Marrying the BYOD phenomenon to HIPAA compliance

In today's mobile-friendly culture, few people think twice before pulling out their phone or tablet to take a picture. Recently, this cultural affinity for mobile technology has appeared in healthcare settings through the form of "bring your own device" (BYOD) initiatives, which allow employees to use their personal smartphones and tablets to connect to a hospital's network. In fact, the Ponemon Institute reports 81 percent of healthcare providers have adopted some form of a BYOD policy.

As a result, the use of mobile devices in healthcare settings continues to grow. According to a recent HIMSS Mobile Technology Survey, clinician use of mobile technology to collect data at the bedside rose to 45 percent, up from 30 percent last year. Additionally, clinicians using mobile technology to monitor medical device data increased to 34 percent from 27 percent. Those using barcode readers on mobile devices rose to 38 percent from 23 percent.

Many healthcare organizations have readily accepted the BYOD approach because of the convenience and potential cost savings associated with allowing employees to bring their own devices to work. Unfortunately, these benefits can be negated if leadership does not take into consideration the risks associated with the access/movement of patient information outside of the veil of the Health Insurance Portability and Accountability Act (HIPAA).

With the recent HIPAA Omnibus rule having gone into effect as of March 26  -  which presumes providers are guilty of harming patients when data is breached  -  this issue is even more top of mind for healthcare executives considering the severe financial penalties involved.

In September 2012, the Department of Health & Human Services (HHS) reported a Massachusetts hospital agreed to pay $1.5 million to the federal government to resolve allegations it violated HIPAA rules by failing to properly protect patients' protected health information maintained on portable devices.

"The challenge is that mobile technology and all its related benefits have become the norm in real-time communication in our society," said Guillermo Moreno, vice president and managing director of the Experis Healthcare Practice, part of ManpowerGroup. "When applied to the healthcare space, however, a person's privacy and security must be considered equally as important as convenience and cost."

One of the many ways to address security concerns associated with the BYOD phenomenon lies with encryption. According to a 2012 HHS analysis, almost 40 percent of large HIPAA rule violations involved lost or stolen devices. HHS stated: "Had these devices been encrypted, their data would have been secured."

Additionally, when healthcare organizations are considering technologies to facilitate a BYOD program, they should consider applications that:

  • provide HIPAA-compliant document capture, transmission and storage;
  • prevent local storage of patient data on mobile devices; and
  • allow 24/7 secure access to medical documentation.

Ultimately, the security and privacy requirements of HIPAA that are applied to "traditional" transmission methods of medical documents and images need to be applied to the mobile space.

"The sizable financial and regulatory consequence of lax BYOD policies are too important to ignore," said Moreno. "Healthcare leaders need to continually access and update their mobile security technologies to verify that they are HIPAA-compliant not only for the financial well-being of their organizations, but more importantly to ensure the privacy and security in the access to and use of their patients' protected health information."

Lindy Benton has worked in the healthcare information technology field for more than 20 years and is currently the CEO of MEA, which offers solutions that enable secure capture, transmission, storage and retrieval of medical documentation.