Misconceptions Companies Have About BYOD Compliance — and 10 Best Practices for Managing Mobile Devices in the Workplace
In our latest webinar, “HIPAA-Compliant Faxing in a BYOD World,” eFax Corporate® discusses several of the act’s vaguely written guidelines governing data privacy — and how these guidelines affect electronic protected health information (ePHI) on mobile devices. (Reserve Your Seat for the Re-broadcast of the Webinar.)
We point out, for example, that many healthcare providers increasingly rely on medical apps on mobile devices to get their jobs done. But under what circumstances does storing, transmitting or displaying ePHI on a mobile device meet HIPAA’s standards? Under what circumstances does it fall short of compliance? What if a healthcare firm places encryption software on its staff’s devices (definitely a move in the right direction from a regulatory standpoint), but then a physician or nurse reviews ePHI on their mobile device in a public place in plain sight of others?
5 common misconceptions about BYOD compliance
Because components of federal acts such as HIPAA are open to interpretation, several misconceptions about them have taken hold across the IT community. Among them are erroneous beliefs about how these regulations govern electronic protected health information (ePHI) and other confidential data on employees’ mobile devices. Here are some of the most typical misconceptions.
- We use leading medical apps to view ePHI on our smart phones, and those apps are probably HIPAA compliant.
There’s no place for “probably” in any IT discussion about HIPAA or a business’s corporate governance policies as they relate to confidential data.
An organization needs to be certain that the applications it uses to share and store ePHI do in fact meet regulatory requirements.
- Our doctors are very careful about how and where they share patient data, so we’re HIPAA compliant.
Nowhere in HIPAA’s hundreds of pages does the act spell out exactly which solutions or products care providers, practices or clearinghouses must employ when handling patient data on electronic devices.
Rather, the act outlines several specific protection methods. For example, HIPAA’s Technical Safeguards Rule, 45 CFR § 164.312(a)(2)(iv), states that a covered entity must “implement a mechanism to encrypt and decrypt electronic protected health information.” This is especially important if this data is sent over a public network, which in many cases it is.
This means it doesn’t matter how thoroughly a healthcare firm’s staff is trained in handling ePHI. If, after conducting a Risk Analysis, a provider finds that ePHI on its network, laptops or BYOD devices would be at risk of breach, that entity could find itself on the wrong side of HIPAA, especially if ePHI was not encrypted and a breach occurred.
- We ask our staff to password-protect the mobile devices they use for work purposes. We’re HIPAA compliant.
Password-protecting mobile devices is certainly a positive step toward meeting regulatory requirements, but HIPAA demands the protection and confidentiality of patient data at all times.
What happens if a doctor is reviewing a patient record or email on a tablet or smartphone in a restaurant, and then steps away from the table and leaves the screen displaying this ePHI? Implementing controls such as passwords is necessary, yes, but on their own they will not make an entity HIPAA compliant.
A best practice is to combine encryption and password protection with remote-wipe capability and screen-lock timeouts — a much stronger and more layered approach to security and HIPAA compliance.
- We’re compliant for sure, because the vendor that handles our data storage signed a Business Associate Agreement (BAA).
This misconception presents two problems. First, because of HIPAA’s complexity, it is possible that even an honorable vendor might misinterpret its service as it relates to HIPAA — and advertise that it is in compliance when in fact it isn’t.
Second, even if a vendor signs a BAA, that means only that the client and vendor share responsibility for regulatory compliance — not that the responsibility has shifted completely to the vendor. It’s a shared responsibility!
- Our corporate policy is to protect patient information — even on mobile devices — and that puts us in compliance with HIPAA.
Yes, protecting patient information is a smart policy — but HIPAA enumerates specific Administrative, Physical, Technical and Organizational safeguards that employees should be trained on; retraining every six months is a good best practice.
Just because your practice or organization has completed an Attestation and Meaningful Use phase, that doesn’t mean you can just check the box — “We’re HIPAA-compliant” — and forget about HIPAA. Keeping a business in line with federal regulations governing data privacy is an ongoing, never-ending reality, not a task to complete.
10 best practices for protecting ePHI on staff’s mobile devices
Those common misconceptions might make it appear as though it’d be extremely difficult for any entity to stay on the right side of HIPAA. But, there are methods that can make regulatory compliance a much more achievable goal.
Here is a list of best practices for building a Mobile Device Management program that eFax Corporate has compiled from several sources — including the news journals HealthITSecurity [1] and Becker’s Health IT & CIO Review [2], and the mobile security firm SecureEdgeNetworks [3].
These steps are designed to protect a business’s data, give employees a clear set of procedures and guidelines for handling this data both inside and outside of the corporate firewall — and to significantly improve a business’s overall compliance.
- Create clear, concise and comprehensive policies regarding ePHI — and disseminate them company-wide.
- Create a list of the devices (and/or operating systems) your organization will allow staff to use for work and to access ePHI.
- Make sure your ePHI data is secure “at rest” as well as in transit.
- Install and regularly update virus-protection software on all of your staff’s mobile devices that access or store ePHI.
- Train all healthcare providers and other staff in the secure and compliant use of ePHI on any device in any location.
- Employ the strongest encryption available for all ePHI wherever it is transmitted, shared or stored, such as TLS for data in transit.
- Require that your staff enable password protection on all mobile devices that access ePHI.
- Deploy next-gen security technologies such as IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems) and firewalls, which can help protect against APTs (Advanced Persistent Threats) such as new malware.
- Implement biometric authentication, such as fingerprint readers, on portable devices that access ePHI.
- Deploy a Mobile Device Management platform across the company — including tracking and remote wiping of any device that is lost or stolen, along with automatic backup of device data.
Move to a cloud solution that supports HIPAA-compliant faxing on any mobile device
One more suggestion for bringing a business into better alignment with HIPAA guidelines: switch to a cloud faxing model that offers HIPAA-compliant electronic faxing from anywhere — computers, mobile devices and even integration with existing multifunction devices.
The best way to do this is to trust the world’s #1 online secure fax service, eFax Corporate®, often complemented by eFax Secure™. eFax Corporate, part of j2 Global®, Inc., is entrusted every day to transmit millions of pages of sensitive corporate documents by businesses in the most heavily regulated industries. Our proven process helps enterprises meet the strictest federal mandates regarding secure data transfer, tracking and storage.
2. Becker’s Health IT & CIO Review: