Use of personal devices (BYOD) is now commonplace in healthcare – as most physicians and healthcare workers use their personal devices for sharing patient information, checking dosage, authorizing prescriptions, or texting other physicians about patient care. The upside of a well implemented BYOD program is great. If implemented in a compliant manner, BYOD and health apps can result in improved patient care, engagement and overall satisfaction. For example, a research article from Health Management Technology reported that health apps can save doctors up to 20 minutes per day – the equivalent of two additional patients – improving practice revenues, patient care, responsiveness, and reducing wait times.
However, BYOD does not come without risks – as lost, stolen, or compromised devices make up a disproportionate amount (about 40% according to MD News) of reported breaches and HIPAA settlements involving the Department of Health and Human Services (HHS). So, to put it bluntly, misunderstanding HIPAA regulations or improperly deploying a BYOD program for your organization can result in very costly fines – ranging from $100 on the low end to up to $1.5 million in a year for willful neglect without corrective action.
But what does HIPAA really state about BYOD devices and compliance relating to iPhones, iPads, Androids or tablets? What about healthcare apps like Medscape, Kidspeak, HEP iChart, IntensiveMCQ, or online fax apps? Are they compliant? Unfortunately, the HIPAA Security rule, written in 2003 – before many of these devices and apps existed - doesn’t specifically address BYOD or Apps. The lack of specific guidance on BYOD and applications adds to the complexity of implementing BYOD and fosters some common misconceptions – many of which could lead to your organization being exposed to data breach by careless employees or cyber criminals.
As part implementing Best Practices for your organization’s BYOD program, a periodic review of safe and compliant use of BYOD applications and clarification of any misconceptions about application use – such as mobile faxing, texting or eprescribe – should be addressed.
You can learn more about some BYOD Best Practices, misconceptions, and HIPAA-compliant mobile faxing in healthcare during our Webinar next week – on Thursday, June 25th at 11 am PT/2 pm ET. Reserve your seat here!
Some common misconceptions about BYOD, Mobile Apps and HIPAA:
- We use medical apps that are HIPAA compliant – therefore we’re compliant.While that statement may hold true, simply contracting with a third party provider or app software developer that says it is ‘compliant’ and has signed a BAA does not equate to having policies, procedures and robust security in place. You should fully vet any third party vendor to understand how they comply and how their software or application helps you manage toward HIPAA Compliance. It’s important to remember that a BAA does not shift liability away from a healthcare provider to the BA. It is a shared responsibility and, therefore, both parties may be liable for breach of patient data. It’s just as important to instill a common sense approach with your employees – such as not leaving ePHI on devices that are not protected and encrypted, or use of public Wi-Fi for example.
- We don’t need to fax documents anymore – we can just email them to the clearinghouse or pharmacy. Simply scanning documents on multi-function devices and sending them over the Internet may expose ePHI to would-be cyber criminals – especially if encryption is not enabled. This would also put you at risk with the Security Rule (Encryption of data at rest and in-motion: 45 CFR 164.312(a)(2)(iv); and the encryption of data transmitted over an electronic network: 45 CFR Part 164.308(e)(2)(i)).
- If an employee accidentally loses a mobile device or tablet (example: leaving a BYOD device with ePHI on it at a public coffee shop) then the covered entity is not liable. Not true. A major pharmacy recently had to settle a suit with HHS due to an employee who willingly breached ePHI records of a patient for whom they had no reason to review. Even though the employee broke company policy by doing this, the business was held liable.
Once a company implements a BYOD policy they are HIPAA compliant. While many covered entities implement strong security measures and best practices to protect patient data and ePHI accessed through BYOD, research shows that security may still be taking a back-seat to convenience. According to Physicians Practice, a study from Cisco IT channel firms shows that 89% of healthcare workers use personal smartphones for work, but that a staggering 41% of employees’ personal mobile devices are not password protected, and 53% access ePHI via unsecured public Wi-Fi networks. It should not be assumed that employees will understand the regulations or what they should do or not do – best practices must be taught and enforced as part of a holistic BYOD program.