HIPAA Compliance: Understand the Security Risks of Your Personal Portable Devices


In today's healthcare environment it is very important to configure your devices and systems, and to train your users, before security problems occur rather than after. This expert article walks through the HIPAA security concerns that personal portable devices raise.

BYOD means "bring your own device". It is the invasion of the portable devices: they seem to be flowing in from every direction, coming in right and left.

And people are saying, "Well, listen, it's easy. I think this iPhone is really cool. I can do all these great things; I can just use this for a lot of stuff. There's so much we can do with all these apps out here, and boy, we can collect all kinds of data. The possibilities are endless."

Well, the possibilities really are endless. But every one of them brings real security issues along with it. You have real questions about how to make sure these devices are secured, so that any data that might be stored on them, or travelling to them, is not exposed improperly. You do not want a HIPAA breach.

This also raises real questions of who owns the device, who has control over it, and who is liable for the various things that can happen with it. How do you set the parameters? How do you decide who is in charge of which aspects of it? How much control do you have over the data, and if exercising that control means putting apps or other management agents on an employee's own cell phone, is that going to be acceptable?

That is the whole issue of mobile device management (MDM): how do you manage these devices so that, if something goes wrong, you can keep it from turning into a HIPAA breach? In practice that means being able to require a passcode and storage encryption on the device, and being able to wipe it if it is lost or stolen or the owner leaves.

Let's talk about how staff will use mobile devices in healthcare. It comes down to some very basic things when people want to use their mobile devices while maintaining HIPAA compliance. Some of the simplest have to do with accessing and receiving results and patient information: patients want access to their own information, and they want it delivered to the device in their hand.

So you want that information sent to their mobile device. Staff members may also have reasons to access information over a mobile device, whether by using the telephone function and calling in, by sending text or email messages back and forth, or by going through a portal, a virtual private network, or a custom application. There are many ways of exchanging patient information.

Using your smartphone to get a text message telling you that you have an extra 15 minutes to spend with a patient right now is more valuable than cooling your jets for 15 minutes while the operating room is prepared for you.

As our expert suggested in an online HIPAA training session, it might be useful to handle some of this on a device you can reach from your own smartphone, along with simple things like keeping your appointment calendar or doing dictation, either with the phone itself or with an app on the phone. There are lots of ways to do that.

Where has your health data gone?

What is happening is that there are interactions and technology in play that may be outside of your control. As an office manager or an IT person running an office, you want to get your arms around every device you are handling health information with, so you can make sure it is being done securely and safely.

But here is technology that is outside of your control, sitting in somebody's pocket, bought from the local Verizon store, AT&T store or Sprint store, wherever they went to get their latest device.

So there is equipment that is really outside of your control. How are you going to get your arms around those pieces? That is one question.

Who is accessing or providing the health information?

The authentication question: if somebody is connecting to your systems to get information, or if you are sending information to somebody, how can you be sure it is the right connection, that you are sending information to the right place, and that whoever wants to connect to your system is who they say they are?

Our expert mentioned at a HIPAA conference that you must make sure people have good authentication. It has to be clear who is who, so that nobody makes the mistake of sending information to the wrong individual or allows a medical error to happen. You do not want that. The HIPAA Security Rule treats this as its own standard, person or entity authentication (45 CFR 164.312(d)), and a shared password on a phone does not meet the spirit of it; the person, not just the device, has to be identified.

What is the right information to provide?

It is not just authentication, who is who and who should have access, but access to what. Who is authorized to access which information? It does no good to set up a policy that lets your staff get into your EHR system from their mobile devices if you then leave it wide open for everybody to get in anywhere.

Your billing staff needs certain information, your nursing staff needs certain information, and different offices need certain information. Under the HIPAA security rules your authorization controls should be good enough to ensure that each person gets just the right information and not more. HIPAA requires that you provide only the minimum necessary (the Privacy Rule's minimum necessary standard, 45 CFR 164.502(b)). You need to build that into your access controls to ensure HIPAA compliance.
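One way to put the minimum necessary principle into code is to decide, per role, which fields of a patient record may be released, withhold everything else by default, and log every decision. The block below is an added example written for this article; it is not code from the article's author, the training session, or any real EHR or MDM product. The role names, field names, `Principal` class, `filter_record` function and the sample record are all hypothetical, and the record contains no real patient data.

```python
# Added example: role-based "minimum necessary" filtering of an EHR record.
# Illustrative code written for this article, not from any real EHR product.
# Roles, field names and the sample record below are hypothetical/constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Who is asking. `authenticated` is set only after the login step succeeded."""
    user_id: str
    role: str
    authenticated: bool = False


class AccessDenied(Exception):
    pass


# Hypothetical field-level policy: each role sees only the fields it needs.
# A field absent from a role's set is withheld, so a field added to the
# record later is hidden by default rather than exposed by default.
ROLE_FIELDS = {
    "nursing":    {"patient_id", "name", "dob", "allergies", "medications", "vitals"},
    "billing":    {"patient_id", "name", "dob", "insurance_id", "procedure_codes"},
    "scheduling": {"patient_id", "name", "next_appointment"},
}


def filter_record(principal, record, audit_log, requested=None):
    """Return the subset of `record` that `principal` may see.

    `requested` optionally narrows the result to the fields the caller asked
    for; the role policy is applied on top of that and is never widened by it.
    Every decision, allowed or denied, is appended to `audit_log`.
    """
    if not principal.authenticated:
        audit_log.append({"user": principal.user_id, "denied": "not authenticated"})
        raise AccessDenied("principal is not authenticated")

    allowed = ROLE_FIELDS.get(principal.role)
    if allowed is None:  # unknown role: deny everything rather than guess
        audit_log.append({"user": principal.user_id, "denied": f"unknown role {principal.role}"})
        raise AccessDenied(f"no policy for role {principal.role!r}")

    wanted = set(record) if requested is None else set(requested)
    released = {k: v for k, v in record.items() if k in allowed and k in wanted}
    withheld = sorted((set(record) & wanted) - allowed)
    audit_log.append({
        "user": principal.user_id,
        "role": principal.role,
        "patient_id": record.get("patient_id"),
        "released": sorted(released),
        "withheld": withheld,
    })
    return released


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Test Patient",
    "dob": "1970-01-01",
    "allergies": ["penicillin"],
    "medications": ["metformin 500mg"],
    "vitals": {"bp": "120/80", "hr": 72},
    "insurance_id": "INS-123456",
    "procedure_codes": ["99213"],
    "next_appointment": "2024-05-01T09:00",
}


if __name__ == "__main__":
    log = []
    nurse = Principal("nurse01", "nursing", authenticated=True)
    biller = Principal("bill01", "billing", authenticated=True)
    print("nursing sees:", sorted(filter_record(nurse, SAMPLE_RECORD, log)))
    print("billing sees:", sorted(filter_record(biller, SAMPLE_RECORD, log)))
    # Same biller, narrower request: the caller only gets what it asked for,
    # and still nothing the billing role is not entitled to (vitals is withheld).
    print("billing, claim only:",
          filter_record(biller, SAMPLE_RECORD, log,
                        requested=["insurance_id", "procedure_codes", "vitals"]))
    for entry in log:
        print("audit:", entry)
```

The two checks worth carrying over to a real system are that the policy is an allow-list (an unknown role or an unlisted field yields nothing, never everything) and that the withheld fields are recorded, so an audit can show that a nurse's phone was never sent insurance details even though the EHR held them.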

Also think about what access controls you have in place to protect privacy. How secure is the interaction point, that is, the entry point where somebody dials in to your organization, pulls information and loads it onto their smartphone?

How secure is the transmission? How secure is the data while it is getting there? And how secure is the information once it is on the device itself? In practice that means encrypted transport (for example TLS or the VPN mentioned above), encryption of whatever is stored on the device, and a way to wipe a device that is lost or stolen. That is the whole access control issue of protecting patient privacy.

Get the insider information on healthcare rules and regulations with on demand conference training sessions at