Keeping Up with Cybersecurity is Essential to HIPAA Compliance
Over the past few years, as a result of the COVID-19 pandemic as well as other developments in the medical arena, practices have increasingly relied on technology. This includes the much wider use of telehealth as well as electronic health records (EHR), online medical portals, and appointment confirmations via email and text.
Although technology is giving physicians, medical staff, and patients much easier access to critical information, it has also opened the door for fraudsters and hackers to steal or corrupt this data. That is why it is important to continue to follow the latest protocols for handling protected health information (PHI).
Title II of the Health Insurance Portability and Accountability Act (HIPAA), known as the Administrative Simplification provisions, created national standards for electronic healthcare transactions. Title II covers a lot of ground, but two aspects are particularly relevant to cybersecurity for medical practices:
- The Privacy Rule: This concerns the use and disclosure of protected health information (PHI) held by “covered entities.” According to the rule, covered entities include insurers, medical service providers and various healthcare clearinghouses and employer-sponsored health plans, as well as their business associates.
- The Security Rule: Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI. It describes three types of security safeguards: administrative, physical, and technical.
HIPAA and Mobile Devices
Mobile devices usually transmit and receive PHI over public Wi-Fi and email applications or through unsecured mobile networks, which places PHI at risk of interception. In addition, most mobile devices can now take and store photographs, and photos may violate patient privacy, raising further compliance concerns. Most of today’s smartphones and tablets store data not only on the device itself, but also in “the cloud.”
The primary concern is how a doctor accesses patient information. If a physician uses a properly secured smartphone, tablet or laptop to access EHR, the doctor will generally be in compliance with HIPAA. However, if the physician saves EHR data or photos to one of those devices and the device is stolen or lost, the doctor might be liable for the resulting HIPAA breach. Liability can be costly, though if the PHI is not identifiable, it is probably nothing to worry about.
Data pulled via browsers is generally encrypted, especially through an EHR portal. Physician-to-patient emails sent outside the portal can be a problem, because the Internet service provider might not be secure, so the email communication could fail to meet HIPAA standards.
Access and Training
The three standards of the HIPAA Security Rule are confidentiality, integrity, and access. Access typically refers to passwords. Physicians need to fully evaluate which staff members require access and provide training in security protocols.
A major component of cybersecurity is, of course, encrypting patient data. Also important is protecting monitors so that people who should not have PHI access cannot read information off a computer screen, for example over the shoulder of someone in the office.
For most practices, it is a good idea to document each device’s purpose and limit access to it. The next step is to determine how each device should be configured to make it compliant. Doing so may require engaging a HIPAA compliance expert in addition to an IT consultant.
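The "evaluate which staff members require access" step above is, in practice, a least-privilege policy: each role sees only the PHI fields its job needs, and every access attempt is recorded so unusual patterns can be reviewed. The following is an added illustration, not code from the original article or from any EHR vendor. The roles, field names, patient record and denial threshold are all constructed assumptions for a hypothetical small practice.

```python
"""Least-privilege PHI access check with an audit trail (illustrative example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Assumed role-to-field policy ("minimum necessary"): a role may read only the
# fields listed for it. Roles not listed here are granted nothing.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications"},
    "front_desk": {"name", "appointment"},
    "billing": {"name", "insurance_id"},
}

# Constructed sample record for a fictitious patient, used only to exercise the checks.
SAMPLE_RECORDS: Dict[str, Dict[str, object]] = {
    "pt-0001": {
        "name": "Jane Example",
        "dob": "1980-01-01",
        "diagnosis": "sample diagnosis",
        "medications": ["sample-med 10mg"],
        "notes": "sample clinical note",
        "appointment": "2024-05-01 09:00",
        "insurance_id": "SAMPLE-INS-123",
    }
}


@dataclass
class AuditEvent:
    """One logged access attempt, whether fully granted, partly denied, or fully denied."""
    timestamp: str
    user: str
    role: str
    record_id: str
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]


@dataclass
class PhiStore:
    records: Dict[str, Dict[str, object]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, record_id: str,
             fields: Iterable[str]) -> Dict[str, object]:
        """Return only the requested fields the role is permitted to see; log everything."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        requested = sorted(set(fields))
        granted = tuple(f for f in requested if f in allowed)
        denied = tuple(f for f in requested if f not in allowed)
        # The audit entry is written before any data is returned, so denied
        # attempts are recorded even when nothing is released.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, record_id=record_id,
            granted=granted, denied=denied,
        ))
        record = self.records.get(record_id, {})
        return {f: record[f] for f in granted if f in record}


def users_with_repeated_denials(store: PhiStore, threshold: int = 3) -> Dict[str, int]:
    """Simple review aid: users whose attempts were denied at least `threshold` times."""
    counts: Dict[str, int] = {}
    for event in store.audit_log:
        if event.denied:
            counts[event.user] = counts.get(event.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def demo() -> Dict[str, object]:
    """Run a few constructed access attempts and summarise the outcome."""
    store = PhiStore(records=SAMPLE_RECORDS)
    # A nurse asks for a diagnosis field the nurse role is not granted.
    nurse_view = store.read("nurse01", "nurse", "pt-0001", ["name", "medications", "diagnosis"])
    # Front-desk staff ask for clinical notes alongside scheduling data.
    desk_view = store.read("desk01", "front_desk", "pt-0001", ["name", "appointment", "notes"])
    # Repeated out-of-role requests from the same user should show up in review.
    for _ in range(3):
        store.read("desk01", "front_desk", "pt-0001", ["diagnosis"])
    # An unrecognised role receives nothing at all.
    unknown = store.read("temp01", "contractor", "pt-0001", ["name"])
    return {
        "nurse_view": nurse_view,
        "desk_view": desk_view,
        "unknown_role_view": unknown,
        "audit_events": len(store.audit_log),
        "flagged": users_with_repeated_denials(store),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the policy is a deny-by-default allow-list keyed on role rather than on individual user, which makes the "which staff members require access" review a matter of maintaining one small table, and that the audit entry is appended before data is released, so the log is complete even for fully denied requests.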
Physician offices also need to develop policies regarding staff use of smartphones, especially now that almost all of them have cameras. The policies should answer such questions as: How and where can employees use their phones? One suggestion: Instruct staff members not to bring their phones into exam rooms or other patient treatment areas.
The issues surrounding cybersecurity for physician practices, particularly regarding mobile devices, will continue to evolve right along with technology. Stay informed about the current best practices to avoid running afoul of HIPAA security rules and protocols. Contact us with questions.