HIPAA privacy meets BYOD

The Health Insurance Portability and Accountability Act (HIPAA) has been with us for nearly 20 years, could it be feeling routine? Big mistake. The Health Information Technology for Economic and Clinical Health (HITECH) Act has ramped up the consequences of HIPAA errors and breaches, and new technology has created new risks in every facility, especially from “BYOD” (bring your own device) policies. HIPAA/HITECH is a risk management issue in this age of mobile communication. Violations can result in large enforcement penalties and aggressive audits.

Cultural shifts

Many Americans might give up their firstborn child before giving up their smartphone. Am I exaggerating? Just a little, but many Americans are wedded to their phones every minute of the day and night.

A smartphone really isn’t a phone; it is a highly sophisticated, high-speed computer with large amounts of storage that, coincidentally, can make telephone calls. And even worse, it has a high-definition camera. But then even a $10 flip phone has text, email and camera capabilities.

There are also tablets and laptops, each with massive amounts of data storage. And the ubiquitous flash drive, a thumb-sized device capable of storing from 2 to 64 gigabytes of data—including facility data.

The BYOD situation is both simple and complex—any device into which personal health information (PHI) is loaded or transmitted is the responsibility of the facility, whether or not the device belongs to the facility.

The crackdown on usage

Everyone working the floor of a long-term care facility should be required to lock their personal phone in a locker for the duration of the shift. Good luck enforcing that policy—especially evenings and nights. But the facility must try.

Staff members who work off the residential floor, including front-office personnel, are unlikely to surrender their phones and, in fact, will probably use them to conduct business, which is a problem.

Facility-owned phones

Should the facility buy smartphones for employees who use the phone for work? Although doing so allows control and custody, it also increases expenses and likely will get push back from employees, especially when you tell them that personal use is not allowed. Now they are wedded to two smartphones, which may cause digital overload. It is more likely the employees will use their own smartphones, leaving it up to the facility to secure the HIPAA-relevant contents.

Text and email security

Any means of transmission and receipt is covered when PHI is exchanged, which includes text and email. Facility management needs to decide whether PHI can be transmitted via e-mails. This decision needs to be firm, without exceptions.

Many of us use a computer as our primary means of sending and receiving emails but have secondary access on a phone. When this secondary access involves moving and storing PHI, the phone is covered.

Forwarding emails might be convenient, but it is easy to forward something to the wrong person. Facility policy should firmly state that emails with attachments are not allowed to be forwarded on portable devices. The same company policy should include texting. It is so fast and easy that users tend to forget what was said or attached.

Large-capacity devices are evil

It is not difficult to imagine an MDS nurse downloading files into a laptop—hers or the facility’s—and taking work home. Most of us have done that. The problem, however, is that after PHI is batch loaded into the laptop, the device can be lost or stolen.

Batch file loading into laptops or tablets should be prohibited, regardless of who owns the machine. And circumventing this rule by using a flash drive should be prohibited as well. Encryption is a safe harbor, but perhaps not an absolute safe harbor. Cloud connections from home or remote sites are less risky, unless used to download batches of files.

Operational policies and procedures

Every facility is buried in policy and procedure statements. And the federal agencies in charge of HIPAA compliance expect you to have even more. Policies are a start; regular training is a legal and operational requirement. All facilities already should have a set of comprehensive HIPAA policies, but more guidelines may need to be added to regulate the following:

• Cataloging of devices. Every device to be loaded with or to be the recipient of PHI should be registered with the facility, regardless of ownership. The facility is responsible for the security of PHI.
• Virus and malware software. Each registered device should be protected with anti-virus and anti-malware software.
• Encryption. A safe harbor from breach violations is the use of encryption software that encodes content so only a code will allow viewing or using the materials.
• Remote wipe. Should a device be lost or stolen, the facility should be able to remove content remotely via specialized software. This action may wipe all of the personal contents on a personal phone, so warn the employees very clearly.
• Tracking. Specific software that tracks lost or stolen devices. Your tech adviser can recommend a software system that meets your needs.
• Prompt reporting. If a device is lost or stolen, a report must be sent to senior management immediately, even if it is a holiday or the middle of the night.
• Family usage. Once a device contains PHI, it should not be used by any family member, regardless of ownership. Loaning the company laptop to a child to work on school projects must be forbidden.

Other device limitations

Free! About those really neat free apps—many of them pull data from your device—some innocent, some malicious. No free apps should be allowed on any PHI device.

No photos means NO PHOTOS. Any images taken for legitimate clinical or promotional purposes should be taken with a digital camera and loaded into a desktop computer, reducing the odds of the photo getting loose. In addition, photos by staff of anything, including each other, should be prohibited, whether published or not.

What about families and visitors who want to take photos of mom with her friends or mom with her favorite nurse? There is no clear answer to that question, but as long as the facility is not involved with storing or transmitting the photo, there is a lesser risk. For certain, no resident should have a photo taken in any situation without informed, signed consent.

Social media

Only authorized personnel should load anything to the facility Facebook page or enter tweets on the facility Twitter account. Employees should be warned against entering any PHI, and especially patient photos, onto any social media platform.

The National Labor Relations Board has ruled tht employees are protected, under the concerted action rules, when talking about work, including bad-mouthing the boss! This ruling apparently does not, however, include using social media to violate HIPAA.

Sale, trade-ins and hand-me-down devices

With the “gotta-have-the-newest-model” fever, employees will update and upgrade devices often. Phones are often sold, traded in or given to family members, as are laptops and tablets.

It is imperative that each device be “wiped” before it is passed along, and “wiped” is not the same as deleting files. Also, removable storage devices must be secured. If any uncertainty exists about the security of the device, then it should be locked up or destroyed.

Risk management

Managing risk is a combination of knowledge, a slight touch of paranoia, training and daily supervision. Improved technology has increased risks at a time when enforcement and audits have increased. Vigilance is critical.

Tom Ealey, a professor at Alma College, has more than three decades of experience as a long-term care consultant and compliance expert. He can be reached at ealey@alma.edu

Disclaimer: Legal advice should always be obtained from a licensed and qualified attorney.