“My friend’s company lets her use her phone at work,” a resident tells you. “Find a way to make it work,” mutters your facility administrator while keeping his eyes glued to his iPhone. Whether they like it or not, healthcare compliance officers and CIOs are facing a growing dilemma. Seemingly everyone in their organization wants to adopt a bring your own device (BYOD) mobile policy, and the appeal of giving employees easier access to data typically drowns out the lingering question of who controls that data once it sits on a personal phone.

If you find yourself considering a BYOD policy, start with your risks. As any OCR/HHS official or hospital CIO who has worked through a data breach will tell you, a security risk analysis is the foundation of a HIPAA compliance plan; the Security Rule requires one. So what are the unique risks of adopting a BYOD policy in the healthcare world?
The first concern a CIO or CCO should weigh is the transmission of PHI between providers by text message. Even when the communication is treatment related, the HIPAA Security Rule requires safeguards for PHI sent over electronic networks, and ordinary SMS/MMS offers none: messages are not end-to-end encrypted and pass through, and may be stored on, carrier systems in plaintext. With work and personal contacts intermingled in one address book, the risk of inadvertently sending PHI to someone outside the organization is ever present, and a misdirected, unencrypted text is a disclosure you may have to report.
The second risk is the storage of PHI in a device’s native texting application. Coordinating patient care across a team through a series of text messages can yield great benefits, but the transcript each participant accumulates is PHI at rest, and it is an enormous liability if it is not encrypted on the device. Under the Breach Notification Rule, a lost or stolen phone holding unencrypted PHI is presumed to be a breach, so the workforce member who loses that phone has just obligated the Privacy Officer to notify OCR and the affected patients. PHI encrypted in line with HHS guidance, by contrast, is considered secured, and losing the device is not a reportable breach. The practical caveat: a smartphone’s built-in encryption is only as strong as the lock-screen credential that protects its keys, so a BYOD policy has to mandate a passcode, verify that encryption is on, and be able to wipe a lost device remotely.
The third risk to assess when rolling out a BYOD policy is the third parties: any vendor behind a phone application that has access to PHI. As the HIPAA Omnibus regulations made clear, cloud-based vendors that store PHI are business associates under the law, whether or not they ever view the data. A facility that neglects to sign business associate agreements with these data-storing providers is exposed to sanctions the moment a reportable security incident occurs or a HIPAA audit arrives.
CIOs and CCOs need to weigh these risks carefully before rolling out a full BYOD policy. Practically speaking, clinical communication over personal phones is probably already happening at your facility, BYOD policy or not. Identifying and mitigating the risks that smartphones introduce will save hospital administrators major headaches should OCR come knocking on the door.
With over two decades of technology entrepreneurship experience, Krishna Kurapati started QliqSOFT with a strong desire to solve clinical collaboration and workflow challenges in US healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.