In Home Health Care HIPAA and HiTECH Policies

Using You Own Device and HIPAA Compliance
Texting Policy
Removing Access After Termination
Sanction Policy
Business Associate Agreement
Disaster Recovery Plan
Taking Pictures on Phone Policy

How to stay HIPAA Compliant Quiz

Using You Own Device and HIPAA Compliance

HIPAA compliant SmartphoneThis posting is one of a series as identified above covering HIPAA compliant policies and procedures.  Fundamentally, the rules for using your own device on and off premises are the same as using a organization furnished device.  A personal device used for business purposes has the potential to be compromised.  The electronic Protected Health Information (ePHI) stored represent an appealing target by cyber criminals as providing an easier entry point into healthcare networks because of less robust security controls.  Devices which connect to networks via public Wi-Fi are at considerable risk for potential theft or loss.

What is ePHI?

HIPAA includes an enumerated list of 18 possible identifiers that must be absent from a record before it can be considered not to be PHI. These “Safe Harbor” criteria give you an easy checklist to run through when making PHI determinations.

Risk Assessments

Risk assessment is the most important component of reaching a HIPAA compliant processes.  This is an assessement you have designed with specific supporting policies.   Risk assessment is a fundamental element of HIPAA compliance, this includes an assessment specifically for mobile devices connecting to your network.  The IT landscape is constantly changing which means your risk assessment should change with IT modification and improvements.  As risk shifts so should your assessment policy.  You should be able to demonstrate these modifications for HIPAA compliance.

  • Evaluate the likelihood and impact of potential risks to electronic PHI
  • Implement appropriate security measures to address the risks identified
  • Document the chosen security measures and the rationale for adopting those measures
  • Maintain continuous, reasonable, and appropriate security protections

Information Access Controls

Network access should only be allowed if the device has been certified as having the appropriate security controls.  Access to the network should be limited based upon the users needs.   Downloadable date should be restricted to users needs.  It is possible to separate personal data from work data on BYOD devices.  This allows for deletion of protected data while retaining personal files and contacts.

Data Tracking

Data tracking is essential for HIPAA compliance.  In the event of a security breach HIPAA requires that an organization be able to track what happened to its data.  Protected data can and should be watermarked.  Everyone is aware that data can be compromised even with profound security measures in place.  Data tracking allows you to follow and track its trail and to conduct a forensic evaluation post-incident.

Regular Staff Training

Employee negligence continues to be the leading cause of healthcare data breaches.  Users are the weakest link in the data security chain.  Using your own device off premises simply exacerbates this risk. Recent breach report data support this reality.  Regular training sessions are crucial and should cover on premise and off premise data privacy and security issues recognizing and addressing the latest threats.  This is known as a ‘Risk-Aware’ culture.

Data Encryption

While data encryption at rest is not mandatory pursuant to  HIPAA Rules data encryption becomes an important concern for devices removed from the organization’s premises and particularly with a users own device.  Data encryption continues to represent the best protection against data breaches and HIPAA fines.  Data encryption supported by staff training can greatly reduce the risk of privacy violations.  Data encryption should be standard procedure for all data stored on mobile devices including smart phones, portable storage devices, lap tops and tablets.   With encrypted data a lost device is not considered to represent a data breach.

Remote Data Erasure

Remote data erasure provides a second line of defense in addition to data encryption.  Portable devices are often lost or stolen.  With a central control for all mobile devices used to connect to the organizations database a built in feature which allows data to be remotely deleted can rendered the device secure even if it cannot be physically located.

Public Wi-Fi Network  Access

Public Wi-Fi hotspots are easily intercepted with data on the device accessed.  A VPN can protect devices that may remotely access data through public networks.  Only a secure text message service should be used with whom the organization has a Business Associates agreement should be used to ensure communications are not intercepted.

Device Security Scanning

Healthcare data networks should not be accessed without an automated scanning of the device for ransomeware, viruses or other malicious code.  Anti-virus  software  should be installed  on all mobile devices supported by security scans acted on a regular basis.   All mobile devices used tor work purposes must have PHI securely erased and access rights to data must be terminated immediately upon the departure of an employee.

