Over the last few years, mobile technology has made enormous contributions in the healthcare sector, with tablets and smartphones equipped with medical applications for calculating medication dosages, reading EKGs, looking up differential diagnoses and associated symptoms, and searching for references. According to a study done by Spyglass Consulting Group in 2010, about 90% of healthcare providers now carry smartphones.[1] These smartphones are especially useful and powerful because of their size and their ability to make phone calls, send instant/text messages, access the web, and run a huge selection of medical applications. These features make the smartphone an extremely favorable tool for physicians. In a study done at a Level 1 trauma center in Arizona, 94% of trauma surgeons agreed that using smartphones as a means of wireless communication increased their efficiency.[2] They reported that the use of smartphones improved the speed and quality of communication, increased the accessibility of other surgeons, and improved physician response time by giving physicians complete and accurate patient information well in advance.
However, with increased access to patient information on mobile devices comes the ever-increasing danger of breaching confidential protected health information (PHI) and of violating the Health Insurance Portability and Accountability Act (HIPAA). A single HIPAA violation can cost anywhere from $100 to $50,000.[3] A study conducted by Whipple (2012) at Indiana University School of Medicine surveyed third-year medical students on their knowledge of privacy and security issues concerning mobile devices.[4] The study demonstrated that the majority of students understood how to protect PHI; however, it also highlighted that there were still many issues that many students were unsure how to deal with, due to the lack of standard guidelines as well as the recent boom of social media. The following are a few of the security issues regarding mobile devices that have been identified by experts, along with their solutions for compliance with HIPAA.
- Smartphones and tablets should always be locked with a passcode in case of theft or unauthorized use. Emails containing PHI should only be sent via encrypted email accounts, which most hospitals issue to their employees. Another factor to remember is that some devices have external memory cards which can be removed. The best policy is to not store confidential information on mobile devices at all and to use instant messaging applications which only store conversations temporarily.[5,6]
- Ensure the mobile device has encryption capabilities, and if not, install an encryption application.[7]
- Ensure that the Wi-Fi network over which you access or send confidential PHI is secure; do not use public Wi-Fi networks.[7]
- Mobile devices that contain PHI should have a "remote wiping" feature so that if the device is lost, the owner can delete all sensitive PHI from it remotely, thereby protecting confidential patient information.[5]
- Unintentionally sending confidential information to the wrong recipients when in a rush can lead to a breach of confidentiality. Take the time to double-check the recipient of your messages, and check that the device did not erroneously "auto-fill" or "auto-correct" any part of your message.[5]
- Another potential danger of mobile devices is their ability to connect both to the external internet and to the local hospital network, introducing the potential for transferring malicious software such as Trojan spyware. Such malware can take screenshots or log keystrokes and transmit them to outside parties. To minimize this risk, mobile devices and all hospital computers should have security software installed and updated regularly. In addition, limitations can be placed on mobile device access to the local network.[7]
- Do not use file sharing applications, because these allow outside parties to access your mobile device.[7]
- Research apps before you download them so that you know what they are capable of doing and can confirm that you approve.[7]
- It is also important to have procedures in place in the event a breach occurs. There are federal laws that require organizations to notify affected patients.[5]
- Remember to remove all PHI from the mobile device before discarding it or giving it away.[7]
- Most importantly, as pointed out on the Ober-Kaler law firm website, medical institutions need to be aware that this new aspect of healthcare will only continue to grow and that guidelines are necessary for regulating its use. Risk assessments should be conducted and appropriate training required of all employees.[9]
One area in desperate need of appropriate employee training is social networking, most notably posting on social media sites such as Facebook. A Nucleus Research study (2009) reported that about 77% of employees have a Facebook account, and about two-thirds of those employees access their accounts during work hours.[10] It is important for healthcare workers to understand that simply removing a patient's name does not make posts to Facebook or Twitter exempt from HIPAA rules.[11] If the identity of the patient can be pieced together from whatever is posted online, it is still considered a violation of HIPAA.
Mobile devices and their seemingly endless potential for efficiency and quality of patient care are indeed exciting for the future of healthcare. However, they need to be thoroughly and carefully regulated by each medical institution in order to protect not only the patients and their families, but also the employees and employers. The first step is to acknowledge all the possible dangers and pitfalls of this new technology, and then to properly train all employees in how to use these powerful tools to improve patient care. For more information, the Office of Civil Rights and the Office of the National Coordinator for Health Information Technology launched an initiative offering advice to healthcare providers on how to protect PHI, called Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.
1. Point of Care Communications for Physicians. Menlo Park, CA: Spyglass Consulting Group, 2010.
2. Joseph B, Pandit V, Khreiss M, et al. Improving Communication in Level 1 Trauma Centers: Replacing Pagers with Smartphones. Telemed J E Health. Mar 2013; 19(3): 150-154.
3. 42 U.S.C. § 1320d-5(a) (2010).
4. Whipple EC, Allgood KL, Larue EM. Third-year Medical Students' Knowledge of Privacy and Security Issues Concerning Mobile Devices. Med Teach. 2012; 34: e532-e548.
5. Consoli A. Data Security is Key When Using Mobile Devices. Medical Economics. Nov 10, 2012.
6. Bones E, Hasvold P, Henriksen E, Strandenaes T. Risk Analysis of Information Security in a Mobile Instant Messaging and Presence System for Healthcare. Int J Med Inform. 2007; 76: 677-688.
7. HealthIT.gov. Mobile Device Privacy and Security: How Can You Protect and Secure Health Information When Using a Mobile Device?
8. Brost D. Identifying the Most Vulnerable Devices to HIPAA Compliance. Health Management Technology. Feb 2013.
9. Swank SE. Are Your Mobile Devices HIPAA Compliant? Practical Steps to Ensure Compliance. Ober-Kaler website. 2013.
10. Nucleus Research. Facebook: Measuring the Cost to Business of Social Networking. July 2009.
11. AIS Health. HIPAA Dangers Lurk on Facebook; Ongoing Policy Revisions Are Advised. Nov 11, 2011; 11(11).