News

5 things to keep your device secure and HIPAA compliant

By February 10, 2017 No Comments

If you are a provider who utilizes mobile technology to access, receive, send or store patient health information, you might want to take a few minutes to refresh yourself and your practice with some of the best practices outlined by the Department of Health and Human Services’ (HHS) Privacy and Security Mobile Device Project.

 

The goal is to help protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). There is a series of 5 videos that despite being styled as late night infomercials, provide some easy to understand tips.

https://www.youtube.com/watch?v=Vz1ddGJn1PM&feature=youtu.be

 

In the meantime, let’s brush up on the basics of Mobile HIPAA. Here are a few reminders on how to keep your client’s Protected Health Information (PHI) private and secure on your phone, tablet or laptop.

 

1. Password Protect your Devices and Applications/Software that Contain PHI

It may seem like an extra time burden to have to enter a password every time you use your phone or tablet, but that process of “unlocking” will keep your data protected if you should lose your device.  Also, having double password, one on the device to unlock it and one to open the software application that you are using (like Maternity Neighborhood) will go a long way to  keeping  information secure  AND it’s required under the HIPAA Security Rule. Most devices have a security or privacy setting in the Preferences or Options menu of the device.

 

2. Don’t Share Your Password

It may sound obvious, but your password is no longer valid or secure if more than one person knows what it is.  The whole point of a password for locking your device is to keep it secure from others.  In terms of your EHR software, your unique login forms your audit log for who accessed the record and when.  Everyone in your practice who is authorized to review client PHI should have their own login in order to be secure and compliant with HIPAA requirements for ePHI.

 

3. Automatic Time-Out

We know it’s a drag, but arranging your device setting to lock after a period of inactivity or “automatic time-out” is a good idea. Especially important for shared devices, like office computers, this is a good way to ensure that the lock is enabled in the event of a theft or loss. If you aren’t using it, the device is automatically locked. Just don’t forget to hit the save button before you walk away from the device, timeouts can sometimes cause you to lose data if you have not saved it!

 

4. Clean Out the Trash and Empty Your Cache

If you store client data on your device for the purpose of managing your workflow, don’t forget to periodically empty those folders where you store data after you no longer need it. For example, you might have a folder on your laptop or tablet that contains current client info. After the birth, you should delete the data that you no longer need. HIPAA guidelines recommend that you create a security policy that includes review of data stored on devices. We suggest that you assign one person in your office to be the Security Officer and they can oversee “wipes” of all PHI from all devices on a regular basis.

 

Also, if you are logging into a secure site for PHI (like Maternity Neighborhood) you should periodically empty your cache. The cache is a saved folder of websites that your browser (like Safari or Explorer) saves on your computer to help you navigate to popular websites quickly. That means that the first or the last page you were on is sometimes available without having to login again. To empty your cache, open up your browser and click on Preferences. You’ll see the option for Empty Cache in the drop down menu. Be sure to do this on a routine basis!

 

5. Train Your Staff, Students, and Clients

As the provider on the team, you are responsible for making sure that everyone around you understands the importance of privacy and security. This ranges from reminding students to refrain from texting information during a birth (!) to explaining to clients that email in not a secure form of communication about their health concerns. There is a lot to understand, but you can start by balancing common sense with a little bit of extra effort on some of the more subtle nuances of keeping information secure in our ever increasing high tech world.

 

Related:

 

Leave a Reply