Synergy - January/February 2013 - 11

continuing education

prevalent in the industry. Failure to ensure security and privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with similar legislation, including those relating to confidentiality, may very well result in violations and penalties. A lesson may be learned from the recent $1.5 million settlement reached between the U.S. Department of Health and Human Services Office for Civil Rights and a Massachusetts specialty hospital and its associated professional group resulting from an investigation tied back to a theft of a laptop computer.

HIPAA Security and Privacy Rules
Unfettered use of mobile devices is causing PHI and its security to become a greater concern for providers. The HIPAA Security Rule requires providers to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of PHI. In addition to the HIPAA Security Rule, the HIPAA Privacy Rule establishes standards for the protection of PHI and other personal information. This protection is done through appropriate safeguards to limit disclosure of PHI. With the ever-increasing use of personal mobile devices for professional purposes, more and more providers are taking pictures, dictating or sharing information, some of which constitutes PHI, through these devices. In these instances, it is possible to allow unauthorized access or give someone inadvertent access to such protected information.

Hospitals must have written policies in place addressing the privacy of health information and must ensure that unauthorized individuals cannot gain access to patient records. Because the security and privacy concerns emanate from HIPAA, the implementation and enforcement of the policies and procedures should incorporate and further the HIPAA policies and procedures in place.

How May Disclosure Occur With a Mobile Device?
When a practitioner utilizes a mobile device, it is not unusual that the last thing on their mind is the HIPAA implications of such use. The following are common instances where there may be an improper disclosure of PHI as a result of using a mobile device in developing, accessing or retaining PHI:
• The device is misplaced by the user, or lost or stolen, so that another person may have access to such information;
• The device is left unattended or viewable where an unauthorized person may have access to PHI;
• An unauthorized individual “hacks” into the device’s database or through an unsecured transmission line;
• Information is transferred to or placed on a mobile device (or even a flash drive) that is not encrypted so that the provider may have access to it on a trip or at home; or
• The mobile device is traded in and the memory is not completely deleted or “scrubbed.”
It should be noted that an unauthorized disclosure does not need to occur to implicate a violation of the HIPAA Security and Privacy Rules. These rules allow for communications between healthcare providers or with patients as long as they have established appropriate administrative, physical and technical safeguards from a security and privacy standpoint to ensure the PHI remains confidential with integrity and security. Failure to do so is a violation itself.

How to Ensure Protection When Utilizing Mobile Devices
With the different issues surrounding the use of mobile devices in the hospital environment, medical staff policies and procedures must be established to satisfy the HIPAA Security and Privacy Rules and related statutory and regulatory requirements, to protect against security breaches and unauthorized disclosure, and to establish best practices in recording and exchanging PHI. The following are suggested areas for hospitals to review and incorporate into their basic operations, as well as their medical staff policies or procedures:

• It is mandatory that any information rising to the level of PHI be kept in a secured environment meeting the various requirements and safeguards previously mentioned. If PHI is received from another entity or person, there must be policies and procedures in place to establish how it must be immediately designated as PHI and be secured. It is essential that hospitals conduct a thorough analysis of the risks to PHI security and privacy and continue such analysis on an ongoing basis. Additionally, providers should document the methodology chosen to address such risks and update it as necessary to keep up with ever-changing technology.
• Any transmissions of PHI using mobile devices must be through encrypted data transmission. Because most personal devices are not going to be as secure as those of the facility or medical practice, it is advisable to limit the use of personal mobile devices.
• Access by any mobile device must be restricted by password and sufficient other safeguards so the PHI may not be accessed by those who are not authorized to access it. There should be a requirement that the passwords be changed on a set time basis (e.g., every 90 days) and be of a sufficient security level to hinder attempts to obtain the password (e.g., require different types of letters, numbers and symbols in the passwords). There should also be a policy and procedure on restricting access to passwords and how the passwords are maintained.
• So as to limit the theft or loss of a mobile device, require the mobile device when not in use to be in a locked area such as an office or workstation or in a locked briefcase if the person is off-site. One should not leave a mobile device in an automobile or in a location where the device or the information may be viewable or easily stolen. An inventory of mobile devices maintained by the facility or medical practice should be kept.

Continued on page 12


