This week the Department of Health and Human Services’ (HHS) Office of the National Coordinator (ONC) announced a Privacy and Security Mobile Device Project. The goal is to help protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). This will certainly be welcome information for midwives on the go with their smart devices. You can track the progress and even give your input on this project, which will convene with a roundtable process this Spring at the mHealth Initiative.
In the meantime, let’s brush up on the basics of Mobile HIPAA. Here are a few reminders on how to keep your clients’ Protected Health Information (PHI) private and secure on your phone, tablet or laptop.
1. Password Protect your Devices and Applications/Software that Contain PHI
It may seem like an extra time burden to have to enter a password every time you use your phone or tablet, but that process of “unlocking” will keep your data protected if you should lose your device. Also, having two passwords, one on the device to unlock it and one to open the software application that you are using (like Private Practice), will go a long way to keeping information secure AND it’s required under the HIPAA Security Rule. Most devices have a security or privacy setting in the Preferences or Options menu of the device.
2. Don’t Share Your Password
It may sound obvious, but your password is no longer valid or secure if more than one person knows what it is. The whole point of a password for locking your device is to keep it secure from others. In terms of your EHR software, your unique login forms your audit log for who accessed the record and when. Everyone in your practice who is authorized to review client PHI should have their own login in order to be secure and compliant with HIPAA requirements for ePHI.
3. Automatic Time-Out
We know it’s a drag, but arranging your device settings to lock after a period of inactivity, or “automatic time-out,” is a good idea. Especially important for shared devices, like office computers, this is a good way to ensure that the lock is enabled in the event of a theft or loss. If you aren’t using it, the device is automatically locked. Just don’t forget to hit the save button before you walk away from the device; timeouts can sometimes cause you to lose data if you have not saved it!
4. Clean Out the Trash and Empty Your Cache
If you store client data on your device for the purpose of managing your workflow, that’s fine. Just don’t forget to periodically empty those folders where you store data after you no longer need it. For example, you might have a folder on your laptop or tablet that contains current client info. After the birth, you should delete the data that you no longer need. HIPAA guidelines recommend that you create a security policy that includes review of data stored on devices. We suggest that you assign one person in your office to be the Security Officer and they can oversee “wipes” of all PHI from all devices on a regular basis.
Also, if you are logging into a secure site for PHI (like Private Practice) you should periodically empty your cache. The cache is a folder of website data that your browser (like Safari or Explorer) saves on your computer to help you navigate to popular websites quickly. That means that the first or the last page you were on is sometimes available without having to log in again. To empty your cache, open up your browser and click on Preferences. You’ll see the option for Empty Cache in the drop-down menu. Be sure to do this on a routine basis!
5. Train Your Staff, Students, and Clients
As the provider on the team, you are responsible for making sure that everyone around you understands the importance of privacy and security. This ranges from reminding students to refrain from texting information during a birth (!) to explaining to clients that email is not a secure form of communication about their health concerns. There is a lot to understand, but you can start by balancing common sense with a little bit of extra effort on some of the more subtle nuances of keeping information secure in our ever-increasing high-tech world.