBILE DEVICES
Mobile devices usually transmit and receive PHI via public Wi-Fi
and email applications or through unsecure mobile networks, which
place PHI at risk of interception. In addition, most mobile devices
now can take and store photographs — but photos may violate
patient privacy, thus raising compliance concerns. Most of
today’s smartphones and tablets store data not only on the
device itself, but also in “the cloud.”
The primary concern is how a doctor accesses patient
information. If a physician uses a properly secured smartphone,
tablet or laptop to access EHR, the doctor will generally be in
compliance with HIPAA. However, if the physician saves EHR data or
photos to one of those devices and it is stolen or lost, the doctor
might be liable for the HIPAA breach. Liability can be costly
— though, if the PHI is not identifiable, it is probably
nothing to worry about.
Data pulled via browsers is generally encrypted, especially
through an EHR portal. Physician-to-patient emails outside the
portal can be a problem, because the Internet service provider
might not be secure — thus, the email communication could
fail to meet HIPAA standards.
ACCESS AND TRAINING
The three standards of the HIPAA Security Rule are:
confidentiality, integrity and access. Access typically refers to
passwords. Physicians need to fully evaluate which staff members
require access and provide them with training in security protocols.
A major component of cybersecurity is, of course, encrypting
patient data. Also important is setting up monitor protection to
prevent people who should not have PHI access from reading
information off a computer screen — for example, over the
shoulder of someone in the office.
For most practices, it is a good idea to document each
device’s purpose and limit access to it. The next step is to
determine how each device should be configured to make it
compliant. Doing so may require engaging a HIPAA compliance expert
in addition to an IT consultant.
Physician offices also need to develop policies regarding staff
use of smartphones — especially now that almost all of them
have cameras. The policies should answer such questions as: How and
where can employees use their phones? One suggestion: Instruct
staff members to not bring their phones into exam rooms or
other patient treatment areas.
STAY INFORMED
The issues surrounding cybersecurity for physician practices,
particularly regarding mobile devices, will continue to evolve
right along with technology. Stay informed about the current best
practices to avoid running afoul of HIPAA security rules and
protocols.