With the widespread adoption of mobile devices in the behavioral health space, it is important to be cognizant of how mobile device use can affect client or patient privacy and your organization’s overall security. HIPAA security now is more stringent than it was in 1996 when it was first released at the federal level. Guidance tips on mobile device security and HIPAA compliance are provided below.
Mobile Device Security Tips
The HIPAA Security Rule poses unique challenges to the average clinician. When using mobile devices in a healthcare setting, whether to treat patients virtually through telehealth sessions or to access or disclose protected health information (PHI), it is important to consider the security implications of doing so. Implementing adequate mobile device security can make all the difference to overall HIPAA compliance, because nonsecure mobile devices pose very specific risks to PHI.
There are several ways in which mobile device security can be improved to ensure the privacy, integrity, and availability of PHI. While most professionals understand privacy, they may not realize that privacy has to do with the client or patient’s right to remain in control of their data. On the other hand, confidentiality refers to the clinician’s duty to protect the client’s or patient’s right to privacy. To offer confidential services, it is the clinician’s duty to suggest and use technology that protects privacy. Integrity has to do with the correctness of the data collected. Take, for example, a field that collects weight; if that field gets corrupted and the digits for weight are accidentally inserted into the field for medication dosage, prescribers could be relying on information that lacks integrity and therefore make erroneous decisions about future prescriptions.
Implement Advanced Security Measures
Mobile devices are inherently less secure than a computer or laptop. However, certain features can be enabled to make them more secure.
- User authentication: many mobile applications that have access to sensitive data give users the option to require two-factor authentication (2FA). 2FA requires users to input a username and password, combined with another unique login credential, to be permitted access to the application. In most cases, 2FA has to be enabled by the end-user.
- Advanced password protections: when using a mobile device to access PHI, it is important to enable advanced passwords. Standard numerical passcodes can be easily guessed by automated tools that simply try number combinations one after another until one unlocks the device. That’s why the more secure sites allow only a few login attempts before freezing access; the user is then required to either call the company in question or wait a designated number of minutes before making another login attempt. As a clinician, then, you would be correct in educating your clients and patients to use not only a combination of letters and numbers (alphanumeric), but symbols (e.g., @, $, %, ^, &) as well in their passwords.
- Device auto-locking: to prevent unauthorized access to PHI, users should enable mobile device auto-locking. This can be easily done by changing the mobile device screen lock settings. What is mobile device auto-locking? iPads and iPhones will automatically lock and return to the lock screen after being idle for two minutes. Android phone users will experience mobile device auto-locking through an accelerometer that automatically detects whether the device is in the user’s hand or pocket. If the phone is not moving in space, it locks. Some users change the settings to disable auto-locking but may be unaware that if their phone contains private health information, it can be compromised.
- Device wiping: within a mobile device’s settings, users can enable auto device wiping after a certain amount of failed passcode attempts. Devices can also be configured so that users can remote wipe a device should it be lost or stolen.
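The failed-attempt lockout and auto-wipe behavior described in the two bullets above, as an added illustration that is not part of the original article. The policy values (a lock after every 5 failed attempts, escalating from 1 minute, and a wipe after 10 consecutive failures) are constructed assumptions, not any vendor’s defaults.

```python
"""Passcode-attempt policy: lock after repeated failures, wipe after too many.

Added example with assumed policy values; the OS-specific settings the
article mentions are configured in the device, not in code like this."""
import hmac
from dataclasses import dataclass, field


@dataclass
class AttemptPolicy:
    attempts_before_lock: int = 5   # assumed: lock after every 5 failures
    base_lock_minutes: int = 1      # assumed: first lock lasts 1 minute
    wipe_after_failures: int = 10   # assumed: wipe after 10 failures in a row


@dataclass
class DeviceLockState:
    policy: AttemptPolicy = field(default_factory=AttemptPolicy)
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # timestamp (seconds) before which attempts are refused
    wiped: bool = False

    def attempt(self, passcode: str, correct: str, now: float) -> str:
        """Try a passcode at time `now`; return 'ok', 'denied', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"  # still inside the freeze window, guess is not even checked
        # Constant-time comparison so timing does not leak how many characters matched.
        if hmac.compare_digest(passcode.encode(), correct.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.wipe_after_failures:
            self.wiped = True  # data is gone; a backup (see the cloud section) is the only recovery
            return "wiped"
        if self.failures % self.policy.attempts_before_lock == 0:
            # Each lock round doubles the wait: 1, 2, 4 ... minutes.
            rounds = self.failures // self.policy.attempts_before_lock
            minutes = self.policy.base_lock_minutes * 2 ** (rounds - 1)
            self.locked_until = now + minutes * 60
            return "locked"
        return "denied"


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of possible passcodes: why a 4-digit PIN is guessable and an
    8-character alphanumeric-plus-symbols password is not."""
    return alphabet_size ** length
```

Because guesses are refused during the freeze window, an automated guesser that could otherwise run through all 10,000 four-digit PINs in seconds is slowed to a handful of tries per lock round, and the wipe ends the attempt entirely.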
Use a HIPAA Compliant Cloud Data Backup
Backing up data prevents the loss of data should a mobile device be lost or stolen. Cloud backup solutions make it easy for users to back up their data automatically; however, when the device has the potential to access PHI, the cloud data backup provider used must be HIPAA compliant. HIPAA compliant cloud solutions have security protocols in place to limit access to sensitive data and will sign a business associate agreement (BAA). The willingness to sign a BAA is essential for HIPAA compliance, and providers that are unwilling to do so cannot be used to store PHI.
On the other hand, one doesn’t have to worry about HIPAA if the PHI is stored on a thumb drive or backup drive attached to their computer and if files containing PHI are stored exclusively on that device. Then, when the computer is returned for repair or brought to a shop, the clinician can simply unplug their in-office storage device and be worry-free. Of course, in some states, those storage devices and computers containing PHI must be locked. Reading and understanding the rules of your profession at the state level is essential for each state served.
Keep Software Up-to-date
Mobile device and app developers often issue software updates to address known vulnerabilities in the software. When users fail to install updates as they become available, their mobile device security is at risk. HIPAA security now involves keeping software up-to-date to prevent the device from being hacked. Working with your client or patient to make sure they have updated their software need not be a lengthy discussion. Rather, mentioning the need to do so and noting it in your session notes is wise. In some cases, your client or patient may need and will ask for more direction. You may need to have useful resources available to help them update their systems as needed. Also, remember to keep your own software up-to-date.
Don’t Use Public Wi-Fi
Public Wi-Fi should never be used when using any device to access PHI. When multiple people connect to a network, those people present a risk to the network’s security. For example, if a behavioral health provider accessed an EHR platform using a public Wi-Fi connection, and someone else who was also connected to the public Wi-Fi accessed a malicious site, a hacker could gain access to the provider’s EHR through the network. When accessing any sensitive data, it is important to be connected to a secure private network. Guidelines issued by some associations are very helpful in this regard. See Release of New NASW Standards for Technology for details.
Also, if your client or patient is unaware of how to make their device HIPAA-secure, you may want to discourage them from using the public Wi-Fi made available when visiting their dentist’s office, their local coffee shop, or any other public area. While these free Wi-Fi systems are offered by many health professionals for patients, if you inquire, they will tell you that their systems are not HIPAA-compliant. See Staying Secure on Public Wi-Fi Networks for more information.
Implement a BYOD Policy
A BYOD policy, or a Bring Your Own Device Policy, dictates when it is and isn’t appropriate to use a personal device for work purposes. It also determines what security measures are required to be implemented on a mobile device before accessing sensitive data. This policy statement can be included in your agreements with employees and subcontractors as well as in the informed consent with clients and patients.
Conduct Your Own HIPAA Risk Assessment
HIPAA requires formal and regular risk assessments of all your devices, including your mobile devices. Read more about HIPAA Risk Assessments and the free HIPAA risk assessment tool to complete this task quickly and easily. You may also be interested in Telehealth.org’s blog post about a useful HIPAA Risk Assessment Template.
Train Employees on Mobile Device Policies
HIPAA compliant mobile device usage ultimately comes down to how the end-user uses the device. This is why it is so important to train employees on mobile device best practices. It is also important to document these in-house trainings in your HIPAA Compliance documentation, maintained by your HIPAA Compliance Officer (who can be YOU if you are the practice owner).
- To see how many and which professionals have failed a HIPAA audit by the Office for Civil Rights and been disciplined for making at least one of the mistakes listed above, visit the HIPAA Wall of Shame, which publicly announces the identity of the group involved, their address, state, the type of infraction, and the monetary fines imposed. See more here: HIPAA Wall of Shame.
- Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today.
- For HIPAA training that offers CME or CE hours for your efforts, you may want to take Telehealth.org’s Basic Telehealth Legal Issues on-demand course, which covers HIPAA in detail.