Demystifying HIPAA: Texting, Emailing, and BYOD

1
HIPAA Texting/Emailing/BYODMyths vs
Realities

• Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP,
  CCNA, Net

www.hipaa-consulting.com
2
Again, the HIPAA Privacy Rule vs. HIPAA Security
Rule whats the difference?

• HIPAA Privacy Rule - defined as the right of an
  individual to keep his/her individual health
  information from being disclosed. Privacy
  encompasses controlling who is authorized to
  access patient information and under what
  conditions patient information may be accessed,
  used and/or disclosed to a third party. The
  HIPAA Privacy Rule applies to ALL protected
  health information.
• HIPAA Security Rule - mechanisms in place to
  protect the privacy of electronic health
  information - includes the ability to control
  access to patient information, as well as to
  safeguard patient information from unauthorized
  disclosure, alteration, loss or destruction.
  Security is typically accomplished through
  operational and technical controls. Since so
  much PHI is now stored and/or transmitted by
  computer systems, the HIPAA Security Rule was
  created to specifically address ELECTRONIC
  protected health information.

3
PRIVACY RULE

• The Privacy Rule covers all Protected Health
  Information(PHI)
• This is information that can identify the patient
  to the health record
• De-identified Information does not have to be
  protected by HIPAA
• Privacy Rule is concerned with guarding the
  confidentiality of PHI in ALL formats paper,
  oral or electronic.

4
Security Rule

• Enforcement began on April 21, 2006
• The Security Rule complements the Privacy Rule.
• While the Privacy Rule pertains to all Protected
  Health Information (PHI) including paper and
  electronic, the Security Rule deals specifically
  with Electronic Protected Health Information
  (EPHI).
• It lays out three types of security safeguards
  required for compliance
• Administrative
• Physical
• Technical
• The Rule identifies various security standards,
  and for each standard, it names both required and
  addressable implementation specifications.
  Required specifications must be adopted and
  administered as dictated by the Rule. Covered
  entities and business associates can evaluate
  their own situation and determine the best way to
  implement addressable specifications.
• RISK ASSESSMENT FOR HIPAA SECURITY MUST BE DONE

5
Business Associate (Definition)

• Business Associates (BAs) are individuals or
  entities who create, receive, maintain, or store
  private health information on behalf of a covered
  entity.
• Example Answering Services, Medical
  Transcription, IT groups, Billing companies,
  shredding services are clearly under the auspices
  of Business Associate

6
COMMON HIPAA VIOLATIONS

• Clinical documentation causing HIPAA violations
• Selecting the wrong person to CC on an e-mail
  containing PHI
• Selecting the wrong patient name
• Selecting the wrong account number, medical
  record number, or subject ID
• Entering the wrong supervising or attending
  physician
• Sharing information about a patient with others
  when there is no reasonfor them to know
• Failure to immediately report any potential
  breach or security incident to the compliance
  officer or your supervisor
• Improper disposal of materials containing PHI

7
TELEMEDICINE

• Quote from Roger Severino (former OCR Director)
• We are empowering medical providers to serve
  patients wherever they are during this national
  public health emergency. We are especially
  concerned about reaching those most at risk,
  including older persons and persons with
  disabilities. Roger Severino, OCR Director.

8
FISHING OR PHISHING

• E-mail phishing is often identified as the origin
  of the breach
• Phishing is a fake e-mail or Website that
  attempts to gather your personal information for
  identity theft or fraud
• Phishing scams usually use a spoofed Website that
  looks very much likethe real Website

9
What is Ransomware?

• Type of malware that prevents or limits users
  from accessing their system, either by locking
  the system's screen or by locking the users'
  files unless a ransom is paid.
• More modern ransomware families, collectively
  categorized as crypto-ransomware, encrypt certain
  file types on infected systems and forces users
  to pay the ransom through certain online payment
  methods to get a decrypt key

10
BYOD
11
Positives

• Provide flexibility
• Streamlines communications
• Increases productivity due to familiarity with
  the device
• Can save the practice or business money (i.e.
  equipment, data plans, etc.)
• Allows for easier tele-working
• Preferred by most staff members
• Employees can use apps which they prefer for
  productivity

12
Negatives

• Who is responsible for support or repair?
• Audit devices for security may be considered
  intrusive and troublesome
• Device compatibility problems
• Problems with monitoring how and where PHI is
  stored
• Encryption?
• Are non-authorized individuals using the device?
  (i.e. kids playing games on phone)
• Theft?
• Weak passwords?

13
DO NOT

• Allow PHI to be written to the mobile device
• Permit integration with insecure file sharing or
  hosting services
• Set it and forget it (always include BYOD in risk
  assessments)

14
Best Practices

• Ensure security updates on the phone are done
• Use multi-factor authentication (i.e. passwords
  and biometrics)
• Encrypt the device using whole disk encryption
  (P.S. a lost or stolen encrypted device is not
  a reportable breach under HIPAA)
• Train staff on appropriate apps and software as
  well as cyber threats
• Force complexity in the passwords
• Perform risk assessments annually to identify
  threats

15
2024 Mobile Devices

• HHS issued guidance addressing the extent to
  which PHI is protected on mobile devices.
  Although the HIPAA Privacy Rule and Security Rule
  (protecting PHI when maintained or transmitted
  electronically) provide protections for the use
  and disclosure of PHI held or maintained by
  covered entities and their business associates,
  they do not address PHI accessed through or
  stored on personal devices owned by individual
  patients.
• Example although PHI maintained on electronic
  devices owned by a covered entity would be
  protected from disclosure by HIPAA, once a
  patient downloads that information to a personal
  device, HIPAA would no longer protect it.
• The guidance does provide tips to help
  individuals protect their own PHI, such as
• Avoiding downloads of unnecessary or random apps
  to personal devices and
• Avoiding (or turning off) permissions for apps to
  access an individual's location data. (This
  reduces information about a person's activities
  that can be used by the app or sold to third
  parties, such as the name and address of health
  care providers a person visits.)

16
TEXTING and HIPAA

• Almost 90 of mobile phone users send SMS text
  messages
• Texting has become entrenched in medical care too
• Many physicians and medical professionals are
  sending identifiable health information via
  non-secure texting

17
TEXTING Positives in Healthcare

• Texting CAN provide great advantages in health
  care
• Fast
• Easy
• Loud background noise problems are mitigated
• Bad signal issues mitigated
• Device neutral

18
TEXTING Negatives in Healthcare

• DO NOT TEXT APPOINTMENT REMINDERS WITHOUT CONSENT
  IF SUBSTANCE ABUSE OR MENTAL HEALTH
• Reside on device and not deleted
• Very easily accessed
• Not typically centrally monitored by IT
• Can be compromised in transmission relatively
  easy
• HIPAA Privacy Rule requires disclosure of PHI to
  patient (i.e. text message is used to make a
  judgement in patient care)
• Patient Orders via Text Must Be Encrypted

19
Include Texting in Policies

• Administrative policy on workforce training (i.e.
  minimum necessary)
• Appropriate use of texting
• Password protections and encryption
• Mobile device inventory
• Retention period (require immediate deletion of
  PHI texts)
• Use of secure texting applications

20
THE END

• QA
• www.hipaa-consulting.com

Register Now