03-06-13 | Blog Post
Online Tech is exhibiting our HIPAA hosting solutions, including HIPAA compliant clouds, for the healthcare industry at HIMSS 13 in New Orleans this year! Tune into our Twitter and follow our blog for updates on the latest HIMSS 13 news.
If you’re at HIMSS 13, visit booth #1369 to say hi or schedule a free one-on-one consultation with a panel of health IT experts.
Mobile Devices: The Legal Landscape and Adopting Appropriate Policies
Description: Mobile devices in healthcare are becoming ubiquitous with doctors using iPads to improve workflow and hospitals adopting BYOD policies. This session will discuss the legal landscape of mobile health.
Speaker: Brian Balow, JD
Mobile devices present new security threats: the device can be lost, it can be accessed by unauthorized people, and it is used to interact with sensitive data.
Consider the ways that employees are using devices for social media, random websites, and even texting PHI to patients directly.
If there’s no policy in place, that leaves the enterprise vulnerable.
48 states now have breach notification laws in addition to HIPAA and the Federal Trade Commission Act. You need to bake knowledge of these breach notification requirements into your policies.
Wage and hour laws: If you allow BYOD and you don’t have good control over how the devices are used, people who use them at home can be viewed as working during those hours. If they are non-exempt, they can have rights to overtime pay. Be clear about when they are using their devices for personal use vs. professional use.
Malpractice issues: Physicians are increasingly using mobile devices to consult with each other. Live streaming and other collaboration tools facilitate consultation across state lines, which can raise issues about practicing medicine in other jurisdictions. Physicians might also unknowingly create a provider-patient relationship via mobile devices.
Legislators are worried about the safety, security, and reliability of mobile devices used in health care; the bodies involved include the FDA, the Office for Civil Rights, NIST, and the FCC. NIST is not involved on the enforcement side, but is involved on the standards side. NIST has some good information available on its website relating to technical security. The FCC has bandwidth interests, and the FDA may be involved if your mobile device can be considered a medical device. It’s possible that your mobile device can be converted into a medical device without the hospital or the software app developer knowing about it.
State regulators are starting to pay closer attention. For example, California created a dedicated privacy program.
Enforcement bodies include the Office for Civil Rights, which enforces HIPAA/HITECH; the FTC, which protects consumers; and state Attorneys General, who are now enforcing HIPAA as well. Examples: the Alaska Department of Health and Human Services paid a $1.7M fine. Recently, Hospice of North Idaho settled for $50,000 over a breach affecting fewer than 500 individuals. The FCC just reached a settlement with HTC on security vulnerabilities. Does this now put an obligation on covered entities and business associates to vet mobile devices before implementing them in a BYOD environment?
The final HIPAA Rule came out and made it clear that there are no more excuses – especially for business associates. HIPAA now applies directly to all business associates. Civil and criminal penalties are possible for unauthorized PHI disclosures. The OCR website has good information available about the safeguards that need to be addressed.
Considerations include making sure you understand how your IT enterprise fits into the various regulations, and understanding the economic pros and cons of enabling BYOD in your enterprise. CIOs need to balance enabling the workforce with protecting sensitive data. It’s a lot easier to control the hardware and privileges on devices the organization owns. Do a formal risk assessment and use it to determine IF BYOD should be adopted in the first place – it may not make sense for your organization.
Make sure to involve senior management in the stakeholder group for resources and support throughout the enterprise. Also include the CMIO, CIO, CPO, the IT staff who need to support BYOD on a daily basis, legal resources, and HR.
BYOD brings many different groups of policies into play that need to be interwoven, including acceptable use, security, social media, and many more.
Policy enforcement is key. Even if you have thorough documentation of policies and procedures, you must train staff on the mobile device policies and reinforce them to prove due diligence. The new HIPAA final rules go into effect March 26th, 2013.
HIMSS 13 Annual Conference