Over the past few years, as a result of the COVID-19 pandemic as well as other developments in the medical arena, practices have increasingly relied on technology. This includes the much wider use of telehealth as well as electronic health records (EHR), online medical portals, and appointment confirmations via email and text.
Although technology is giving physicians, medical staff and patients much easier access to critical information, it has also opened the door for fraudsters and hackers to steal or corrupt this data. That’s why it’s important to continue to follow the latest protocols for handling protected health information (PHI).
National standards – Title II of the Health Insurance Portability and Accountability Act (HIPAA), known as the Administrative Simplification provisions, created national standards for electronic health care transactions. Title II covers a lot of ground, but two aspects are particularly relevant to cybersecurity for medical practices:
- The Privacy Rule. This concerns the use and disclosure of protected health information (PHI) held by “covered entities.” According to the rule, covered entities include insurers, medical service providers, and various health care clearinghouses and employer-sponsored health plans, as well as their business associates.
- The Security Rule. Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI. It describes three types of security safeguards: administrative, physical and technical.
HIPAA and mobile devices – Mobile devices usually transmit and receive PHI via public Wi-Fi and email applications or through unsecured mobile networks, which place PHI at risk of interception. In addition, most mobile devices now can take and store photographs — but photos may violate patient privacy, thus raising compliance concerns. Most of today’s smartphones and tablets store data not only on the device itself, but also in “the cloud.”
The primary concern is how a doctor accesses patient information. If a physician uses a properly secured smartphone, tablet or laptop to access EHR, the doctor will generally be in compliance with HIPAA. But if the physician saves EHR data or photos to one of those devices, and the device is stolen or lost, the doctor might be liable for the HIPAA breach. Liability can be costly — though, if the lost data isn’t individually identifiable, the loss is probably nothing to worry about.
Data pulled through a browser is generally encrypted in transit, especially when it comes through an EHR portal. But physician-to-patient email outside the portal can be a problem, because the email service provider might not be secure — thus, the email communication could fail to meet HIPAA standards.
Access and training – The three standards of the HIPAA Security Rule are: confidentiality, integrity and access. Access typically refers to passwords. Physicians need to fully evaluate which staff members require access and provide them with training in security protocols.
A major component of cybersecurity is, of course, encrypting patient data. But it is also important to protect computer screens so that people who shouldn’t have PHI access can’t read information off a monitor — for example, over the shoulder of someone in the office.
For most practices, it’s a good idea to document each device’s purpose and limit access to it. The next step is to determine how each device should be configured to make it compliant. Doing so may require engaging a HIPAA compliance expert in addition to an IT consultant.
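The lost-or-stolen-device scenario above, and the point that encrypting patient data is central, can be made concrete. The following Go program is an added example written for this page, not code from the article or from any EHR vendor: it encrypts a constructed, fictional patient record at rest with AES-256-GCM and then shows that the same blob is unreadable without the key and that any tampering is detected. It assumes the key lives in the device’s operating-system keystore (a hypothetical `NewKey` stands in for that) and is never stored next to the encrypted data; the record fields, the `phi-record-v1` label and all sample values are made up for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PHIRecord is a constructed, fictional record used only to illustrate
// encryption at rest. Field names are an assumption, not a real EHR schema.
type PHIRecord struct {
	PatientID string `json:"patient_id"`
	Name      string `json:"name"`
	Note      string `json:"note"`
}

// formatLabel is bound into the authentication tag so a blob cannot be
// passed off as a different kind of encrypted object.
const formatLabel = "phi-record-v1"

// NewKey returns a fresh 256-bit AES key. On a real device this key would be
// generated and held by the OS keystore (assumed here), never written to the
// same storage as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the record and encrypts it with AES-256-GCM.
// Output layout: random nonce || ciphertext || authentication tag.
func Seal(key []byte, rec PHIRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(formatLabel)), nil
}

// Open decrypts a blob produced by Seal. The wrong key, a truncated blob or
// a single flipped bit all fail authentication and return an error, so a
// finder of a lost device gets no usable data and silent corruption is caught.
func Open(key []byte, blob []byte) (PHIRecord, error) {
	var rec PHIRecord
	aead, err := newAEAD(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < aead.NonceSize() {
		return rec, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(formatLabel))
	if err != nil {
		return rec, fmt.Errorf("decrypt failed: %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	key, _ := NewKey()
	rec := PHIRecord{PatientID: "MRN-000123", Name: "Jane Doe (fictional)", Note: "Follow-up in 2 weeks"}
	blob, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	got, _ := Open(key, blob)
	fmt.Println("with key:", got.PatientID, got.Name)

	// Lost-device scenario: the blob is present but the keystore-held key is not.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, blob)
	fmt.Println("without key:", err)

	// Integrity check: one flipped bit in the stored blob is rejected.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob)
	fmt.Println("tampered:", err)
}
```

The design choice worth noting is the use of an authenticated mode (GCM) rather than bare AES: it covers both the confidentiality and the integrity goals named in the Security Rule discussion, and a random per-record nonce means two identical notes never produce the same ciphertext.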
Physician offices also need to develop policies regarding staff use of smartphones — especially now that almost all of them have cameras. The policies should answer such questions as: How and where can employees use their phones? One suggestion: Instruct staff members to not bring their phones into exam rooms or other patient treatment areas.
But even that might not be enough. For instance, a staffer might take a photograph of something in the office with a recognizable patient in the background and post it on social media. This could be a HIPAA breach, with financial and legal consequences for the practice.
Stay informed – The issues surrounding cybersecurity for physician practices, particularly regarding mobile devices, will continue to evolve right along with technology. Stay informed about the current best practices to avoid running afoul of HIPAA security rules and protocols.