Healthcare providers and healthcare-related businesses are subject to the same pressures to adopt new information-management technologies as any modern business, including portable devices such as smartphones and tablets. Using modern technologies can help improve patient care, and therefore the overall patient experience, while cutting costs and improving operational efficiency.
But healthcare-related businesses that manage personal information also have obligations to protect individually identifiable information about individuals’ health, health care, health care services, and payment for such services, known as “PHI,” or Protected Health Information, under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. HIPAA enforcement is on the rise, and mobile devices have shown themselves to be a major source of breaches, according to information published on the US Department of Health and Human Services website identifying large breaches affecting more than 500 individuals, known informally as the “HIPAA Wall of Shame.” Under the HIPAA Security Rule, covered entities and their business associates have an obligation to consider the security of information in motion and at rest and to take the required steps to protect it against improper uses or disclosures. When PHI is sent to a portable device as a text message, as an e-mail, or by another communication method, such as a browser or an app, there are two considerations.
First, is the communication secure? Do we know who the communicating parties are, and is the method of communication protected from interception or alteration? Proper authentication and authorization of both the device and the user must be in place, including requirements that the user of the portable device be identifiable and auditable. Any actual transmission of data containing PHI must be secured by encryption to manage the risks of exposure or alteration. The only reasonable exception would be communication with an individual (a patient, not a staff member or business partner) who has exercised their rights under HIPAA and has specifically requested unencrypted communications, has had the risks of doing so explained to them, and has accepted those risks.