Technology
Ensure HIPAA compliance with technology policies for staff
In an era of omnipresent mobile devices, be sure your practice has a strategy to handle any contingency.
Candace Simerson, COO, COE Minneapolis
You’d be hard pressed to find somebody who doesn’t carry at least one mobile device at all times these days. These devices give staff increasingly convenient tools for communication. Unfortunately, in a medical setting, employees’ habit of bringing a mobile device to work can create compliance and data security challenges. As technology continues to evolve, it is important to update policies continually to minimize the risks associated with mobile device use.
This article considers some specific challenges and measures your practice can take to avoid them.
It is your responsibility
The responsibility for protecting a patient’s protected health information (PHI) falls on the HIPAA-covered entity (i.e., your practice), whether that information is accessed from a practice-owned or a personally owned device. The covered entity is obligated to implement safeguards against unauthorized access to this information.
Practices attesting to meaningful use are additionally required to conduct an annual security risk analysis. That analysis should lead to more diligent monitoring and scrutiny of how PHI is accessed.
In the event of a breach...
Inevitably, data security breaches will occur. Before one happens, develop a mechanism that makes it easy both to report an incident and to have it reviewed. Routinely coach and train all managers and the compliance, privacy and security officers in their responsibilities so they know which steps to take when a breach occurs.
Learning from experience
When you experience a breach, consider what changes to your technology and technology policies would mitigate the risk of a repeat.
For example, shortly after our practice completed its baseline security risk assessment, it came to our attention that one of our staff members had loaned her cellphone to a family member. The person she loaned the phone to opened our staff e-mail and used it to send out messages, and that e-mail account potentially contained PHI. At that time, we did not require a password, encryption or any authentication step to access a practice e-mail account from a phone. Immediately after that incident, we implemented an authentication requirement for access to any practice e-mail account from a mobile device.
We also now discourage non-management staff from syncing work e-mail to their mobile phones. Users who do sync their phones must complete a forced device-encryption step before access is granted.
One other change: our IT department can now see which phones are synced to the practice’s e-mail and can disable a phone’s access immediately if necessary. Upon employment termination, for example, access is disabled at once.
A word about password sharing: never
A particularly challenging risk involves users who share passwords. As an example, let’s say a clinic support person logs into the system using the doctor’s username and password. Under the HIPAA Privacy and Security Rules, the practice’s written policy will contain language such as: Employees are not permitted to share their passwords or to use another employee’s account login and password under any circumstances. The practice has now violated its own policy, creating liability and failing to meet meaningful use standards. On its face, sharing a password appears to promote efficiency by saving keystrokes and time. However, it destroys the required audit trail, because every action is attributed to the doctor regardless of who actually performed it, and it creates a way to sidestep the review process that checks the accuracy and validity of patient documentation.
Understanding the risk
Imagine this hypothetical situation: A physician sees a patient for a routine eye exam, and a staff member documents all of the information in the patient’s record while working under the physician’s login. The patient knows the staff member and requests pain medication that can be submitted through an e-prescription system. The staff member documents a patient complaint of pain, then either submits an electronic prescription or prints a paper prescription for Vicodin and signs off on the chart on the physician’s behalf. Unless this patient’s record is audited or pulled for some other reason, the unauthorized prescription for narcotics may never be caught. If, however, the physician reviews and signs off on each of his or her own charts, there is far less opportunity for a staff member to do something inappropriate or to make an inadvertent documentation mistake.
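The two scenarios above turn on the same point: once a login is shared, the audit trail can no longer say who did what. As an added example (not from the article or the practice it describes), the script below shows the kind of check that audit trail supports when it is intact: it reads EHR audit-log lines, finds an account that is logged in on two workstations at the same time, and lists the actions taken during the overlap, such as an e-prescription or a chart sign-off, that can no longer be attributed to one person. The log format, field names, user and workstation names, and the sample lines are all constructed for this example; real EHR audit exports differ.

```python
"""Flag one user account active on two workstations at once in EHR audit logs.

Added example, not code from the article. The log format (timestamp, user,
workstation, action) and the sample lines below are constructed for this
example; adapt parse_log() to the audit export your EHR actually produces.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines. "drsmith" is used on two workstations at
# the same time: the exam room and the front desk.
SAMPLE_LOG = """\
2014-03-04T09:02:11 drsmith WS-EXAM1 login
2014-03-04T09:05:40 drsmith WS-EXAM1 view_chart:MRN1001
2014-03-04T09:06:02 drsmith WS-FRONT2 login
2014-03-04T09:07:15 drsmith WS-FRONT2 erx_submit:MRN1001
2014-03-04T09:08:30 drsmith WS-EXAM1 sign_chart:MRN1001
2014-03-04T09:20:00 drsmith WS-FRONT2 logout
2014-03-04T09:30:00 drsmith WS-EXAM1 logout
2014-03-04T10:00:00 tech_amy WS-FRONT2 login
2014-03-04T10:10:00 tech_amy WS-FRONT2 view_chart:MRN1002
2014-03-04T10:15:00 tech_amy WS-FRONT2 logout
"""


def parse_log(text):
    """Parse lines into (timestamp, user, workstation, action), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, ws, action))
    return sorted(events)


def build_sessions(events):
    """Group events into sessions keyed by (user, workstation).

    A session runs from a login to the matching logout; if no logout is ever
    seen, the session is treated as ending at its last recorded activity.
    """
    open_sessions = {}
    sessions = []
    for ts, user, ws, action in events:
        key = (user, ws)
        if action == "login":
            open_sessions[key] = {"user": user, "ws": ws, "start": ts,
                                  "end": ts, "actions": []}
        elif key in open_sessions:
            session = open_sessions[key]
            session["end"] = ts
            if action == "logout":
                sessions.append(open_sessions.pop(key))
            else:
                session["actions"].append((ts, action))
    sessions.extend(open_sessions.values())
    return sessions


def find_shared_logins(sessions):
    """Report every pair of sessions where one user overlaps on two workstations.

    Each finding carries the actions performed (from either workstation) inside
    the overlap window: those are the entries no audit can attribute to a person.
    """
    by_user = defaultdict(list)
    for session in sessions:
        by_user[session["user"]].append(session)

    findings = []
    for user, user_sessions in by_user.items():
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a["ws"] == b["ws"]:
                    continue
                overlap_start = max(a["start"], b["start"])
                overlap_end = min(a["end"], b["end"])
                if overlap_start >= overlap_end:
                    continue
                unattributable = sorted(
                    act for s in (a, b) for act in s["actions"]
                    if overlap_start <= act[0] <= overlap_end)
                findings.append({"user": user,
                                 "workstations": sorted([a["ws"], b["ws"]]),
                                 "overlap": (overlap_start, overlap_end),
                                 "actions": unattributable})
    return findings


def audit(log_text):
    """Run the full check over raw log text and return the findings."""
    return find_shared_logins(build_sessions(parse_log(log_text)))


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding['user']} active on {finding['workstations']} "
              f"from {finding['overlap'][0]:%H:%M:%S} to {finding['overlap'][1]:%H:%M:%S}")
        for ts, action in finding["actions"]:
            print(f"  {ts:%H:%M:%S}  {action}  <- cannot be attributed to one person")
```

On the constructed sample the script reports one finding: the physician’s account open in the exam room and at the front desk at the same time, with the e-prescription and the chart sign-off falling inside the overlap. A check like this only works because each person has their own login; with shared credentials there is nothing left in the log to compare.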
A culture of confidentiality
To avoid these troubling situations, encourage a culture of confidentiality within your practice. Begin by developing a written, enforceable policy that addresses both practice-owned and personally owned devices. Include guidelines for acceptable use of mobile devices, data security procedures, use of passwords, reporting processes for loss or theft, and the steps required to wipe confidential data before a device is traded in or transferred.
Often, the practice’s legal counsel or malpractice carrier can provide a policy template to review and modify as a starting point. Consider implementing technology controls such as remote wipe and device location.
New employees must be educated about confidentiality, patient privacy and data security protocols during their orientation.
Ongoing staff education is crucial for maintaining awareness, bringing fresh incidents to your attention, providing a platform for training on evolving regulations and new technologies, and ensuring compliance with existing policies and procedures. A culture of rigorous attention to security will minimize risk.
Candace S. Simerson