This scenario happens more often than you think. Stolen or lost laptops, smartphones or backup media are the most common causes of electronic protected health information (EPHI) loss. Many healthcare professionals access their patient information via smartphones or tablets or take their work home on mobile devices like laptops or removable media like USB memory sticks. The potential legal, financial, reputational, and emotional consequences of EPHI loss can be devastating to both the patient as well as the healthcare provider.
The HIPAA Security Rule requires all covered entities to ensure the security of confidential patient health information. Having a strong EPHI security management program is absolutely mandatory. Loss of unencrypted patient data triggers the Data Breach Notification Rule, which requires covered entities to notify the appropriate authorities, federal and state agencies, as well as the affected individuals. So, what safeguards can a healthcare organization implement to protect EPHI on mobile devices?
A comprehensive, well-documented mobile device management policy should be implemented and strictly enforced by all covered entities as well as their business associates, whether big or small. The foundation of a sound mobile device management policy to protect EPHI should be a thorough risk assessment that is conducted on a regular basis.
Ten essential steps of the risk analysis process are:
- Identify and document all mobile devices that may create, receive, store or transmit EPHI. This should encompass EPHI on all devices, including workstations, servers, mobile devices like laptops, smartphones and tablets, and removable media like USB memory sticks, CDs, etc.
- Document what kind of data resides on which device.
- Identify and document potential threats and vulnerabilities to each EPHI repository. For example: the theft or loss of a laptop is a threat; the vulnerability to the data could be the lack of a strong password or of encryption.
- Assess current security measures in place to prevent loss of EPHI.
- Determine the probability or likelihood of the threat occurring. In the case of mobile devices, this threat occurrence is very high.
- Determine the potential impact of the threat occurrence.
- Based on the likelihood of threat occurrence and its potential impact, determine the level of risk associated with each mobile device containing EPHI.
- Determine additional security steps that can be taken to lower the risk.
- Document the risk analysis.
- Conduct periodic (at least annually if not more) risk assessment reviews and make necessary changes to the existing security measures as required.
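The ten steps above describe a risk register: an inventory of devices and the EPHI they hold, the threats to each, the safeguards already in place, and a risk level derived from likelihood and impact. The script below is an added worked example and is not part of the original article or of any HIPAA guidance; the three-level scale, the likelihood times impact product, the thresholds for "medium" and "high", and the rule that each mitigating control present lowers a threat's impact by one level are assumptions chosen for illustration, and the device inventory is constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Ordinal scale shared by likelihood, impact and the resulting risk level
# (assumption: a simple 1..3 scale; HIPAA does not prescribe a scoring method).
LEVELS = ["low", "medium", "high"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}  # low=1, medium=2, high=3


@dataclass
class Asset:
    """One entry of the device inventory (step 1) with the data it holds (step 2)."""
    name: str
    kind: str                 # laptop, smartphone, usb, ...
    ephi: List[str]           # kinds of EPHI stored on the device
    controls: Set[str]        # safeguards currently in place (step 4)


@dataclass
class Threat:
    """A threat with its inherent likelihood and impact (steps 5 and 6)."""
    description: str
    likelihood: str
    impact: str
    mitigations: Set[str]     # controls that each lower the impact by one level


@dataclass
class Finding:
    """One row of the documented risk analysis (step 9)."""
    asset: str
    threat: str
    score: int
    level: str
    missing_controls: List[str]   # additional steps that would lower the risk (step 8)


def lower(level: str, steps: int) -> str:
    """Move an ordinal level down by `steps`, never below 'low'."""
    return LEVELS[max(0, SCORE[level] - 1 - steps)]


def risk_level(score: int) -> str:
    """Map a likelihood x impact product (1..9) onto the three-level scale (step 7)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(asset: Asset, threats: List[Threat]) -> List[Finding]:
    """Score every threat against one asset, crediting the controls it already has."""
    findings = []
    for t in threats:
        present = t.mitigations & asset.controls
        residual_impact = lower(t.impact, len(present))
        score = SCORE[t.likelihood] * SCORE[residual_impact]
        findings.append(Finding(asset.name, t.description, score, risk_level(score),
                                sorted(t.mitigations - asset.controls)))
    return findings


def build_register(assets: List[Asset], threats: List[Threat]) -> Dict[str, List[Finding]]:
    """The full risk analysis, keyed by asset name, ready to be documented (step 9)."""
    return {a.name: assess(a, threats) for a in assets}


def needs_action(register: Dict[str, List[Finding]]) -> List[str]:
    """Assets with at least one high-risk finding; the first candidates for new controls."""
    return sorted(name for name, fs in register.items() if any(f.level == "high" for f in fs))


# Constructed sample threats, following the article's laptop example: loss is the threat,
# a missing password or missing encryption is the vulnerability.
THREATS = [
    Threat("theft or loss of the device", "high", "high", {"encryption", "remote_wipe"}),
    Threat("unauthorized use of an unattended device", "medium", "high",
           {"strong_password", "auto_lock"}),
]

# Constructed sample inventory (identifiers are placeholders, not real devices).
INVENTORY = [
    Asset("LT-014", "laptop", ["patient charts"], {"strong_password"}),
    Asset("PH-007", "smartphone (BYOD)", ["secure messaging"],
          {"encryption", "strong_password", "remote_wipe", "auto_lock"}),
    Asset("USB-003", "usb", ["billing records"], set()),
]

if __name__ == "__main__":
    register = build_register(INVENTORY, THREATS)
    for name, findings in register.items():
        for f in findings:
            print(f"{name:8} {f.level:6} ({f.score}) {f.threat:45} add: {', '.join(f.missing_controls) or '-'}")
    print("needs action:", needs_action(register))
```

Running it prints one line per asset and threat; the unencrypted laptop and the bare USB stick come out as high risk with "encryption" and "remote_wipe" listed as the controls to add, while the fully protected smartphone stays at medium for theft only because the likelihood of loss remains high, which is exactly the point of step 5. Re-running the same register after controls are deployed is the periodic review of step 10.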
Based on the findings of the risk analysis, a covered entity or business associate can implement appropriate policies relating to mobile device usage. Organizational policies on allowing employees to use their own smartphones for work-related purposes (BYOD), as well as the minimum security measures (such as data encryption, strong passwords, device tracking, etc.) that need to be implemented on mobile devices containing EPHI, can be clearly spelled out and enforced.
Mobile device usage is only going to grow in the future. Implementing a well-documented mobile device management policy now, based on a thorough risk analysis and coupled with regular staff training on data security and HIPAA compliance, will go a long way toward ensuring the security of EPHI in your organization.