Because your patients come first.
HIPAA – Texting/Emailing/BYOD
Myths vs Realities
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP, CCNA, Net +
www.hipaa-consulting.com
Again, the HIPAA Privacy Rule vs. HIPAA Security Rule
– what’s the difference?
• HIPAA Privacy Rule - the individual's right to control how his/her
identifiable health information is used and disclosed. Privacy encompasses
controlling who is authorized to access patient information, and under
what conditions patient information may be accessed, used and/or
disclosed to a third party. The HIPAA Privacy Rule applies to ALL
protected health information, whatever form it takes.
• HIPAA Security Rule - the mechanisms in place to protect electronic
health information - includes the ability to control access to
patient information, as well as to safeguard patient information from
unauthorized disclosure, alteration, loss or destruction (confidentiality,
integrity and availability). Security is accomplished through administrative,
physical and technical controls. Since so much PHI
is now stored and/or transmitted by computer systems, the HIPAA Security
Rule was created to specifically address ELECTRONIC protected health
information.
PRIVACY RULE
•The Privacy Rule covers all Protected Health
Information (PHI)
•PHI is individually identifiable health information: data that
identifies (or could reasonably be used to identify) the patient and
relates to their condition, their care, or payment for that care
•De-identified Information does not have to be
protected by HIPAA
•Privacy Rule is concerned with guarding the
confidentiality of PHI in ALL formats; paper, oral or
electronic.
Security Rule
Enforcement began on April 21, 2006
The Security Rule complements the Privacy Rule.
• While the Privacy Rule pertains to all Protected Health Information (PHI) including
paper and electronic, the Security Rule deals specifically with Electronic Protected
Health Information (EPHI).
It lays out three types of security safeguards required for compliance:
• Administrative
• Physical
• Technical
The Rule identifies various security standards, and for each standard, it names both
required and addressable implementation specifications. Required specifications must
be adopted and administered as dictated by the Rule. "Addressable" does NOT mean
optional: covered entities and business associates evaluate their own situation and
must either implement the specification, implement an equivalent alternative measure,
or document why it is not reasonable and appropriate in their environment.
RISK ASSESSMENT FOR HIPAA SECURITY MUST BE DONE
Business Associate (Definition)
• Business Associates (BA’s) are individuals or
entities who create, receive, maintain, or
transmit protected health information on behalf of a
covered entity (and must sign a Business Associate Agreement).
• Example: Answering Services, Medical
Transcription, IT groups, Billing companies,
shredding services are clearly under the
auspices of “Business Associate”
COMMON HIPAA VIOLATIONS
• Clinical documentation causing HIPAA violations
– Selecting the wrong person to CC on an e-mail containing PHI
– Selecting the wrong patient name
– Selecting the wrong account number, medical record number, or
subject ID
– Entering the wrong supervising or attending physician
– Sharing information about a patient with others when there is no
reason for them to know
– Failure to immediately report any potential breach or security
incident to the compliance officer or your supervisor
– Improper disposal of materials containing PHI
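The first three items above (wrong CC, wrong patient, wrong record number) are the kind of slip a pre-send check can catch before the message leaves the organisation. The script below is an added example written for this page, not code from the presentation or from any product: it looks for PHI indicators in an outbound message and blocks it when any recipient is outside the practice's own domain and not on the list of business associates with an agreement on file. The internal domain, the BA allow-list, the MRN format and the sample messages are all constructed assumptions.

```python
"""Pre-send gate for outbound e-mail that may carry PHI.

Added example for this page, not the presenter's code.  Everything below the
imports (domains, PHI patterns, sample messages) is a constructed assumption.
"""
import re
from typing import Any, Dict, List

INTERNAL_DOMAIN = "examplehealth.org"                            # assumption
BA_DOMAINS = {"billing-partner.example", "transcribe.example"}   # assumption: BAAs on file

# Indicators that a message contains PHI.  The MRN format is an assumption;
# adapt the patterns to the identifiers your own EHR issues.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,8}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


def phi_indicators(text: str) -> List[str]:
    """Names of the PHI patterns that match anywhere in the text."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def recipient_domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def check_message(msg: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether a message may be sent.

    Returns {"action": "allow"|"block", "phi": [...], "flagged": [...]} where
    "flagged" lists recipients that are neither internal nor a known BA.
    A message with no PHI indicators is allowed regardless of recipients.
    """
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    indicators = phi_indicators(text)
    if not indicators:
        return {"action": "allow", "phi": [], "flagged": []}
    recipients = [*msg.get("to", []), *msg.get("cc", [])]
    flagged = [
        r for r in recipients
        if recipient_domain(r) != INTERNAL_DOMAIN
        and recipient_domain(r) not in BA_DOMAINS
    ]
    return {"action": "block" if flagged else "allow",
            "phi": indicators, "flagged": flagged}


# Constructed sample messages: a mis-typed CC, a legitimate BA transfer, and
# a PHI-free social message.
SAMPLE_MESSAGES = [
    {"subject": "Lab results", "to": ["dr.patel@examplehealth.org"],
     "cc": ["j.smith@gmail.example"],   # the wrong person picked from autocomplete
     "body": "MRN 00482913, DOB 04/12/1961 - potassium 5.9, please review."},
    {"subject": "Claims batch", "to": ["claims@billing-partner.example"], "cc": [],
     "body": "MRN 00482913 attached for adjudication."},
    {"subject": "Lunch?", "to": ["team@examplehealth.org"],
     "cc": ["friend@gmail.example"], "body": "Tacos at noon?"},
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", check_message(m))
```

The check is deliberately conservative: it cannot tell whether an internal recipient has a need to know (the "minimum necessary" question) or whether an external address belongs to the patient who asked for the record, so a blocked message should go to a human reviewer rather than being silently dropped.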
TELEMEDICINE
Quote from Roger Severino (former OCR Director)
“We are empowering medical providers to serve patients wherever
they are during this national public health emergency. We are
especially concerned about reaching those most at risk, including older
persons and persons with disabilities.” – Roger Severino, OCR Director.
FISHING OR PHISHING
• E-mail phishing is often identified as the origin of
a breach
– Phishing is a fake e-mail or Website that attempts to
gather your personal information (or your login credentials)
for identity theft or fraud
– Phishing scams usually use a spoofed Website that
looks very much like the real Website, often on a
domain name that differs from the real one by a character or two
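Since the spoofed site's giveaway is usually its domain name, one practical control is to scan the links in an incoming message for lookalikes of the domains the practice actually uses. The script below is an added example for this page (not the presenter's code): it folds common character substitutions such as `1` for `l`, computes the edit distance of the link's registrable domain to each protected domain, and also catches the real brand placed as a subdomain of an unrelated domain or hidden in an internationalised (punycode) label. The protected-domain list and the sample message are constructed assumptions, and the "last two labels" shortcut for the registrable domain stands in for a proper public-suffix list.

```python
"""Flag lookalike (spoofed) hostnames in the links of an e-mail body.

Added example for this page, not the presenter's code.  The protected domains
and the sample e-mail are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains the organisation genuinely uses (assumption).
PROTECTED_DOMAINS = {"hipaa-consulting.com", "examplehealth.org"}

# Digits and symbols attackers swap for visually similar letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "9": "g", "|": "l"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise(label: str) -> str:
    """Fold homoglyph substitutions so 'examp1eheaIth' compares as 'examplehealth'."""
    label = label.lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_host(host: str) -> Optional[str]:
    """Reason string if the host looks like a spoof of a protected domain, else None."""
    host = host.lower().rstrip(".")
    if host in PROTECTED_DOMAINS or any(host.endswith("." + d) for d in PROTECTED_DOMAINS):
        return None                      # the genuine domain or a real subdomain of it
    if "xn--" in host:
        return "internationalised (punycode) label"
    reg = registrable(host)
    for good in PROTECTED_DOMAINS:
        brand = good.split(".")[0]
        # Real brand name used as a subdomain (or prefix) of an unrelated domain.
        if brand in host and reg != good:
            return f"brand '{brand}' under unrelated domain {reg}"
        # Registrable part within two edits of the real one after homoglyph folding.
        dist = levenshtein(normalise(reg), normalise(good))
        if dist <= 2:
            return f"edit distance {dist} from {good}"
    return None


def find_lookalikes(body: str) -> List[Tuple[str, str]]:
    """Scan a message body and return (hostname, reason) for each suspicious link."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            reason = classify_host(host)
            if reason:
                findings.append((host, reason))
    return findings


# Constructed phishing sample: two spoofed links, one reference link, one genuine link.
SAMPLE_EMAIL = """Subject: Password expiry notice
Your portal password expires today. Reset it here:
https://portal.examp1ehealth.org/reset
Or sign in via https://login.hipaa-consulting.com.evil.example/sso
Reference material: https://www.hhs.gov/hipaa/index.html
Genuine link: https://mail.examplehealth.org/owa
"""

if __name__ == "__main__":
    for host, reason in find_lookalikes(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {host}: {reason}")
```

Run against the sample, the check flags `portal.examp1ehealth.org` and `login.hipaa-consulting.com.evil.example` and leaves the HHS and genuine links alone. In production you would feed it the rendered link targets (not just the visible anchor text) and back the distance test with a real public-suffix list so that `co.uk`-style domains are handled correctly.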
What is Ransomware?
• Type of malware that prevents or limits users from
accessing their system, either by locking the system's
screen or by locking the users' files unless a ransom
is paid.
• More modern ransomware families, collectively
categorized as crypto-ransomware, encrypt certain
file types on infected systems and force users to pay
the ransom through certain online payment methods
to get a decryption key. Many current groups also copy
the data out before encrypting it and threaten to publish it.
• Under OCR guidance, a ransomware infection that encrypts
ePHI is presumed to be a breach unless the entity can
demonstrate a low probability that the PHI was compromised.
BYOD
Positives
• Provide flexibility
• Streamlines communications
• Increases productivity due to familiarity with
the device
• Can save the practice or business money (e.g.
equipment, data plans, etc.)
• Allows for easier tele-working
• Preferred by most staff members
• Employees can use apps which they prefer for
productivity
Negatives
• Who is responsible for support or repair?
• Auditing devices for security may be considered
intrusive and troublesome
• Device compatibility problems
• Problems with monitoring how and where PHI is
stored
• Encryption?
• Are non-authorized individuals using the device?
(e.g. kids playing games on the phone)
• Theft?
• Weak passwords?
DO NOT
• Allow PHI to be written to the mobile
device
• Permit integration with insecure file
sharing or hosting services
• Set it and forget it (always include BYOD
in risk assessments)
Best Practices
• Ensure security updates on the phone are applied promptly
• Use multi-factor authentication (e.g. a passcode plus
biometrics)
• Encrypt the device using whole disk encryption (P.S. – a
lost or stolen device is not a reportable breach under HIPAA
only if it was encrypted consistent with HHS guidance and the
decryption key or passcode was not also compromised; document
this in the incident investigation)
• Train staff on appropriate apps and software as well as
cyber threats
• Enforce password complexity and an automatic screen lock
• Perform risk assessments annually to identify threats
2024 Mobile Devices
• HHS issued guidance addressing the extent to which PHI is protected on mobile
devices. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when
maintained or transmitted electronically) provide protections for the use and
disclosure of PHI held or maintained by covered entities and their business
associates, they do not address PHI accessed through or stored on personal
devices owned by individual patients.
• Example: although PHI maintained on electronic devices owned by a covered
entity would be protected from disclosure by HIPAA, once a patient downloads
that information to a personal device, HIPAA would no longer protect it.
• The guidance does provide tips to help individuals protect their own PHI, such as:
• Avoiding downloads of unnecessary or random apps to personal devices; and
• Avoiding (or turning off) permissions for apps to access an individual's location
data. (This reduces information about a person's activities that can be used by the
app or sold to third parties, such as the name and address of health care providers
a person visits.)
TEXTING and HIPAA
• Almost 90% of mobile phone users send SMS
text messages
• Texting has become entrenched in medical
care too
• Many physicians and medical professionals are
sending identifiable health information via
non-secure texting
TEXTING Positives in Healthcare
• Texting CAN provide great advantages in
health care
– Fast
– Easy
– Loud background noise problems are mitigated
– Bad signal issues mitigated
– Device neutral
TEXTING Negatives in Healthcare
• DO NOT TEXT APPOINTMENT REMINDERS WITHOUT
CONSENT IF SUBSTANCE ABUSE OR MENTAL HEALTH IS INVOLVED
• Messages reside on the device and are not deleted
• Very easily accessed by anyone who picks up the phone
• Not typically centrally monitored by IT
• Ordinary SMS is not end-to-end encrypted; it is readable
by the carriers and can be intercepted in transit relatively easily
• HIPAA Privacy Rule right of access applies: if a text message is
used to make a judgement in patient care it becomes part of the
record, and the patient is entitled to a copy of it
• Patient orders must never go over ordinary SMS; if texted at all,
only through a secure, encrypted texting platform
Include Texting in Policies
• Administrative policy on workforce training
(i.e. minimum necessary)
• Appropriate use of texting
• Password protections and encryption
• Mobile device inventory
• Retention period (require deletion of PHI texts from the
device once their content has been captured in the record)
• Use of secure texting applications
THE END
Q&A
www.hipaa-consulting.com
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices