HIPAA Rules: Maintain Security with Electronic Devices


One of the adverse results of the extensive adoption of portable technologies is that, without the implementation of good security practices, they can become the source of HIPAA breaches. Read this expert HIPAA security compliance article to learn more about the risks involved.

For each risk issue, everything you can think of where something could go wrong, there's a potential impact. In other words, what's going to go wrong if it does go wrong? And what's the likelihood that it's going to happen?

Think about the dental appointment reminder postcard that you get in the mail every six months that says, “Hey, it's time to make an appointment, come see your dentist.” What's the impact if that gets out there? The impact of that is like zero. Who cares? The likelihood of it getting out there is 100%, okay. But what's the risk here? It's basically zero.

It could be the other way around. You may have some very sensitive information, you know, very highly detailed information on lots of patients, with substance abuse histories and HIV results and all kinds of stuff, huge-impact stuff if it gets out there. But if it's secured, if it's properly encrypted and the keys are properly protected following the existing HIPAA security rules, nobody can get at it, the likelihood that it's going to be exposed is very, very low, so you can have a very low risk there as well.

But if anything goes wrong with either of these things, if you have a medium or a high likelihood or impact, you can see what the risks are. Assign each risk a high, medium or low rating for impact and for likelihood. The impact is how bad the damage could be and the likelihood is how likely it is to happen. And just multiply these two together.

How do you evaluate things?

If the risk level appears to be low, it may be acceptable. And this is the whole concept, as they talked about in the preamble of the new final rule: they say, “Well, listen, you can make an informed risk decision.”

The issue is, what if you have somebody who wants to have a copy of their medical records? There are all kinds of requirements in HIPAA now to give people copies of their medical records and, again, pretty much however they want them. And the way they interpret this in the preamble and, you know, generally in HIPAA, if you're sending the information to somebody, you should be encrypting it, you should make sure it's secure as per the HIPAA security standards.

But if somebody says, “I want my medical records and I want you to email them to me” or “I want you to text them to me. I want you to text me my test results on my cell phone please. I don’t want to wait for an email. I don’t want to wait for a mail – you know, somebody to come with a postal mail. Just text me my results. Just email my results.”

In the preamble, they say that when it comes to somebody wanting to have their results emailed to them, you say, “Well, listen, you do realize there are some risks, that this could be exposed. It's not a secure way to transmit this information. Are you sure you want to go ahead?” And they say, “Yeah, no, it's fine. I accept the risk. It's reasonable. I don’t think it's enough of a risk for me to worry about.” And you get that documented. You can go ahead and move along.

You're not asking them to give up their rights. People can't say, “Oh, I don’t care about that. I don’t care about my rights. You just do whatever I say, do whatever you want, you know, I'm just signing a waiver here and just forget it all.” You can't do that under HIPAA. It's not allowed. But you can come to an informed risk decision. And that's the important thing to do.

So if there's any real risk going on, then really encourage them to use a more secure method.

And in fact, you may have other state laws and federal laws that may pre-empt some of this information going out, because when you're talking about HIPAA, there is some flexibility. It's not as hard and fast as people have been interpreting it in many cases over the past couple of years.

Why do we need HIPAA and security policies and procedures? Because they're required, and they make life easier for you: with good policies and procedures you can respond to incidents and HIPAA breaches, protect information and prevent breaches. And you have more consistency and quality, keeping in line with the healthcare rules.

The security policy framework is that you need to have, you know, four basic kinds of policies. The first is about the business of your information security: how you manage it, what your access controls are, do you have good training in place, and do you have good regular reviews so that you're watching your security on a regular basis?

And do you have good access controls, the second kind of policy? Do you have firewalls, ways to grant access and ways to prevent access where there shouldn't be any? And do you have data management policies and procedures, so that you have good backups, you can hold on to the data that you need to and you can respond to emergencies? Your policy gives you the right to go ahead and do what you should be doing to protect the data and protect your organization as per the HIPAA security rules.

How does BYOD fit into the policy framework?

A few things you need to think about are, you know, what process you're going to have in place, and how you're going to understand what the risks are and do the monitoring, audits, documentation and training requirements. So you need to make sure that your regular information security process does the proper evaluation of risks, the proper monitoring of usage, the proper healthcare audits for HIPAA compliance, and documentation and training.

You need to have good access controls in place as well. So you need to make sure you know how access is provided, what kind of app or agent is used, and what kind of controls you have.

And data management: how is the data synced or backed up? If you have data on these portable devices, how are you going to get it back onto your servers or have it backed up properly?

And the user policy. We have to fit in there what the users have to do, what rights they have to give up, what warnings you give them, and what they have to sign so you can get them on board with following your policies and procedures.

There can be restrictions on the use and sharing of the device as per HIPAA regulations. It's a very easy thing to say, “Oh, yeah, here, use my phone.” Well, not if it's got health data on it. And a lot of people can log in just by pushing the right buttons. There needs to be some separation of personal data so you don’t wind up with things all intermingled. You don’t want to use the same email account for personal information and for business information, for health information.

Visit AudioEducator for a wide range of helpful healthcare conferences and HIPAA online training programs to help you ensure medical compliance.