HIPAA, Mobile Devices, and Your Practice: Policies, Anyone?

May 26, 2011
Marisa Torrieri

When personal computing devices are used in a professional capacity - namely for the access and transmission of patient data - it may be necessary for a practice to set guidelines for use.

Behind every cool gadget and mammoth-size EHR system, HIPAA looms like a large sleeping animal. One false move by a provider (for example, sending an unsecured e-mail) will awaken the beast and potentially unleash dire consequences.

The consequences of data breaches are becoming even more obvious these days to practices now that a growing number of providers are adopting various sorts of mobile technology.

Just the other day, in fact, I listened to a “how-to” webinar on mobile devices and HIPAA compliance, co-sponsored by HIMSS and BoxTone, which makes mobile device management technology. Even though the broadcast focused mainly on how enterprise-size healthcare organizations can deploy large-scale IT security solutions, the topic of mobile devices and HIPAA does raise some important - and still largely unaddressed - questions for small practices.

For example, what happens when providers who use a media tablet like the iPad, or who have patient data on said tablet, leave the practice? If the tablet is theirs, do they get to take that data with them? Should physicians be allowed to use their own personal devices, like media tablets, or should practices purchase those for them? What kinds of security considerations should there be for mobile-device-minded practices that lack the resources to hire an IT staff?

For example, practices may want to determine what kind of e-mail communication between physicians and patients is necessary and appropriate, and create a policy that reflects that. Don’t forget to include e-mail communications through mobile devices. Should e-mail communications ever take place outside of the office, or en route to the office (or somewhere else)? If so, under what circumstances? Whatever the decision, formalizing it by creating a policy is the best way to avoid confusion. (The policy should also cover the not-always-secure practice of physicians e-mailing themselves.)

Regardless of its size, a practice that establishes its own policies and procedures about mobile devices and patient data transmission will be better protected in the future.

“You want to ensure that everyone is using those policies, and make sure you don’t have a compliance problem within the organization,” Dan Dearing, group director of mobile strategies for BoxTone and one of the webinar’s speakers, told Physicians Practice. “Policies are much easier to implement if there’s three or four doctors, versus if you’ve got a workforce of 25,000.”

What are your thoughts on the subject? Does your practice have any internal policies regarding mobile devices such as media tablets? Post your response below.