Page 3 - HIPAA Guard Herald - July 2018 e-Newsletter
HIPAA Guard HERALD
YOUR MONTHLY NEWSLETTER ON SURVIVING HIPAA
#3 If you use your own phone for communication, secure it, else use it at your own risk!

In most cases, technology is ahead of the federal laws, especially with mobile devices or bring-your-own-device (BYOD). The hardware and the software inside those devices may or may not be supported by your facility's central IT department. Whether they are supported or not, they pose security risks to your organization, especially if these devices contain ePHI or access (intentionally or unintentionally) sensitive patient data when they get connected to your facility's network. Remember that these devices are mini handheld computers on which one can easily access, receive, transmit and store PHI.

1. Use of mobile devices to transmit and receive PHI over public Wi-Fi or through email applications that might use unsecured networks, putting PHI at risk of discovery by cyber criminals.
2. Mobile devices have the capacity to store images, which can pose a compliance issue if the photos violate patients' privacy.
3. As most of these gadgets get smaller and smaller, the risk of them being stolen or misplaced is very high, resulting in unintentional loss of protected health information.
4. The ability of mobile devices to store data in the cloud is another risk that your facility might not be able to monitor and control. A Business Associate Agreement (BAA) might be neglected.
5. Mobile apps are not risk free either, and not all are HIPAA compliant. Ask for the app developer's credentials or certifications.

So how are we to address these risks and concerns on mobile device security?

1. As always, run your Risk Analysis and Risk Management, even on these BYODs.
2. Come up with BYOD policies and procedures that outline the appropriate, safe and HIPAA compliant usage of these devices. Make it clear in your policies and procedures whether such devices are allowed or prohibited. Should they be allowed, the standards for their usage must be clearly listed. Also, members of your organization must be aware of who will be responsible for securing them.
3. Conduct regular periodic audits to ensure that your workforce is strictly adhering to the rules and standards set.
4. Password protect and encrypt these devices in accordance with HIPAA technical standards. This is critical because if your encryption meets the HIPAA standards and the device gets lost, then there is no breach and the patient(s) do not have to be notified.
5. Ensure that you can remotely wipe the data on those BYODs should they get lost or stolen, as this can help prevent or minimize the gravity of the impact of a breach.
6. Have in your policies and procedures the steps on how to investigate, document and report a breach. Ensure that your policies and procedures also lay down the corrective actions to take when such an incident occurs.
ISSUE 08
July 2018