A trip to the doctor has become a lesson in technology for many of us. Computerized instruments are used constantly, doing everything from reading a patient’s optical prescription by measuring the eyeball to taking pulse and blood pressure at the same time in just a few seconds. It is no surprise that mobile devices like tablets and smartphones have found their way into the healthcare industry. Once considered a luxury, mobile devices are now the norm in many hospitals and practices. Physicians and staff use tablets and smartphones to help with diagnostics, patient education, and medical reference. Many are even able to access their EMR systems through their devices. With this new trend in technology comes an obvious pitfall: protecting patient data. Taking steps to safeguard PHI is a vital part of any practice that allows mobile devices to be part of patient care.
In 2007 Apple released the first iPhone, and the iPad debuted in 2010. Various statistics show that as many as 80% of healthcare providers now use mobile devices at work. Recently, HealthIT.gov has provided guidance on using mobile devices in the medical workplace. The number one way to protect PHI? Encryption. Encryption transforms stored or transmitted data so that it is unreadable unless the device or computer holds the key needed to decrypt it. It is absolutely imperative to have encryption in place any time a mobile device is used for PHI. Anything less is not HIPAA compliant. The best guide for encryption is the Federal Information Processing Standards Publication for Computer Security (FIPS 140-2), the federal standard for cryptographic modules issued by the National Institute of Standards and Technology (NIST). Though it is not specifically intended for HIPAA, it is thorough and is used by both government and private entities.
Using a password or authentication process on your mobile device is also important. As with any password protection, it is best to use a letter-number combination that is easy to remember but hard to guess. Another important step is to make sure that the device locks itself after a short period of inactivity and that the password is required to unlock it again. While it seems obvious, one mistake people often make is storing the password on the device itself. Never keep a list of passwords on your phone or tablet, and be sure to change the password every quarter.
The last thing to consider is avoiding storing any data on the device. Different practices and offices have different rules on this. Some allow a certain amount of storage before it must be backed up. Others allow none, requiring that all information be transferred off the device before it leaves the premises. No matter what, it is essential that any device used with PHI can be locked or wiped remotely. This matters in the case of theft or loss. Any time a phone is stolen or lost it is a HIPAA issue and must be reported.
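The three safeguards above (encryption at rest, a letter-number passcode with auto-lock and quarterly rotation, and remote lock/wipe with little or no PHI left on the device) are the kind of rules a practice can check against its device inventory rather than trust to memory. The following script is an added example, not code from the original article or from any MDM vendor: it defines those rules as thresholds, audits a small constructed inventory (the `Device` fields, device names and the `TODAY` reference date are all assumptions for the example, not real MDM output), and reports which devices fall short of the policy.

```python
"""Audit a constructed mobile-device inventory against the safeguards above.

Every record, field name and threshold here is an assumption for the example;
a practice would pull these attributes from its own MDM console and set its
own limits in its mobile-device policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Policy thresholds (assumed values for this example).
MAX_AUTOLOCK_SECONDS = 300      # device must lock after at most 5 minutes idle
MAX_PASSCODE_AGE_DAYS = 90      # "change the password every quarter"
MIN_PASSCODE_LENGTH = 8
MAX_LOCAL_PHI_MB = 0.0          # strictest option: nothing stays on the device


def passcode_meets_policy(candidate: str) -> bool:
    """Check a candidate passcode at the moment it is being set: long enough and
    a mix of letters and digits. The passcode itself is never written to the
    inventory, matching the rule of not storing passwords on the device."""
    return (len(candidate) >= MIN_PASSCODE_LENGTH
            and any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate))


@dataclass
class Device:
    """One row of the constructed inventory: the attributes an MDM console
    typically reports about an enrolled phone or tablet (assumed field names)."""
    name: str
    owner: str
    encrypted: bool             # data-at-rest encryption switched on
    passcode_set: bool
    autolock_seconds: int       # 0 means the screen never locks on its own
    passcode_changed: date      # when the passcode was last rotated
    remote_wipe_enrolled: bool  # can be locked or wiped from the console
    local_phi_mb: float         # PHI cached on the device, in megabytes


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the list of policy findings for one device; empty means compliant."""
    findings: List[str] = []
    if not dev.encrypted:
        findings.append("encryption at rest is disabled")
    if not dev.passcode_set:
        findings.append("no passcode configured")
    if dev.autolock_seconds == 0 or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append(f"auto-lock must trigger within {MAX_AUTOLOCK_SECONDS}s of inactivity")
    if today - dev.passcode_changed > timedelta(days=MAX_PASSCODE_AGE_DAYS):
        findings.append(f"passcode older than {MAX_PASSCODE_AGE_DAYS} days")
    if not dev.remote_wipe_enrolled:
        findings.append("not enrolled for remote lock/wipe")
    if dev.local_phi_mb > MAX_LOCAL_PHI_MB:
        findings.append(f"{dev.local_phi_mb} MB of PHI stored locally")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device name -> findings for every device that is not compliant."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory and reference date (not real devices or data).
TODAY = date(2013, 1, 24)
SAMPLE_INVENTORY = [
    Device("ipad-exam-1", "Dr. A", True, True, 120, date(2012, 12, 1), True, 0.0),
    Device("iphone-frontdesk", "Front desk", False, True, 600, date(2012, 6, 15), True, 12.5),
    Device("tablet-loaner", "Loaner pool", True, False, 0, date(2012, 11, 30), False, 0.0),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
```

Run as a script it lists only the two non-compliant sample devices with their findings; `passcode_meets_policy` is meant to be called once when a passcode is chosen, so that the audit never needs the passcode itself.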
According to a report issued by KLAS, almost every major EMR vendor has physicians who access information through their mobile devices. Apps exist for everything from accessing lab results and calculating medication doses to looking up drug interactions and anatomical diagrams. It is unrealistic to ban the use of mobile devices in a healthcare practice. Instead, it is important to ensure that they are being used responsibly. Following these basic safeguards will keep the practice HIPAA compliant and allow providers to use technology to its fullest.
Jackson and Coker Research Associates. (2011). Special Report: Apps, Doctors and Digital Devices. Jackson and Coker Industry Reports. (Retrieved December 24, 2013.)
Mobile Device and Privacy and Security. (n.d.). HealthIT.gov. (Retrieved January 24, 2013.)
Westerlind, Erik. (October 9, 2012). Mobile Healthcare Applications: Can Enterprise Vendors Keep Up? KLAS. (Retrieved January 24, 2013.)