With the introduction of mobile technology in health care, providers have understandably had to endure some difficult transitions. Maintaining compliance with HIPAA has been one particular challenge, especially as the health care industry has increasingly become an enticing target for hackers. However, new developments may make it easier for providers to adhere to HIPAA and ensure the safety of their patients' information.
Determining the best HIPAA compliance strategy
The Department of Health and Human Services' Office for Civil Rights recently launched a website to collect information from health care and tech industries to understand how they currently comply with HIPAA guidelines. The agency will then use this information to determine how it can create mobile health-specific guidance for HIPAA.
While some of the existing HIPAA guidelines are broad enough to apply to mobile health, there is demand for mobile-specific HIPAA guidance, which is why the agency created the website, Jeffrey Dunifon, an associate attorney in the technology and communications practice at Baker & McKenzie, LLP, told Healthcare IT News.
"One of the questions that's very interesting is, 'What is our scope of compliance?'" Dunifon said. "That is a good question, especially for companies not exclusively dealing with health care. And the answer to that question goes back to how a company is conducting its risk assessments. The most important factor in HIPAA compliance is diligence, and taking reasonable and good faith measures to control risk."
According to Dunifon, providers also question whether patient-generated data is guarded by HIPAA and how much effort they should put into protecting it. Dunifon said the key to answering these questions is to look at them from a more general standpoint, where rules may already exist, rather than as concerns specific to mobile health, where the lines can blur.
How providers can take action in the meantime
For now, the Office of the National Coordinator for Health Information Technology has created resources for providers to understand how to enforce HIPAA in mobile health technology. One outlines the necessary steps to increase device privacy: decide, assess, identify, develop, document, implement and train.
First, providers need to determine which devices will contain patient health data, then consider the risks of storing this information on mobile devices. With this in mind, providers are expected to create a strategy to combat these risks and develop protocols that staff can follow to ensure the strategy is enforced. The final piece of the plan is training.
In another resource, ONC emphasized using strong passwords or other authentication systems, encrypting devices, installing security services like remote wiping and firewalls, and consistently updating this software.
Employees must be educated about and reminded of these security steps. A recent survey from Verizon found that human error could account for a large share of the access points exploited by hackers in the past year. While the government continues to shape standards to help the health care industry apply security best practices to all this new technology, it is still up to providers to develop their own plans.
Since some of this compliance comes from training, you'll need to work to make sure your employees know how to use and protect any technology containing sensitive patient data. For resources and seminars to educate your staff, visit Professional Medical Services today.