HIPAA Security Quick Tips
We always receive questions regarding the transmission of protected health information (PHI), especially of electronic protected health information (ePHI) on mobile devices. This article will provide some guidance on procedures that are easy to follow to ensure that the Facility is securely transmitting its PHI to the best of its ability.
Secure Transmission of PHI
ShareFile is a secure way for healthcare providers to transmit any documentation that contains PHI. If you haven’t already done so, be sure to set up a ShareFile account. PHI can be uploaded to ShareFile for safe transfer, as there are encrypted passwords for each item uploaded. While ShareFile is certainly a great system for transferring documentation, there are other ways to transmit PHI securely to other third parties. Whenever PHI is involved, all documentation that is transmitted from the Facility to a third party must be sent securely via fax, or US Mail. While some email accounts are secure, we recommend that the Facility stick to the three aforementioned methods of transmission as best practice.
Mobile Device Security
With the ever increasing influence of technology in healthcare, there is a rise in the use of mobile devices such as smart phones or tablets for communication. As with all communication of PHI, maintaining confidentiality is the key to complying with the HIPAA laws. Here are some best practices to keep in mind for securing mobile devices used to transmit or receive PHI:
Always use a password or other method of user authentication. Securing your mobile device with a password ensures that only authorized individuals have access to any information stored on the device. When assigning a password to a device, be sure it is unique to that device; it mixes upper and lower case letters, numbers and symbols; and that the password is not shared with any unauthorized individuals.
Install and enable encryption, firewalls and other security software. Encrypting information that is stored on your mobile device ensures that the data is converted into a form that cannot be read without the decryption key or password, which prevents unauthorized access to information. You should also encrypt data that is sent from your mobile device to prevent unauthorized virtual access while the data is in motion. The National Institute of Standards and Technology has released Special Publications on its website regarding encryption processes for data in motion. [1] When available, the Facility should also install firewalls and any other trusted security software, such as Norton Antivirus, on mobile devices to ensure they are protected from viruses and hacking.
Install and activate remote wiping and/or remote disabling capabilities. Many mobile devices are capable of having all stored data deleted remotely if they are lost or stolen. Enabling a ‘remote wipe’ feature on a smart phone or tablet can prevent unauthorized users from seeing any data that may have been stored on the device. This can help prevent the Facility from experiencing a HIPAA breach, since many HIPAA breaches are caused by theft or loss of a mobile device.
Protect all personal devices. Many Facility staff members use personal devices while on the job to communicate with other staff members and physicians. It is therefore hard for the Facility to ensure that all devices are properly secured. The Facility should provide staff members with information about how to protect their personal devices and require that they secure all mobile devices before using them on the job.
Know your device. Due to the variety of makes and models of mobile devices on the market, there are specific instructions on how to protect the most common types of mobile devices. Instructions should include specific procedures detailing how to encrypt, remotely wipe, and password protect most iPhone, Android and Blackberry smartphones. This information should be shared among Facility staff and physicians that the Facility regularly contacts via mobile device.
Following the best practices detailed above can help to ensure that mobile PHI is protected and private. While there is no guarantee that a HIPAA breach will never occur, it is highly necessary for every healthcare organization to go above and beyond in HIPAA safety.
References
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=906387