By Adam Solander, Ali Lakhani and Wenxi Li
The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office for Civil Rights (OCR) of the Department of Health and Human Services has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices for mobile technology do not foster non-compliance and create institutional risk.
Physicians Integrate Mobile Technology Into Daily Practice
Physicians Practice's 2014 Technology Survey found that only 31 percent of its more than 1,400 respondents had implemented policies and rules to address bring-your-own-device ("BYOD") practices. With more than 80 percent of doctors using mobile devices at work and integrating their personal devices into their professional practice, these devices represent a significant potential privacy and security risk.
Traditional Safeguards Undermined By "Anywhere" Access
The HIPAA Security Rule applies whenever protected health information (PHI) is accessed or communicated through a mobile device, including something as routine as texting a patient's name and phone number for a follow-up call. In its annual report to Congress on breaches of unsecured PHI for calendar years 2011 and 2012, OCR reported that loss or theft of mobile devices was one of the top three sources of breached PHI, accounting for 117 of the 222 breaches reported in 2012. Additionally, Physicians Practice's 2014 Technology Survey indicated that only 61 percent of respondents securely back up their data to a second server or by another method. The remainder fall short of the HIPAA Security Rule, which requires covered entities to create and maintain retrievable copies of electronic protected health information (ePHI).
OCR Enforcement Areas, Especially Among Small Breaches, Continue to Grow
OCR officials routinely remind covered entities and business associates to understand their obligations with respect to mobile device security, obligations that become more complex to satisfy as the use of mobile technology in the workplace proliferates. At the same time, OCR continues to step up enforcement against entities subject to the HIPAA Security Rule that suffer data breaches. Significantly, this enforcement expansion has included smaller entities and breaches affecting fewer than 500 individuals. OCR expects HIPAA Security Rule enforcement to continue this trend and increase further in 2014.
Be Prepared
Physician practices and health care entities should conduct a thorough risk assessment that addresses the use of mobile devices and the storage of mobile device data in their environment. Policies and procedures should then be developed to reduce the risk associated with mobile devices to a level the business can tolerate. Risk management plans and security evaluations should be updated and repeated periodically. Physician practices and health care entities must also remember that their business associates are themselves required to comply with the HIPAA Security Rule, so some diligence on the use of mobile devices in their business associates' environments is advisable. In practice, over 20 percent of HIPAA data breaches have been traced to noncompliant business associates. While the risk may be significant, with proper staff training to identify and address conduct that raises HIPAA concerns, physician practices and health care entities can minimize the risk of OCR enforcement and the large settlement costs associated with mobile devices.