Secure Text Messages

SMS messages or text messaging should never be used for PHI unless you have an encrypted system which includes data tracking and a Business Associates agreement in place with the provider.  Unencrypted text which contain PHI violate HIPAA.  A secure messaging application should be the only means of text messaging communication.

Secure Password Policy

Implement and enforce password policies on password length, composition and validity period.  Explain the data security rules to the staff, and communicate the importance of being constantly vigilant tor security risks.

Control of App Usage

Mobile applications are filled with exploitable security flaws.  All apps should be certified.  The necessary security controls for apps must be kept updated.  Internal audits should review portable devices on a regularly scheduled to to confirm compliance with company policies on mobile device security.

Device Maintenance

All mobile device require regular software updates installing patches must be installed  promptly.  Anti-virus and antimalware programs should be updated routinely to ensure device security is maintained at all times.  A single unmaintained or unpatched device has to potential to access protected networks and healthcare data.

Photography with Phone

Images which include health information must be taken with a HIPAA approved app.  An image which includes any type of health information along with enough detail to identify a specific individual, then it is PHI.  The applicable PHI-defining criterion for ePHI for  “Full-face photographs and any comparable images” is likely to cover any medical picture that conveys identity including a “full-face photograph” or photo accompanied with patient identifying information.  A notable physical feature or a tattoo may be considered as patient identifiable information.

Backing Up Phone

Backing up your phone can be incredibly risky.  Backing up to the “Cloud” means you are simply backing up to other people’s computers and this is absolutely NOT HIPAA compliant.  It was the backing up process that put Huma Abedein’s information on Anthony Weiner’s laptop.  Don’t do it !  Identify all points of PHI storage or access on your phone and determine if a cloud service is set to back up.  Turn off back up services including cloud services and use only HIPAA-compliant backupw with a BAA in place with the organization supplying it.

Social App Access to Contact List

This is probably the most overlooked element of patient privacy.  You may store patient numbers on your phone or in a contact list OR a patient may store your number in their contact list.  Social Applications such as FaceBook or LinkedIn ask to access your contact list.  When this occurs your contact information or patient identification is accessed.  You cannot allow contact list access from your phone or device including laptop.  This feature of contact access should be blocked.

Business Associates Agreement

You must have a Business Associates Agreement with entities providing services for your data network including email and SMS messaging.  Simply encrypting messages or email is not enough to meet HIPAA requirements.  Skype, owned by Microsoft, does not provide BA and is not HIPAA compliant at this time.  If you are using text messaging and email be sure that not only is the service encrypted but that data tracking is available and the provider signs a Business Associates Agreement.

The American Medical Association has BA Agreement online in Word for downloading at this link:

Sanctions Policy

HIPAA requires a sanction.  You cannot have an effective rule without a sanction.  Read more here …

Mobile Device Management Policy Summary

Mobile Device Management (MDM) Policies must be implemented by each organization.  PHI must be protected with secure client applications including email, text and web browsers. A remote wipe capability protects a device which has become lost or stolen.   Organizations must also “implement technical policies and procedures that allow only authorized persons to access” ePHI. Essentially, there must be a limit for who is accessing sensitive information.

Health data encryption is another example of how covered entities can apply HIPAA regulations to their use of mobile devices. Encryption allows a healthcare organization to convert the original form of information into encoded text. This makes the health data unreadable unless an individual has the necessary key or code to decrypt it.  However, HIPAA does not require encryption. Instead, encryption is an “addressable” aspect, meaning that organizations can determine if encryption is necessary for their operations and then what type of encryption to use.

Recent regulations regarding mobile devices and applications

The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) developed a guideline for implementing mobile security measures on both personal and organization-owned mobile devices.  The cybersecurity practice guide, “Mobile Device Security: Cloud & Hybrid Builds,” was designed to help combat the increasing security threat as more facilities implement mobile and cloud options.

The US Department of Health and Human Services Office for Civil Rights (OCR) also launched a portal last year for health application developers.  The portal provides links that discuss the HIPAA Privacy Rule, the HIPAA Security rule, business associates, and a sample business associate agreement.  “A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits.”

Lee Ann Torrans