Tag Archives: HIPAA


Understanding the Move to Mobile and HIPAA

Five years after the Internet went live to an unsuspecting public – one that had no idea how much it would need cat videos, online shopping and binge-watching – the Health Insurance Portability and Accountability Act (HIPAA) was born in 1996. Fast forward more than 20 years and we’ve seen the birth of the smartphone, tablet and smartwatch; the rise of social media; the emergence of cloud-based hosting and data storage; and now the Internet of Things (IoT).

Translation? Healthcare information exchange can occur – and must be protected – in more ways than those early HIPAA architects ever dreamed of. The following details what HIPAA does specify, where it’s lacking, and some of the technologies and solutions that can help you stay protected.

A Brief History of HIPAA

HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the next 10+ years, HIPAA expanded to include the enactment of the Privacy, Security and Enforcement rules, which set standards for the protection, disclosure, and access of protected health information (PHI). These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence, and report breaches.

What HIPAA Has to Say About Mobile

HIPAA Journal provides a useful summary of what HIPAA does and does not mandate when it comes to mobile devices. The Security Rule requires covered entities to authenticate users before they can access, store, or transmit electronic protected health information (ePHI), and to protect ePHI against improper alteration or destruction through integrity and audit controls. It does not name specific products or technologies. Here are a few focal areas and technologies HIPAA Journal suggests for compliance on mobile:

  • Data tracking – Consider digital watermarking to trace where copies of ePHI travel.
  • Information access – Enroll and certify every device, block the transmission or download of ePHI where it is not needed, and separate work data from personal data on individually owned devices.
  • Password and public Wi-Fi security – Write policies that set password requirements and mandate a VPN for remote access.
  • App control – Limit usage to apps with vetted security controls and ensure security updates are applied.
  • Device scanning and maintenance – Install anti-malware software, run regular scans, and enable automatic security updates.
  • Data erasure – Deploy technology that allows a lost or stolen device to be wiped remotely.

Text Me, Maybe

The healthcare industry is now using text marketing automation tools, social media, chatbots, and SMS marketing tools for everything from appointment reminders to wellness engagement. Opt-out functionality is a must. Encryption is an "addressable" implementation specification under the Security Rule for ePHI both at rest and in transit: a covered entity must implement it where its risk analysis shows it to be reasonable and appropriate, or document why an equivalent alternative measure was used instead. Carrier SMS offers no end-to-end encryption and no access control on the receiving handset, so ePHI should not go out over plain text messages; a secure messaging platform is the usual answer.

One thing that’s not allowed? Texting patient orders. In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs) requirements.

Hey, You! Get on to My Cloud

HIPAA also allows cloud-based storage. The OCR issued guidance in 2016 outlining the obligations of cloud service providers (CSPs) and of the covered entities that use them; a CSP that stores or processes ePHI is a business associate and must sign a Business Associate Agreement (BAA) before any ePHI is placed with it. Google Drive is one such option. HIPAA Journal reports that Google’s BAA addresses the HIPAA Security, Privacy, and Breach Notification Rules, covering Google Drive and subcomponents such as Google Forms, which providers can use to gather and share information. The BAA does not configure anything for you: sharing settings, access reviews and audit logging remain the covered entity’s responsibility.

Left to Your Own Devices

There are four letters that might make anyone operating in the HIPAA space cringe: BYOD. It stands for Bring Your Own Device and marks a growing trend in some sectors for employees to use their own technology in the workplace. Adoption is currently higher in some other countries than in the U.S., but with personal mobile devices and the IoT entering healthcare in big ways, it’s time to at least start thinking about it. While HIPAA doesn’t speak specifically to these areas, the existing Security Rule is a good place to start and can help you create policies in such areas as:

  • Patient and guest data access
  • Network and software security
  • Email, web and medical device security
  • Workflow and information logging

Compliance: Broader than HIPAA, More Important Than Ever

Because there is much that HIPAA doesn’t specify, any organization protecting healthcare data should be aware of what other agencies are advising, including:

  • Mobile security – The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) issued 2015 guidance addressing standards for company-owned and BYOD mobile devices.
  • App development – The Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, has created a portal for app developers that addresses components of the Privacy and Security Rules, along with BAA guidance. Meanwhile, ACT | The App Association has called on the OCR to get more specific as technology grows by leaps and bounds.
  • Connecting the dots – The OCR has published a crosswalk mapping the HIPAA Security Rule to the NIST Cybersecurity Framework, which it acknowledges is more granular when it comes to outlining administrative, physical, and technical safeguards.

As healthcare innovation continues to move at lightning speed, those in the industry will remain continually challenged by the dual needs to keep up with technology while protecting patient data. Advancements shouldn’t be limited by lagging regulations, which puts healthcare providers, executives and manufacturers in a position to drive compliant solutions where federally defined standards are lacking.

Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker’s, InformationWeek and other outlets. She has spoken nationally on population health, long-term care, and been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.


Medical Tablets: Complying with HIPAA

Healthcare providers increasingly use clinical applications such as EHR, clinical decision support, order entry, radiology, laboratory and other systems. Health IT makes the medical workforce more agile, mobile and productive. Mobile devices let physicians check patient records on the go, in any location. Nonetheless, the rise of mobile technology increases the risk of data breaches. HIPAA aims to protect ePHI while still allowing hospitals to adopt new technologies and improve their efficiency and quality of care.

The Health Insurance Portability & Accountability Act (HIPAA) of 1996 is implemented, for our purposes, by two rules: the HIPAA Privacy Rule and the HIPAA Security Rule. The former establishes national standards for the protection of individually identifiable health information; the latter sets security standards for individually identifiable health information held or transferred in electronic form. The Security Rule sets out the technical and non-technical safeguards that covered entities and their business associates must implement to secure patients’ electronic protected health information (e-PHI).

Understanding HIPAA

The HIPAA Security Rule covers health plans, health care clearinghouses and health care providers that create, receive, store or transmit e-PHI, as well as their business associates. Read the Summary of the HIPAA Privacy Rule [PDF].

Under HIPAA, covered entities must:

  • Ensure confidentiality, integrity and availability of e-PHI.
  • Identify threats to e-PHI and protect against them.
  • Protect e-PHI against disclosures or impermissible uses.
  • Ensure HIPAA compliance by the workforce.

The HIPAA Security Rule requires covered entities to perform a risk assessment to determine which security measures are reasonable and appropriate for a particular organization. The assessment covers the likelihood and impact of a breach, the security measures chosen in response, documentation of those measures and the rationale for choosing them, and ongoing review so that e-PHI stays protected as the environment changes.

Safeguards

HIPAA requires organizations to implement safeguards at the administrative, physical and technical levels.

Administrative

  • Security management process – identify & analyze risks to e-PHI, implement security measures for protection.
  • Appointing a security official overseeing HIPAA compliance.
  • Information access management – limit uses and disclosures of e-PHI, granting access to data only when appropriate, to authorized personnel only.
  • Providing the medical staff with data protection training, ensuring policy compliance by the workforce.

Physical

  • Limit physical access to the facility for unauthorized individuals, yet ensure authorized access is allowed.
  • Implement device security procedures, specify proper use of devices and access to them, have policies regarding device transfer, disposal or re-use.

Technical

Health care providers must implement:

  • Access control to e-PHI for authorized personnel only.
  • Audit controls: hardware, software and procedural mechanisms that record and examine activity in systems that contain or use e-PHI.
  • Integrity controls to ensure e-PHI is not destroyed or altered improperly.
  • Transmission security measures that guard against unauthorized access to e-PHI in transit.

Features of Medical Tablets That Ensure HIPAA Compliance

So, when we talk about the features of the medical tablets that ensure HIPAA compliance, we are primarily concerned with the Technical Safeguards of the HIPAA Security Rule provisions.

Encryption

The HIPAA Security Rule lists encryption as an "addressable" implementation specification for e-PHI both at rest and in transit. Addressable does not mean optional: a covered entity must implement encryption where its risk assessment shows it to be reasonable and appropriate, and otherwise document why an equivalent alternative measure was used. In practice, encrypting e-PHI at rest is what keeps a lost or stolen device from becoming a reportable breach.

End-to-end encryption protects data in transit against interception and man-in-the-middle attacks, according to HIPAA Journal. It does nothing for data sitting on an unlocked device or in an unencrypted backup, so it complements rather than replaces encryption at rest and device access controls.

The medical tablets discussed here run Windows or Linux, which support full-disk encryption for data at rest (BitLocker or LUKS, respectively) and the installation of end-to-end encrypted communication software for data in transit. Windows medical tablets also have USB 3.0 and USB 2.0 ports, and policy can require removable media to be encrypted (BitLocker To Go) or block USB mass storage outright, just as on a managed desktop.

One of the glaring security holes in consumer-grade mobile devices is the text messaging and consumer chat apps medical staff use to communicate with patients and colleagues. Sending e-PHI over plain SMS, which is neither encrypted nor access-controlled on the receiving handset, fails the Security Rule’s transmission security standard. Consumer apps such as Skype, WhatsApp or Hangouts may encrypt messages in transit, but their vendors generally do not sign BAAs, the organization cannot audit or retain the messages, and the content lands on personal devices outside its control. Medical professionals should use a secure messaging platform with end-to-end encryption, from a vendor willing to sign a BAA and, preferably, one that cannot read message content itself.

Data Access

HIPAA requires technical policies and procedures that allow access to e-PHI by authorized staff only. Medical tablets provide access control mechanisms that support strong user authentication, and they need to be easy to use: end users tend to bypass any technical procedure they deem difficult, time-consuming, or otherwise a drag on productivity.

Multi-factor authentication on medical tablets is delivered through RFID badge readers (for example with Imprivata single sign-on), biometric scanners, and Smart Card or CAC readers; a Kensington lock slot adds physical theft deterrence but is not an authentication factor. Layered access controls reduce the risk of unauthorized data access. Provided the screen locks automatically after a short idle timeout and the disk is encrypted, staff can leave a device in a corridor or patient room for a moment without exposing confidential data.

Data Integrity

According to HIPAA, any e-PHI stored on a mobile device (or transmitted with its help) must be protected against improper alteration or destruction. Mobile devices used to store or transmit e-PHI in healthcare must therefore support auditing of access to e-PHI, including failed access attempts and any other activity that could affect data security.

Medical tablets can be configured for remote device management, giving IT admins control over the data stored on and transmitted from each device. Admins can push system and software updates and patches remotely, or troubleshoot issues without physical access to the device. They can configure the device so that a complete log of data access and failed login attempts is retained for review. They can wipe the device remotely should it be lost or stolen. They can monitor network activity and flag unusually large uploads or downloads to unfamiliar hosts.
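The two requirements above, an access log that cannot be quietly edited and a record of failed login attempts that someone actually reviews, can be met with a small amount of code on the device or the management server. The following is an added example, not code from the article or from any tablet vendor: it keeps an HMAC-chained audit log so that editing, deleting or inserting a record is detected, and runs a sliding-window check for bursts of failed logons. The per-device key, the event format and the sample events are all constructed for illustration; in a real deployment the key would be provisioned by the MDM and the latest chain MAC copied off-device so that truncating the log is also caught.

```python
"""Tamper-evident e-PHI access audit log with failed-logon burst detection.

Added example, not from the original article or any vendor's product.
Assumptions (all constructed): a per-device HMAC key provisioned by the MDM
(here a hard-coded placeholder), audit events as dicts with an ISO-8601 'ts'
field, and a made-up sample of one shift on a single tablet.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder key: in practice provisioned per device by the MDM and never
# stored beside the log it protects.
AUDIT_KEY = b"example-device-audit-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(prev_mac: str, entry: dict) -> str:
    """HMAC over (previous record's MAC || canonical JSON of this entry)."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append(log: list, entry: dict) -> None:
    """Append an event; its MAC binds it to every record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": dict(entry), "mac": _mac(prev, entry)})


def verify(log: list) -> int:
    """Walk the chain; return the index of the first bad record, or -1 if intact.

    Catches edits, deletions and insertions anywhere in the log. Truncation of
    the tail is only caught if the latest MAC is also stored off-device.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"])):
            return i
        prev = rec["mac"]
    return -1


def failed_logon_bursts(log: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Users with >= threshold failed logons inside any sliding time window.

    Returns {user: max failures seen in one window}.
    """
    by_user = defaultdict(list)
    for rec in log:
        e = rec["entry"]
        if e["event"] == "logon_failed":
            by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


# Constructed sample events: one shift on tablet TAB-017.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "device": "TAB-017", "user": "rn.jones", "event": "logon_ok"},
    {"ts": "2024-03-01T08:01:10", "device": "TAB-017", "user": "rn.jones", "event": "phi_read", "record": "MRN-4411"},
    {"ts": "2024-03-01T08:05:00", "device": "TAB-017", "user": "guest", "event": "logon_failed"},
    {"ts": "2024-03-01T08:05:20", "device": "TAB-017", "user": "guest", "event": "logon_failed"},
    {"ts": "2024-03-01T08:06:05", "device": "TAB-017", "user": "guest", "event": "logon_failed"},
    {"ts": "2024-03-01T09:30:00", "device": "TAB-017", "user": "dr.patel", "event": "logon_failed"},
    {"ts": "2024-03-01T09:30:30", "device": "TAB-017", "user": "dr.patel", "event": "logon_ok"},
]


def build_log(events: list) -> list:
    log = []
    for e in events:
        append(log, e)
    return log


def tamper_demo() -> tuple:
    """(verify before, verify after) once someone rewrites which chart was read."""
    log = build_log(SAMPLE_EVENTS)
    before = verify(log)
    log[1]["entry"]["record"] = "MRN-9999"   # attacker edits the access record
    return before, verify(log)


if __name__ == "__main__":
    print("chain check (before, after tamper):", tamper_demo())         # (-1, 1)
    print("failed-logon bursts:", failed_logon_bursts(build_log(SAMPLE_EVENTS)))  # {'guest': 3}
```

The chain MAC is the part that satisfies the integrity control: an admin with write access to the log file can still change it, but not without the next verification run pointing at the exact record that was touched. The burst check is deliberately per-user and windowed rather than a raw count, because a clinician mistyping a password once a day is noise while three failures in a minute against a shared "guest" account on a tablet in a corridor is the event worth paging someone for.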

IT admins can block or disable certain OS features and whitelist or blacklist programs to protect the confidentiality of e-PHI from inadvertent exposure by end users. For example, disabling automatic connection to any available Wi-Fi network keeps devices off insecure public networks.

From ad-blocking browser extensions to host firewalls and application sandboxing, Windows supports the range of security measures an IT admin would expect to deploy on a managed device, and Windows 10 advanced those features further.

Windows also makes enterprise password managers straightforward to deploy, since most of them are built for it. Administrators can disable access to the app store so that users cannot download and install unauthorized applications or games, or go further and allow only an approved list of applications to run and reach the Internet (AppLocker or Windows Defender Application Control on Windows).

Medical tablets give admins the means to scan them for malware and other malicious code, install antivirus, and run both scheduled and random scans. When an employee leaves or is terminated, admins can promptly revoke that person’s access to PHI and their device credentials.