Healthcare Providers May Violate HIPAA[1] by Using Mobile Devices to Communicate with Patients
By Catherine Barrett, Federal Working Group, Washington, DC[2]
Communicating with patients using mobile devices such as BlackBerry, iPhone, iPad, or Android phones is a fast-growing trend among healthcare providers.[3] A recent survey of almost 3,800 physicians estimates that “83% of physicians own at least one mobile device and about one in four doctors are "super mobile" users who leverage both smartphones and tablet computers in their medical practices.”[4] As patients and clinicians increasingly use mobile devices to communicate with each other, the trend raises concerns about the security of protected health information (“PHI”).[5] This article focuses on the security issues raised by the electronic transfer of PHI between healthcare providers and patients, and on how those issues may run afoul of the HIPAA Security Rule.
The Use of Mobile Devices to Exchange PHI Triggers the HIPAA Security Rule.
According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic protected health information (“ePHI”) that is “created, received, used, or maintained by a covered entity.”[6] Unauthorized disclosure of PHI is a risk because a mobile device stores data on the device itself in one of two places: (1) in its internal (“onboard”) memory; or (2) on a removable SIM card or memory card.[7] A mobile device used to exchange ePHI therefore retains a copy of that data, and a copy on removable media can be read simply by moving the card to another device. In addition, many mobile devices do not restrict access to stored data through encryption or authentication unless those features are deliberately turned on. Covered entities must therefore be aware of the security risks particular to using mobile devices to exchange ePHI.
Mobile devices are particularly vulnerable to loss and theft because of their small size and portability. Theft of a mobile device is the most common form of security breach: a recent survey of 600 U.S. hospital executives, physician organizations, health insurers, and pharmaceutical/life sciences companies found that theft accounted for 66 percent of reported data breaches over the past two years.[8] Mobile devices are small, light and highly visible to would-be thieves looking for an opportunity to take a phone left behind in a public space, such as a restaurant.
In addition, clinicians are far more likely to use their own personal phones and tablets, rather than employer-issued devices, to access and exchange ePHI than they are with laptops and PCs. An estimated 81 percent of 2,041 physicians surveyed use personal mobile devices, whether a BlackBerry, Android or iPhone, to access ePHI such as patient records.[9] Using mobile devices to access ePHI raises several risks for health care providers:
- Authentication – Mobile device users often do not set a passcode or use biometric identification to unlock the device. Without authentication, anyone who picks up the device can read any ePHI stored on it.
- Encryption – Data stored on personal mobile devices is typically not encrypted. Thus, ePHI stored on a mobile device could be retrieved and shared by anyone with access to the device or its storage media.
- Wi-Fi Connection – Mobile devices that send and receive information over public Wi-Fi or other unsecured networks risk exposing ePHI to anyone else on the same network. Unless the user transmits data only to web sites served over HTTPS, or connects through a VPN (“virtual private network”), which encrypts traffic between the mobile device and the VPN endpoint, there is a risk ePHI could be intercepted.[10] Note that a VPN protects only the path to the VPN endpoint; traffic that continues beyond it still needs its own encryption.
The HIPAA Security Rule allows healthcare providers to communicate electronically with patients, such as through email, but requires covered entities to “apply reasonable safeguards when doing so.”[11] Importantly for healthcare professionals and their employers, the Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”[12] Issues regarding each type of safeguard as it applies to mobile devices are summarized below.
Administrative Safeguards: Administrative safeguards “provide management, accountability and oversight structure for covered entities to ensure proper safeguards and policies and procedures are in place” to protect ePHI.[13] Administrative safeguards include, but are not limited to, the following:
- Conducting periodic risk assessments of mobile device use, including an assessment of whether personal mobile devices are being used to exchange ePHI and whether proper authentication, encryption and physical protections are in place to secure that exchange;
- Establishing an electronic process to ensure that ePHI is not destroyed or altered by an unauthorized third party;[14]
- Establishing processes and procedures to appropriately protect ePHI in a mobile device environment, including encryption and security breach protocols for mobile device use, among others;[15]
- Training clinicians on the processes and procedures to follow when using mobile devices to access ePHI, and educating them on the risks of data breaches, HIPAA violations and fines.
Physical Safeguards: It is important to provide physical safeguards for ePHI stored on and exchanged by mobile devices. In less than two years, from September 2009 through May 2011, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) reported “116 data breaches of 500 records or more from the loss or theft of a mobile device, exposing more than 1.9 million patients' PHI.”[16] Typical steps healthcare providers take to safeguard mobile devices include:
- Keeping an inventory of personal mobile devices used by healthcare professionals to access and transmit ePHI;[17]
- Storing mobile devices in locked offices or lockers;
- Installing radio frequency identification (“RFID”) tags on mobile devices to help locate a lost or stolen device (RFID tags are short-range, so they mainly help track devices within a facility; a device lost off-site must be located through its own location services); and,
- Using remote management tools to lock, and if necessary wipe, a lost or stolen device before its data can be read.
Technical Safeguards: Technical safeguards, such as encryption, can protect ePHI transmitted between healthcare provider and patient. Technical safeguards are the “automated processes used to protect data and control access to data.”[18] Examples of technical safeguards for mobile devices include, but are not limited to, the following:
- Installing anti-malware software on mobile devices and keeping it regularly updated;
- Installing firewalls where appropriate;
- Applying encryption to ePHI and its metadata;[19]
- Establishing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy and continued access to electronic health information;
- Adopting biometric authentication tools to verify that the person using the mobile device is authorized to access the ePHI; and,
- Ensuring mobile devices communicate over HTTPS (Hypertext Transfer Protocol Secure), as banking and financial sites do, which both encrypts the connection and lets the device verify the identity of the web server through its certificate. That verification only helps if the app or browser actually checks the certificate; an app that suppresses certificate errors gives up server identification while still appearing to use HTTPS.
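The last item is easy to get wrong in practice: an application can use HTTPS and still accept any server certificate. The following example, added here and not part of the original article, uses Python's standard-library ssl module to show a client TLS configuration that encrypts but does not identify the server, a hardened configuration that does, and an audit routine that reports which expectations each one fails. The helper names (insecure_context, hardened_context, audit_context) are this example's own; nothing here is drawn from the article or from any particular mobile application.

```python
import socket
import ssl

# Added illustration. The ssl module is Python's standard library; the helper
# names below are this example's own and do not come from the article.


def insecure_context() -> ssl.SSLContext:
    """A client context that encrypts traffic but never identifies the server.

    This is the common "ignore certificate errors" shortcut: the connection
    still looks like HTTPS, but any server (including an attacker on the
    same Wi-Fi network presenting a self-signed certificate) is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, checked or not
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client context that verifies the server against the system CA store,
    matches the certificate to the requested hostname, and refuses TLS < 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets check_hostname = True and
    # verify_mode = CERT_REQUIRED; stated explicitly so the audit is obvious.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of ways a client context fails to provide the
    encrypted, server-identifying connection the article calls for.
    An empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) also compares as "below 1.2".
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def connect(host: str, ctx: ssl.SSLContext, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection using the given context (requires network access).

    With hardened_context() this raises ssl.SSLCertVerificationError if the
    server's certificate is untrusted or does not match `host`; with
    insecure_context() the same connection silently succeeds.
    """
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Running the block prints the audit findings for each context; the insecure one is reported for skipping certificate verification and hostname matching, the hardened one passes. The connect() helper is the only part that needs a network and is not exercised by the audit.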
Clinicians and patients alike will continue to use mobile devices to communicate with each other, and the exchange of ePHI over them is likely to keep growing. Mobile devices offer healthcare providers a convenient, user-friendly way to communicate with their patients and access health records. For covered entities, the trend towards greater use of mobile devices to exchange ePHI is of concern because the HIPAA Security Rule specifies that covered entities are “accountable for the actions of their workforce.”[20] Thus, it is important for covered entities to identify and establish administrative, physical and technical safeguards to protect ePHI.
Notes
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
Catherine Barrett is a principal consultant at the Federal Working Group in Washington, DC and is a policy fellow with the e-Health Initiative, a nonprofit representing private and public sector stakeholders committed to improving healthcare through the use of Health Information Technology (“HIT”). She received her JD and MBA from American University Washington College of Law and Kogod School of Business, respectively. She is currently working with federal clients to help implement the Patient Protection and Accountable Care Act. She is also enrolled in the George Washington University School of Medicine, Public Health and Health Services graduate certificate program in Health Information Privacy and Security. She may be reached at email@example.com.
A “health care provider” includes doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies, among others, that transmit any information “in electronic form in connection with a transaction for which HHS has adopted a standard” (Public Law 104-191), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html (last accessed September 22, 2011).
QuantiaMD is an online physician-to-physician learning collaborative where 1 in 6 U.S. physicians engage, share, and learn from experts and each other, free of charge.
Protected health information (“PHI”) refers to individually identifiable information created or received by a healthcare provider regarding the physical or mental health of any individual that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. See Public Law 104-191, Title II, Subtitle F, Part C, §1171, available at http://aspe.hhs.gov/admnsimp/pl104191.htm (last accessed September 22, 2011).
The HIPAA Security Rule applies only to “covered entities”. Covered entity refers to: (1) a health plan; (2) a health care clearinghouse; (3) a healthcare provider, which includes any provider of medical or other health care services or supplies that transmits any health information in electronic form in connection with specific transactions. For more information about who is a covered entity under HIPAA, see http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.
Center for Democracy and Technology, “HIPAA Security Rule Compliance When Communicating with Patients Using Mobile Devices”, (January 2011), http://www.projecthealthdesign.org/media/file/Mobile-Device-Privacy-and-Security-Webinar-Slides-012511.pdf, (last accessed on September 30, 2011).
Health Research Institute, PWC, Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground, (2011), http://pwchealth.com/cgi-local/hregister.cgi?link=reg/old-data-learns-new-tricks.pdf, (last accessed September 30, 2011).
Pamela Lewis Dolan, Doctors driving IT development with their mobile technology choices, amednews.com (May 23, 2011), http://www.ama-assn.org/amednews/2011/05/23/bisb0523.htm.
“The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (March 2010), available at this link (last accessed on September 21, 2011). See also 45 C.F.R. § 164.530(c).
See HHS Office for Civil Rights, Health Information Privacy: The Security Rule, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html (last accessed September 14, 2011).
Marisa Torrieri, Lowering Mobile Device Security Risks for Patients, Physicians Practice (July 21, 2011), http://www.physicianspractice.com/mobile-health/content/article/1462168/1911474.
Rebecca Herold, 10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance, MobileHealthcareToday.com (May 25, 2011), http://www.mobilehealthcaretoday.com/webinars/2011/06/risk-reducing-actions-for-mobile-hipaa-and-hitech-compliance.aspx?cmpid=SEM4.
“HIPAA Security Series: Security 101 for Covered Entities,” (March 2007) available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf (last accessed on September 21, 2011).
According to Indiana University, metadata is data about data. “It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected.” See “Knowledge Base,” (October 22, 2010), available at: http://kb.iu.edu/data/aopm.html (last accessed on September 22, 2011).
“The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment: Accountability” (2009), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/accountability.pdf (last accessed on September 14, 2011).
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.