The proliferation of mobile devices has caused many covered entities and business associates to take a closer look at HIPAA regulations, to ensure that they remain secure while they are using the latest technologies.
It is essential to understand the basics, and to also be aware of recent changes that have been made at the federal level to help guide healthcare organizations through the implementation process.
While HIPAA regulations have not been changed to specifically account for smartphones, tablets, and laptops, they do specify how PHI must be protected. Moreover, certain agencies have also put out more recent guidelines to ensure that covered entities and business associates are able to remain compliant and still successfully use mobile devices.
HealthITSecurity.com will discuss the basics of HIPAA regulations as they apply to mobile devices, and also review additional regulations that have been put in place to further guide healthcare organizations.
Mobile devices and technical safeguards
HHS describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The HIPAA Security Rule also does not require specific technology solutions, but it does mandate that organizations implement reasonable and appropriate security measures for their daily operations.
“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
For example, if a clinic allows physicians and other staff members to use smartphones as part of its BYOD policy, it would likely make sense for there to be a type of Mobile Device Management (MDM) policy. This approach can assist facilities in controlling their PHI at all times and can provide secure client applications, such as email and web browsers. It can also allow remote wipe capability, which could be beneficial should a device become lost or stolen.
Organizations must also “implement technical policies and procedures that allow only authorized persons to access” ePHI. Essentially, there must be a limit for who is accessing sensitive information.
Health data encryption is another example of how covered entities can apply HIPAA regulations to their use of mobile devices. Encryption allows a healthcare organization to convert information from its original, readable form into encoded text. This makes the health data unreadable to anyone who does not have the necessary key or code to decrypt it.
However, HIPAA does not require encryption. Instead, encryption is an “addressable” aspect, meaning that each organization determines whether encryption is necessary for its operations and, if so, what type of encryption to use.
“Adopting a single industry-wide encryption standard in the Security Rule would likely have placed too high a financial and technical burden on many covered entities,” explains the HHS Security Series. “The Security Rule allows covered entities the flexibility to determine when, with whom, and what method of encryption to use.”
Recent regulations regarding mobile devices and applications
One of the recent tools created to help organizations stay compliant with their mobile devices was released toward the end of last year.
The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) developed a guideline for implementing mobile security measures on both personal and organization-owned mobile devices.
The cybersecurity practice guide, “Mobile Device Security: Cloud & Hybrid Builds,” was designed to help combat the increasing security threat as more facilities implement mobile and cloud options.
“Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose, not only in Bring Your Own Device (BYOD) scenarios, but also in corporately owned and personally enabled (COPE) mobile device deployments, where mobile devices are adopted on an ad hoc basis,” NCCoE explained. “This gap in protection mechanisms means that data stored on or accessed from mobile devices is at increased risk of being breached.”
The US Department of Health and Human Services Office for Civil Rights (OCR) also launched a portal last year for health application developers.
“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected,” the portal states. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules.”
The portal also provides links that discuss the HIPAA Privacy Rule, the HIPAA Security Rule, business associates, and a sample business associate agreement.
More recently, ACT | The App Association called for even better guidelines when it comes to the development of health apps and other connected devices. While OCR had clarified how patients can better access their own health records, more needs to be done to help app makers and connected device companies.
Another important set of guidance recently released connected the HIPAA Security Rule and the NIST Cybersecurity Framework.
OCR released a crosswalk to help covered entities identify “mappings” between the two frameworks.
“This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory,” OCR stated in the crosswalk. “Due to the granularity of the NIST Cybersecurity Framework’s Subcategories, some HIPAA Security Rule requirements may map to more than one Subcategory.”
OCR added that it often hears that it is becoming increasingly difficult to create an atmosphere that adequately protects ePHI. The continued use of mobile devices likely only adds to this issue.
“A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits,” the crosswalk explained.