Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Improve Usability but Mind HIPAA if Using Personal Mobile Devices for Work.” The full text can be found in the September 28, 2015, issue of Medical Practice Compliance Alert, but a synopsis reflecting our comments is included below.
Medical practice communications are increasingly mobile, with a reported 83% of physicians using mobile technology to provide patient care and 71% of nurses doing the same, according to a mobile technology survey from the Healthcare Information and Management Systems Society (HIMSS). Mobile devices, however, must be managed carefully to avoid creating an undue HIPAA security risk.
Some steps to protect patient data when using mobile devises include the following:
- Health care providers should use encryption to make mobile devices more secure. Email programs should be able to assure that the message cannot be read until it has been transmitted to the provider’s device. Kline warns, “A password on a phone is not encryption.”
- Providers should get informal messages and conversations from mobile devices, such as text messages, into the patient’s medical record. Kline says, “Have you made an entry [of the informal message or conversation] in the record? If not, the medical record is not accurate.”
- “Providers should be sure to obtain patient consent to communicate by mobile device as well,” says Litten. This is especially important if the communication may be unsecured.
- Avoiding the lack of discipline that mobile devices often encourage, such as non-medical shorthand, is crucial. Kline says, “Communications over mobile devices are more likely to contain misspellings and other errors, which can create malpractice liability and are not best practice when communicating treatment.”
The ever-increasing utilization of mobile devices in the delivery of healthcare services to patients is placing greater demands on those providers who are subject to, and those who are drafting, implementing and enforcing, HIPAA policies and procedures.