Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.
You Can Use This Privacy Breach Example to Review and Improve Your Practices
A business associate (contractor) of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia had their iPhone stolen. This iPhone contained unprotected and unencrypted Personal Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) started their investigation on April 17, 2014, and found that a total of 412 patient health records were compromised.
Protected Health Information at Risk
The data on the iPhone included security data, protected health information, social security numbers, family member contacts, treatment, and medication details.
Before a healthcare provider (also known as the custodian) authorizes the use of mobile devices to manage patient records, they must conduct a specific risk assessment to (1) determine the threats of mobile technology and (2) secure the data. Reasonable safeguards include written policies and procedures that authorize the use of mobile technology and identify the risks, as well as a mitigation strategy (including additional training to the employees using mobile technology) to ensure that they are aware of the added security risk. The incident investigation found that CHCS did not have these reasonable safeguards in place.Are you using mobile devices in your healthcare practice? This privacy breach could happen to you!Click To Tweet
The OCR fined CHCS $650,000 and imposed monitoring of the business associate and CHCS to ensure compliance with HIPAA regulations for the next two years.
Privacy Breaches – What You Need to Know
This use of mobile devices in healthcare is common and breaches are easily preventable. The following information will help you to prevent a privacy breach.
- Policies and Procedures. You need a policy that states whether or not you allow employees to use their own mobile devices at work, and if so, for what purpose(s). (This is also known as bring your own device or BYOD.) This includes texting co-workers during work hours or accessing their work email from their smart phone. If you provide mobile devices to your employees so that they can do their jobs remotely (from their home office or when attending clients away from your practice), you must also conduct a specific threat risk assessment to determine the threats of mobile technology, secure the data, and implement reasonable safeguards.
Generally, when a mobile device containing personal identifying information is lost or stolen, the device must have both a strong password protection and encryption to not be considered a breach of personally identifying information.
- Training. It is important that you provide specific training to your staff to ensure that they understand the additional specific risk of having personal information on mobile devices. Employees must know their responsibilities to protect the personal information of your patients, clients, and your practice. The custodian should keep record attendance to ensure that training is provided.
- If you have contractors, vendors, or business associates who provide services and use mobile devices, you are responsible to ensure that they also have strong policies and training or follow your policies and training. In Alberta, make sure that you have an Information Manager Agreement (required by the Health Information Act (HIA) s.66) with your contractor, vendor, or business associate.
When we know better, we can do better
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.
Jean L. Eaton, Your Practical Privacy CoachReady for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”
(7 minute video).