The Health Insurance Portability and Accountability Act (HIPAA) has been with us for nearly 20 years, could it be feeling routine? Big mistake. The Health Information Technology for Economic and Clinical Health (HITECH) Act has ramped up the consequences of HIPAA errors and breaches, and new technology has created new risks in every facility, especially from “BYOD” (bring your own device) policies. HIPAA/HITECH is a risk management issue in this age of mobile communication. Violations can result in large enforcement penalties and aggressive audits.
Many Americans might give up their firstborn child before giving up their smartphone. Am I exaggerating? Just a little, but many Americans are wedded to their phones every minute of the day and night.
A smartphone really isn’t a phone; it is a highly sophisticated, high-speed computer with large amounts of storage that, coincidentally, can make telephone calls. And even worse, it has a high-definition camera. But then even a $10 flip phone has text, email and camera capabilities.
There are also tablets and laptops, each with massive amounts of data storage. And the ubiquitous flash drive, a thumb-sized device capable of storing from 2 to 64 gigabytes of data—including facility data.
The BYOD situation is both simple and complex—any device into which personal health information (PHI) is loaded or transmitted is the responsibility of the facility, whether or not the device belongs to the facility.
The crackdown on usage
Everyone working the floor of a long-term care facility should be required to lock their personal phone in a locker for the duration of the shift. Good luck enforcing that policy—especially evenings and nights. But the facility must try.
Staff members who work off the residential floor, including front-office personnel, are unlikely to surrender their phones and, in fact, will probably use them to conduct business, which is a problem.
Should the facility buy smartphones for employees who use the phone for work? Although doing so allows control and custody, it also increases expenses and likely will get push back from employees, especially when you tell them that personal use is not allowed. Now they are wedded to two smartphones, which may cause digital overload. It is more likely the employees will use their own smartphones, leaving it up to the facility to secure the HIPAA-relevant contents.
Text and email security
Any means of transmission and receipt is covered when PHI is exchanged, which includes text and email. Facility management needs to decide whether PHI can be transmitted via e-mails. This decision needs to be firm, without exceptions.
Many of us use a computer as our primary means of sending and receiving emails but have secondary access on a phone. When this secondary access involves moving and storing PHI, the phone is covered.
Forwarding emails might be convenient, but it is easy to forward something to the wrong person. Facility policy should firmly state that emails with attachments are not allowed to be forwarded on portable devices. The same company policy should include texting. It is so fast and easy that users tend to forget what was said or attached.
Large-capacity devices are evil
It is not difficult to imagine an MDS nurse downloading files into a laptop—hers or the facility’s—and taking work home. Most of us have done that. The problem, however, is that after PHI is batch loaded into the laptop, the device can be lost or stolen.
Batch file loading into laptops or tablets should be prohibited, regardless of who owns the machine. And circumventing this rule by using a flash drive should be prohibited as well. Encryption is a safe harbor, but perhaps not an absolute safe harbor. Cloud connections from home or remote sites are less risky, unless used to download batches of files.
Operational policies and procedures
Every facility is buried in policy and procedure statements. And the federal agencies in charge of HIPAA compliance expect you to have even more. Policies are a start; regular training is a legal and operational requirement. All facilities already should have a set of comprehensive HIPAA policies, but more guidelines may need to be added to regulate the following: