Along with the growing usage of mobile devices in the health care field have come an increasing number of experts expressing concern over what they perceive as a lack of effort to protect patient privacy. Beyond the negative effects for patients, breaches of health care data can be extremely expensive for payers, given Health Insurance Portability and Accountability Act (HIPAA) and HITECH regulations. Now, two such experts, in an interview with Fierce Health Payer, have offered a series of tips for payers attempting to “reconcile the advantages of mobile communications with HIPAA requirements and risks.”
One crucial step is to inform patients of the risks that can come with using mobile devices to communicate about health-related matters. They may not understand “the dangers mobile communications present to them in terms of their personal information and identities,” Sherry Ryan of Blue Shield of California told Fierce Health Payer.
Further, payers should be aware of exactly “where ePHI is stored,” and ensure that the destruction process for all records is secure. Also vital is to “know who has ePHI access, and confirm that access is required in current roles.” Further, despite some firms’ “Bring Your Own Device” policy for mobile devices, the experts suggest providing devices to employees for greater data security.
Another potential step in the right direction is to take advantage of an asset management program to keep track of devices. Payers should also make sure to keep all devices technologically up-to-date.
Finally, firms should always “dispose of obsolete devices securely, [and] wipe hard drives or memory cards to prevent ePHI retrieval by unauthorized people.” Overall, providers and payers should exercise caution. As attorney Kirk Nahra of Wiley Rein told Fierce Health Payer, “If the right person can get into your database, you’ve got to make sure the wrong person can’t get in.”
