Using your own device for work is convenient and cost effective for your employer.
In the health industry, many organizations and hospitals are opting to allow employees to use their own devices for work.
Also, mobile technology is a useful tool with numerous online libraries and hundreds of health-related apps available at the touch of a button.
But when you allow clinical employees to use their own devices as a cost saving measure, you run security risks that might violate HIPAA standards. And if the government audits your organization and finds HIPAA violations, you could be subject to hefty fees.
This is why you need to understand the HIPAA Security Rule and how it relates to Bring Your Own Device (BYOD) policies in your organization.
What Is The HIPAA Security Rule?
In 1996 the Health Insurance Portability and Accountability Act passed. It required that The Health and Human Services Department create regulations to secure Protected Health Information.
And thus were born two rules. The HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule created national overall standards on private health information. And the Security Rule created security standards for the electronic transference of private health information.
These two rules go hand in hand. The Security Rule is an implementation of the Privacy Rule.
It uses the standards set in the Privacy Rule. And it tells organizations how to secure electronically transmitted protected private health information or e-PHI.
The General Rules For Following The HIPAA Security Rule
The Department of Human Health Services provides some basic rules to follow in regards to The Security Rule.
- “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- “Ensure compliance by their workforce.“
What Are The Challenges Of A BYOD Policy In Light Of The HIPAA Security Rule?
As you can see, the general guidelines under The HIPAA Security Rule provide some unique challenges already.
Before the invention of the smartphone and cloud computing technologies, these challenges were primarily local.
Protecting against reasonably anticipated threats meant installing anti-virus and anti-malware on your local networks of computers.
Ensuring confidentiality, integrity, and availability of e-PHI meant not letting staff transport files home or email files outside the local network without authorization.
Life for an IT department at a hospital, clinic or insurance agency was simpler.
Today, with the ability to access data through wi-fi and mobile technology, IT departments have to think about a variety of systems. Operating systems, cloud systems, peer2peer apps, just to name a few.
A company can decide to forego BYOD policies. An IT department can then issue their own devices and lock those down with limited priviledges.
They can control which apps a user accesses. They can control which devices can access the devices through Wi-Fi networks and ethernet connections.
The challenge of control is much easier if a company does not implement BYOD policies.
In the field of medical Quality Assurance, the obsession is with compliance. And for good reason.
If an organization is not compliant with certain standards of care, privacy, and other health laws the organization could lose funding or eventually be shut down.
In a BYOD policy environment, it’s difficult to ensure that all staff are compliant with the HIPAA Security Rule.
Unless you have cell signal blocking technology, there is no way to ensure that staff are compliant when using their own devices.
You would have to trust that staff are not disclosing e-PHI over unsecured channels to unauthorized persons.
We aren’t saying the BYOD is the absolutely wrong policy here. We are just pointing out the potential risks.
Lately, personal privacy has been all over the news. The FBI attempting to crack the San Bernadino criminal’s iPhone and other challenges to mobile security raise important questions.
But, as an employee of a health company, you waive your rights to the data on your phone being pulled for investigatory purposes. And this only in a BYOD environment.
The employee still owns the phone. But not the access the data in HIPAA secured apps and company clouds.
And if your BYOD policy does not require passcode protected device access and remote wipe capabilities, it will not be HIPAA compliant. This is not unlike a company having to change the locks when one employee loses their keys.
The legal challenges and the fees and costs associated with having BYOD policies might not be cost-prohibitive to large organizations.
But smaller clinics might want to re-consider when looking at legal costs of both compliance assurance and privacy issues.
Mobile Data Breaches Do Happen
If you think your company is immune to mobile data breaches and breaking the HIPAA Security Rule, think again.
- 102 million healthcare records were exposed,
- 483,655 records were compromised on average every day.
- 34 healthcare data breaches happened involving mobile devices.
- 270,761 records were exposed in HIPAA Security Rule breaches involving mobile devices.
And that’s only half of a year. Those companies probably thought they were walking the fine line and ensuring the privacy of their e-PHI.
The HIPAA Security Rule is not something to be taken lightly as many of us in the health field understand.
Constant auditing by both IT professionals and Quality Assurance staff will help mitigate these risks.
But if you don’t choose the most secure and compliant path you still leave your organization open to failure.
As you can see, it’s highly important that you employ every tool available in ensuring HIPAA compliance.
Do You need a team of experts in HIPAA security? How about documentation, risk assessment, staff training, remediation and other HIPAA compliance and technology services? You’ve come to the right place.
Check out our HIPAA Security Suite solutions and contact a member of our professional team right now. We’re ready to make your processes easier and more secure for everyone.