Using Mobile Devices Increases HIPAA Related Risk

June 20, 2014

The use of mobile technology affords health care practitioners the ability to communicate with patients and access health information from records. Like others who use mobile technology regularly for a wide variety of purposes, health care providers use mobile devices to exchange ePHI when away from work. However, management for covered entities that employ even a few individual providers should be aware that the use of mobile technology can put them at increased risk of a HIPAA-related security breach. HIPAA stipulates that those responsible for ensuring that HIPAA compliance is maintained within a covered entity are “accountable for the actions of their workforce.” In this case, the old adage “What you don’t know won’t hurt you” doesn’t apply, so remaining blissfully unaware is not an option if you want to avoid extra audits and sizable fines. As far as HIPAA is concerned, there is no such thing as plausible deniability.

While covered entities seem to have gotten the message regarding the importance of maintaining the security and privacy of electronic health information stored and accessed onsite, many do not seem to fully understand the risks involved with using mobile technology to access and communicate patient information. Many assume that if the proper measures ensuring the security of patient information onsite are in place then any devices accessing the same databases that an employee does while at the workplace will also be secure. However, this is not the case and this lack of awareness is leading to numerous security breaches resulting in practitioner citations and fines.

The use of mobile technology by healthcare professionals to communicate with patients is becoming a common practice. A study conducted with physicians showed that almost 85 percent of those surveyed own a minimum of one mobile device and 25 percent of them use these mobile devices for a variety of purposes in their practice. Yet studies have also revealed that many professionals and organizations do not take adequate precautions to protect ePHI accessed through mobile technology. Data stored on the cloud is also vulnerable to security breaches due to insufficient practitioner knowledge of how to manage risk.

Part of the problem with using mobile technology to access or communicate patient information is that most practitioners are not aware of how much ePHI is stored on the mobile devices that they own. Additionally, loss or theft of a mobile device is a particular risk to the security of patient information, since these devices are typically small and frequently carried by the individual from place to place. Of the numerous physicians surveyed nationwide, more than 50 percent had at least five data security breaches caused by the loss or theft of their mobile device. Another study conducted with medical executives, medical organizations and health care insurers showed that over the course of the previous two years, more than 65 percent of all data breaches discovered were determined to be the result of the theft of personal mobile devices. The cases represented in these two studies amount to a huge number of breaches and patients whose information was inadvertently disclosed or accessed without their permission.

These types of breaches can also result in a huge financial cost due to fines and lawsuits. These financial consequences have the potential to significantly impact the solvency of an organization if those in charge of HIPAA compliance remain unaware of how to minimize mobile device related risks. Just like history, those that do not learn from past mistakes are bound to repeat them in the future.

Specific risks you should be aware of in regards to the use of mobile devices to access or communicate ePHI include:

Failure to Encrypt: Many providers do not set up encryption on their mobile devices. This means information stored on these devices can be accessed and used inappropriately. It is also possible for computer-savvy individuals to view any information downloaded to or retrieved on these devices without the owner’s knowledge.

Failure to Require Authentication: Often those using mobile devices regularly fail to use passwords or other user authentication methods. This allows any user in possession of the device to view ePHI stored there.

Public Wi-Fi Networks: With so many establishments offering free Wi-Fi, many people rely on public or unsecured Wi-Fi or cellular connections when traveling or on the road. However, sending or receiving ePHI over unsecured networks makes it possible for others sharing the same connection to view this information.

Compliance with HIPAA/HITECH regulations requires that all covered entities, their employees and their business associates use “reasonable safeguards” when communicating with patients or when accessing health information electronically. This includes mobile devices. It is important to recognize that the focus of HIPAA is the security and privacy that must be provided to patients regarding their health care information, not the device used to convey this information. Compliance with the policies and procedures safeguarding ePHI applies to all computing and electronic equipment that is used to access and communicate this information. HIPAA mandates compliance no matter how many times or how frequently you use your handheld device to call up ePHI. Even using a mobile device just once can lead to unauthorized disclosure or access of ePHI, which will result in the same reporting requirements as if the disclosure had occurred on an office-based computer. This can lead to large problems if the need to disclose occurs and results in an audit. Usually those who fail to protect ePHI on mobile devices according to one set of criteria fail to protect it according to almost all sets of criteria.

If you are a manager or owner of a healthcare facility or practice and are not sure what information employees have stored on their tablets, laptops, and smartphones, you will not know whether the ePHI stored or accessed at your facility is fully protected. A good starting point is to ensure all employee mobile devices are encrypted even if the employee does not intend to use them for accessing ePHI. You never know when a request or issue related to ePHI will occur, and many find that although they never intended to use their mobile devices for work-related purposes, it is easier to address a situation through a mobile device than to be forced to return to the workplace. Encryption programs are relatively easy to use and provide extra protection in the form of a safe harbor under HIPAA regulations. This means that should a security breach occur, the entity is not bound by the breach notification reporting rules as it would be if the information were not encrypted. It is also important to make sure that all personal and employee-owned mobile devices are included in your risk analyses and remediation planning.
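The following is an added example, not code from the article or from any HIPAA guidance, showing how a practice manager might turn the three risks listed above and the closing advice on risk analysis into a repeatable screen of a device inventory. The inventory records, their field names (encrypted, lock_required, vpn_enforced, intended_for_ephi) and the owner names are constructed assumptions about what an export from a mobile device management tool might contain; every device is screened regardless of whether its owner intended to use it for ePHI, and the encryption flag also drives the safe-harbor question of whether loss of that device would trigger breach notification.

```python
"""Screen a mobile device inventory against the three ePHI risks named in the article.

Added example with constructed sample data; the Device fields are assumptions
about what an MDM or asset inventory export would provide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    employee_owned: bool      # personal (BYOD) device vs. practice-owned
    intended_for_ephi: bool   # owner's declared intent; the article says not to rely on this
    encrypted: bool           # full-device encryption at rest is enabled
    lock_required: bool       # passcode / PIN / biometric unlock is required
    vpn_enforced: bool        # practice systems are reachable only over the practice VPN


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("DEV-001", "dr_alvarez", True, True, encrypted=True, lock_required=True, vpn_enforced=True),
    Device("DEV-002", "dr_chen", True, False, encrypted=False, lock_required=True, vpn_enforced=False),
    Device("DEV-003", "nurse_patel", False, True, encrypted=True, lock_required=False, vpn_enforced=True),
    Device("DEV-004", "admin_ruiz", False, True, encrypted=False, lock_required=False, vpn_enforced=False),
]


def findings_for(device):
    """Return the article's risk headings that apply to this device."""
    findings = []
    if not device.encrypted:
        findings.append("Failure to Encrypt")
    if not device.lock_required:
        findings.append("Failure to Require Authentication")
    if not device.vpn_enforced:
        # Without an enforced VPN, ePHI may traverse public or unsecured Wi-Fi in the clear.
        findings.append("Public Wi-Fi Networks")
    return findings


def notification_required_if_lost(device):
    """Loss or theft of an encrypted device falls under the encryption safe harbor described
    in the article, so breach notification is only triggered for unencrypted devices."""
    return not device.encrypted


def risk_report(inventory):
    """Per-device findings for the risk analysis, covering every device in the inventory."""
    return {
        d.device_id: {
            "owner": d.owner,
            "employee_owned": d.employee_owned,
            "intended_for_ephi": d.intended_for_ephi,
            "findings": findings_for(d),
            "notify_if_lost": notification_required_if_lost(d),
        }
        for d in inventory
    }


def remediation_priority(inventory):
    """Order devices for remediation: unencrypted devices first (loss and theft are the
    leading breach cause in the article), then by number of findings, then by id."""
    return [
        d.device_id
        for d in sorted(inventory, key=lambda d: (d.encrypted, -len(findings_for(d)), d.device_id))
    ]


def summary(inventory):
    """Roll-up counts a manager would want for remediation planning."""
    report = risk_report(inventory)
    return {
        "devices": len(inventory),
        "noncompliant": sum(1 for r in report.values() if r["findings"]),
        "unencrypted": sum(1 for d in inventory if not d.encrypted),
        "employee_owned_noncompliant": sum(1 for d in inventory if d.employee_owned and findings_for(d)),
        # Devices whose owners said they would not use them for ePHI but which still fail a control.
        "noncompliant_not_intended_for_ephi": sum(
            1 for d in inventory if not d.intended_for_ephi and findings_for(d)
        ),
    }


if __name__ == "__main__":
    for device_id, entry in risk_report(SAMPLE_INVENTORY).items():
        print(device_id, entry)
    print("priority:", remediation_priority(SAMPLE_INVENTORY))
    print("summary:", summary(SAMPLE_INVENTORY))
```

In the sample inventory, DEV-002 is the case the article warns about: its owner did not intend to use it for ePHI, so it was never enrolled, yet it is unencrypted and would require breach notification if lost. Swapping the constructed list for a real inventory export is the only change needed to run the same screen against a practice's own devices.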