In a hospital BYOD environment, it’s easy to disclose data by sharing a device or its content without realizing you’re causing a data breach.

How to Stay HIPAA Compliant with Mobile Archiving

Bojana Krstić
Jatheon Technologies Inc
5 min read · Apr 16, 2018


According to HIPAA Journal, 81% of physicians use smartphones for professional purposes, but only 38% of healthcare providers have systems in place that ensure secure text messaging. Doctors, nurses and administrators are now allowed to use mobile devices in clinics and hospitals, but very few are aware of the security issues that come with mobile technology or of how serious the consequences can be.

The Inherent Problems of Mobile Devices

So what’s wrong with using a personal or company-provided mobile phone to send electronic Protected Health Information (ePHI) to a patient or another physician? To begin with, phones are rarely managed the way workstations are: few run endpoint protection, host firewalls are uncommon, a device that isn’t enrolled in mobile device management may have no enforced passcode or storage encryption, and a plain SMS travels through the carrier network with no end-to-end protection. Secondly, phones are far easier to lose or steal than servers, desktop computers or laptops; lost or stolen mobile devices account for two thirds of PHI security breaches in the United States. Consequently, there’s plenty of room for sensitive data to be compromised. Finally, in a BYOD environment it’s easy to disclose data by sharing the device or its content without realizing you’re causing a data breach. According to recent research, 39% of all data breaches are caused by internal threats.

Policies and Internal Controls

Most healthcare providers have already developed policies on email management and implemented appropriate technology to prevent data breaches. Also, many of them already archive email to ensure HIPAA compliance. These initial efforts were shaken when physicians and other healthcare employees started using social media, and soon after, mobile texting to write prescriptions, communicate results, access patient records, ask for a colleague’s opinion on a case or follow up with patients. An archiving strategy that only encompassed email suddenly needed to be revised and include new communication channels.

HIPAA and Smartphones

Healthcare providers (covered entities) and business associates (companies that handle patient data on their behalf) are subject to HIPAA, the regulation that governs how medical information is stored, accessed and transmitted in order to protect patient privacy. When medical workers exchange protected health information by text message without the required safeguards, there’s a real chance of a data breach and, whether or not one occurs, a case of non-compliance.

Such practices can result in privacy or security violations with serious legal, financial and reputational consequences for healthcare providers. Imagine a scenario in which sensitive medical information about a patient is exchanged between two specialists via their mobile phones. If not managed properly, that information might sit indefinitely on an unmanaged device, be deleted before it can be retrieved for an audit or a records request, or be viewed by unauthorized persons. Each of these scenarios exposes the provider to a serious HIPAA violation.

Risk Assessment, Policies and Mobile Archiving

Risk assessment is an essential part of any well-designed information governance strategy. The first step is always to research potential threats and pain points thoroughly, interpret the regulations carefully and educate your workforce. HIPAA’s Security Rule requires a documented risk analysis and periodic evaluation of the IT infrastructure and systems you rely on to protect ePHI.

HIPAA never specifies which technology you should use, but it does mandate security measures that ensure PHI is shared over secure channels and can be retrieved later. In addition, the regulation requires organizations to “implement technical policies and procedures that allow only authorized persons to access ePHI”. Non-compliance can result in civil penalties of up to $50,000 per violation, capped at $1.5 million per year for violations of the same provision.

Before purchasing any technical equipment, make sure you’ve implemented the necessary administrative and physical safeguards. Appointing a compliance officer or security official, designing and implementing an information governance policy and training your staff on it are important steps to take first.

Enterprise Information Archiving (EIA) technology can support a covered entity’s HIPAA compliance efforts in several ways. You’ve probably heard of these products when they were called email archiving solutions. Your clinic probably already uses one to capture, store and protect email communication and cover that aspect of HIPAA compliance.

The good news is that most of these solutions have gotten an upgrade, and can now archive much more than email ‒ files, social media content and mobile calls, text messages, MMS and voicemail. But what exactly are the benefits of these compliance solutions?

1. Security

Your archived content is stored on an appliance that’s under your own control, so custody of the data stays with the covered entity rather than with a third-party cloud provider, who would in turn have to be bound by a business associate agreement. The archived files are replicas of the original messages, stored with comprehensive metadata, then indexed and made searchable and retrievable.

This means that, once the archive has captured them, employees can delete emails, mobile messages and call records from their personal devices and so reduce the exposure from a lost or shared device. Meanwhile, a valid copy of all communication remains in your archive, ready to be retrieved for compliance, eDiscovery or audit purposes.

2. Levels of Access

Email and mobile archiving solutions provide role-based access controls, so only authorized personnel can reach sensitive patient information.

3. Audit Control

A major advantage of archiving is the audit trail: a feature that lets admins or compliance officers record and review who accessed which information, and when.

4. Safety First

When you archive enterprise email and mobile content, the information is stored in a tamper-resistant, write-once format that blocks content alteration and improper deletion and makes any attempt to do so detectable.
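To make concrete what an audit trail (point 3) and tamper-resistant storage (point 4) amount to in practice, here is an added illustration that is not Jatheon’s code and not a description of how Jatheon CTRL stores data: a hash-chained, append-only ledger in which each archived message and each access event commits to the entry before it. Altering or removing an entry breaks the chain, and `verify()` reports the first broken position; the head hash kept outside the ledger additionally catches silent truncation of the tail. The phone numbers, message bodies, user names and timestamps are constructed sample data, not real PHI.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the ledger; a gap means something was removed
    prev_hash: str    # digest of the previous entry, which is what links the chain
    record: Dict      # the archived message or access event, with its metadata
    digest: str       # SHA-256 over seq, prev_hash and the canonical record


def _hash_entry(seq: int, prev_hash: str, record: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records always hash identically.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ArchiveLedger:
    """Append-only ledger of archived messages and the access events against them.

    Every entry commits to the one before it, so editing or removing any entry
    breaks the link that follows it and verify() reports the first broken position.
    """

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @property
    def head_hash(self) -> str:
        return self.entries[-1].digest if self.entries else GENESIS_HASH

    def append(self, record: Dict) -> Entry:
        seq, prev = len(self.entries), self.head_hash
        entry = Entry(seq, prev, dict(record), _hash_entry(seq, prev, record))
        self.entries.append(entry)
        return entry

    def archive_message(self, msg_id: str, channel: str, sender: str,
                        recipient: str, sent_at: str, body: str) -> Entry:
        # The replica keeps the original text plus the metadata needed to search it later.
        return self.append({"type": "message", "id": msg_id, "channel": channel,
                            "from": sender, "to": recipient, "sent_at": sent_at, "body": body})

    def log_access(self, user: str, msg_id: str, action: str, at: str) -> Entry:
        # Audit trail: who did what to which archived item, recorded in the same chain.
        return self.append({"type": "access", "user": user, "target": msg_id,
                            "action": action, "at": at})

    def accesses_of(self, msg_id: str) -> List[Tuple[str, str]]:
        return [(e.record["user"], e.record["action"]) for e in self.entries
                if e.record.get("type") == "access" and e.record.get("target") == msg_id]

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute every digest and link. Returns (True, None) if intact, else (False, seq).

        Pass the head hash you recorded out-of-band (for example in a separate audit log)
        to also catch truncation: chopping entries off the tail leaves the remaining chain
        internally consistent, so only the external head exposes it.
        """
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _hash_entry(e.seq, e.prev_hash, e.record) != e.digest:
                return False, i
            prev = e.digest
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_ledger() -> ArchiveLedger:
    """Constructed sample data: two archived texts and two access events (not real PHI)."""
    ledger = ArchiveLedger()
    ledger.archive_message("sms-1001", "sms", "+1-555-0100", "+1-555-0101",
                           "2018-04-16T09:12:00Z", "Pt 4471 K+ 5.9, please review today")
    ledger.archive_message("sms-1002", "sms", "+1-555-0101", "+1-555-0100",
                           "2018-04-16T09:15:00Z", "Seen, repeating labs at 14:00")
    ledger.log_access("dr.ahmed", "sms-1001", "read", "2018-04-17T08:00:00Z")
    ledger.log_access("compliance.officer", "sms-1001", "export", "2018-04-20T10:30:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    head = ledger.head_hash                               # keep this outside the appliance
    print("intact:", ledger.verify(head))                 # (True, None)
    print("who touched sms-1001:", ledger.accesses_of("sms-1001"))
    ledger.entries[0].record["body"] = "Pt 4471 K+ 4.9"   # silently edit an archived text
    print("after edit:", ledger.verify(head))             # (False, 0)
    ledger2 = build_sample_ledger()
    ledger2.entries.pop()                                 # drop the last audit event
    print("truncated, chain only:", ledger2.verify())     # (True, None): not detected
    print("truncated, with head:", ledger2.verify(head))  # (False, 3)
```

The design point worth taking away is the last two lines: a chain on its own proves nothing about entries that were cut off the end, so a real appliance also needs its current head anchored somewhere the archive administrator cannot quietly rewrite, and access to the archive itself is governed by the role-based controls described above.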

Mobile phones can’t be banned from hospitals. What you can do is ensure your hospital staff use them in line with your governance policies and acquire a proper technological compliance solution. Jatheon’s mobile archiving solution, Jatheon CTRL, is a module that can be purchased separately and integrated into our email archiving software. It allows hospitals to archive SMS, MMS, voicemail and phone calls from most carriers around the world, using either carrier-side deployment or Android and iOS apps.

To learn more about HIPAA and email archiving, check out this infographic. You can also take a look at this eBook for some general benefits of information archiving in the healthcare industry.

Originally published at jatheon.com on April 16, 2018.
