HIPAA and BYOD: Bridging the Gap
There is no denying that technology has had a measurable impact on the healthcare industry, but not all of the changes have been positive. Recent data breaches have reignited focus on HIPAA compliance, especially among those healthcare organizations that allow their employees to “Bring Your Own Device” (BYOD). Healthcare professionals who use personal devices (cell phones, laptops, tablets, etc.) to access sensitive electronic patient health information (e-PHI) risk violating the law’s strict privacy and security mandates.
A staff’s ability to access patient data from anywhere at any time improves productivity, flexibility and financials, but it also increases scrutiny of controls and regulations on the devices used to store such information. A Wisegate survey of senior IT professionals noted that “32 percent of respondents named data breaches and malware as their top threats and risks to their organization.” A 2016 survey from Crowd Research Partners found that “security (39 percent) and employee privacy (12 percent) are the biggest inhibitors of BYOD adoption.”
So how are healthcare organizations combating this in order to implement a BYOD program that protects themselves and their patients?
Some have implemented BYOD policies, using the HIPAA Security Rule as a guide. HIPAA regulations allow healthcare organizations to create BYOD policies to direct and control the use of personal devices to store patient information. The most commonly instituted policies include:
- Device audits,
- Multi-level authentication and security logins,
- Self-locking options that trigger when a device is left inactive for a certain period of time,
- Employee training on cyber-security.
Some organizations have also implemented Mobile Device Management platforms, which can remotely delete all stored data if a device is reported missing.
In addition to those policies, it is important that transmissions of e-PHI via cloud storage or file-sharing hosts are conducted through a secure, encrypted network. Since security risks and threats can change quickly, devices should undergo routine maintenance and regular updates of all security software.
Healthcare organizations are also urged to prepare for upcoming HIPAA audits by instituting policies and procedures (P&P) that enable them to attest to compliance with risk analyses and risk management mandates. This will help them to steer clear of any potential penalties associated with non-compliance.
Because the Office for Civil Rights (OCR), which will be conducting the audits later this year, is still in the process of sending out address verifications, organizations that have not yet put appropriate P&P in place still have time to do so. Along with P&P, OCR will also be looking for:
- Notices of privacy practices,
- Workforce Training and Education programs,
- Breach notification system(s),
- Individual rights to access PHI and e-PHI,
- Privacy safeguards (paper shredders, locked cabinets, copiers with data storage, etc.).
In an industry where technology is both a benefit and a potential risk, safeguarding e-PHI and ensuring regulatory compliance are of the utmost importance. Implementation of BYOD best practices and HIPAA compliance attestation is critical to the safety of e-PHI and of the device owner’s personal data, and should be in place prior to allowing access to the facility’s network.
When guided by policies that protect all parties involved, BYOD can help facilitate information sharing in a permissible manner while aiding interoperability—without fear of a data breach.