What You Need to Know About Mobile Devices and HIPAA Compliance

Posted by John Dimaggio on Jul 13, 2016 3:34:50 PM

In Cyber Security

Do your employees ever use mobile devices for work-related functions? If so, keep in mind that failure to comply with HIPAA mobile device regulations can result in significant fines. Non-compliance can also generate negative publicity and reputational damage that is difficult to recover from, and can trigger Office for Civil Rights (OCR) investigations and corrective action plans.

Recently a Healthcare Business Associate providing IT services to skilled nursing facilities in the northeast was fined $650,000 and put on a corrective action plan. The reason? Theft of an employee's iPhone. The iPhone had no password protection, so the data stored on it was effectively left unencrypted. OCR ultimately determined that sensitive information had been compromised as a result of the theft. Compounding the problem, the Business Associate had no active risk management plan and no policies governing mobile device use. For more information see https://www.databreaches.net/business-associates-failure-to-safeguard-nursing-home-residents-phi-leads-to-650000-hipaa-settlement/

HIPAA requires all Covered Entities and their Business Associates to protect the electronic PHI (ePHI) they create, receive, maintain or transmit. The following is a list of best practices for HIPAA-compliant mobile device use:

  • Use Password Protection. Every mobile device should require a passcode (or a biometric unlock backed by a passcode) before it can be used. On modern smartphones the built-in storage encryption is keyed to the device passcode, so a device with no passcode, like the stolen iPhone above, is effectively unencrypted even when the hardware supports encryption. A well-structured and consistently enforced password policy is the first, and sometimes the last, line of defense against someone breaking into your devices, your network, and your data. Passwords should be a minimum of 8 characters, mix upper and lower case letters, numbers and special characters, and be changed every 90 days.
  • Use Data Encryption. Encryption scrambles data mathematically so that it is unreadable to anyone who does not hold the decryption key. Encrypting data protects sensitive information both in transit and at rest, which is critical given how often disks, tapes, laptops, USB storage devices and smartphones are lost or stolen. Attackers often use mobile devices as "the way in": a compromised device that holds credentials or a VPN connection puts the EHR data on your servers at risk as well.
  • Enable Remote Wiping. Remote wipe provides a second line of defense behind encryption, letting you erase all data on a device remotely when it is lost or stolen. Enroll devices in a mobile device management (MDM) tool so the wipe can be issued, and its completion confirmed, from a central console, and require employees to report a loss immediately: a wipe command only takes effect once the device is powered on and reachable.
  • Develop Mobile Device Policies and Procedures. Implement and enforce a comprehensive set of policies and procedures for the use of mobile devices in the workplace, including which devices may hold ePHI, what configuration is required before a device is enrolled, and what an employee must do when a device is lost or stolen.
  • Perform Regular Security Audits. Routine risk assessments identify cyber security vulnerabilities and better position an organization for an OCR audit. A thorough and accurate risk assessment addresses all 60+ applicable areas of the HIPAA Security Rule.

Finally, don’t underestimate the complexity of HIPAA compliance.  Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to stay in front of emerging threats.  Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes. 

Worried about the OCR HIPAA Audits? Download our OCR Audit eBook by clicking on the below link:

Download Our OCR Audit eBook

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.