Re: Smartphone
Paula Pivko
Description
Collection
Title:
Re: Smartphone
Creator:
Paula Pivko
Date:
10/2/2014
Text:
Hi all...everyone seems to be in the same boat as I am as far as the use of smartphones. Frankly I believe it's easier to go with a digital camera and download at the office later. Furthermore I'd rather never email from my phone again. That's just my opinion on someone way too old for this umm...stuff. These were the most useful replies. I did set up my phone with a remote wipe and lock abilities if it were to get lost or stolen. I can also encrypt files as well. I don't know about iphones but androids have the ability built into the phone. One can also find apps that will let you encrypt the files you pick and now I have one. Mine is called Encryption Manager, there are others. One suggestion was to write up and have the patient sign permission to be allowed to videotape or take pictures of them for medical purposes as well as setting up remote wiping and secure emailing. I also made sure I had SSL connection for emailing. But apparently I still need to set up encrypted emails which is the part that gets frustrating. In any case here is the other response.
You're question really involves a few separate issues. I'll address them each separately as I see them, hope I don’t cause an information overload J : 1) If your email is an Enterprise grade email system but hosted by someone other than yourself (such as Microsoft 365, Rackspace, Google Apps etc.) you'll need a Business Associate Agreement with them to keep your internal e-mail (email sent within the your domain - i.e. the name after the @ symbol in your email address) HIPAA compliant. 2) This will also only help for emails within your domain, and as long as the mobile devices are set to use an SSL encrypted connection with the server (which is a local encryption between the server and phone/device). If you don't have SSL set up, or you're sending emails to other domains the email is not secure and can never be HIPAA compliant without encryption. E-mail can be compared to sending a post card through the mail. It can be viewed easily on the way from one domain server to the next when sent unencrypted. 3) If you're using a standard free webmail account (such as a free Google account, yahoo, etc.), then there's virtually no way to make the email HIPAA compliant without encryption at-rest. This is because even within the same domain, there are multiple servers that might not have encrypted connections between them and the free email accounts don't allow for BAA's. There's actually a great new free encryption tool called Virtru that works great for webmail accounts. It encrypts the emails with an at-rest encryption system, so even when it's sitting on the webmail server it's encrypted. This precludes all need for a BAA, as the webmail provider has no access to the actual data in the email. Even Virtru has no access to the data, they only store the encryption keys. Each email is only unencrypted as you view it on your screen but stays encrypted in storage. 4) There is a risk with having patient information on mobile devices outside of the office. Even if the device is password protected, there would need to be drive encryption enabled on top of that, or else someone can just access the information on the storage drive of the phone directly. Deleting the image is not really a solution, as deleting information from a storage drive doesn't actually remove the file, it just removes the index to the file and allows for it to be overwritten in the future. The actual file is still there and easily accessible to anyone with a little IT knowledge and the right tools. Also, the image is still actually accessible to anyone in the email sent folder as an attachment to the email just sent.This would only actually cause a problem if the device was lost or stolen, but not having safeguards in place is itself non-compliance with HIPAA and leaves you at risk of large fines and penalties in case of a breach (Up to $150,000 for the first breach even for small practices - see this article to put it in perspective <URL Redacted> ). There are many low cost Mobile Device Management tools out there which can enable the company administrator to remote wipe the phone if needed. The cheapest one would be to use the google/icloud systems themselves. Both operating systems allow remote wipe through the account associated with the device. This would entail having all the logins to each device and setting up each device separately, which complicates management of multiple devices. Another option is to enable device storage encryption directly through the device OS (this is in addition to a lock code to access the actual device). This would protect against a breach because even if someone gets their hand on the device, the information will be inaccessible.
You're question really involves a few separate issues. I'll address them each separately as I see them, hope I don’t cause an information overload J : 1) If your email is an Enterprise grade email system but hosted by someone other than yourself (such as Microsoft 365, Rackspace, Google Apps etc.) you'll need a Business Associate Agreement with them to keep your internal e-mail (email sent within the your domain - i.e. the name after the @ symbol in your email address) HIPAA compliant. 2) This will also only help for emails within your domain, and as long as the mobile devices are set to use an SSL encrypted connection with the server (which is a local encryption between the server and phone/device). If you don't have SSL set up, or you're sending emails to other domains the email is not secure and can never be HIPAA compliant without encryption. E-mail can be compared to sending a post card through the mail. It can be viewed easily on the way from one domain server to the next when sent unencrypted. 3) If you're using a standard free webmail account (such as a free Google account, yahoo, etc.), then there's virtually no way to make the email HIPAA compliant without encryption at-rest. This is because even within the same domain, there are multiple servers that might not have encrypted connections between them and the free email accounts don't allow for BAA's. There's actually a great new free encryption tool called Virtru that works great for webmail accounts. It encrypts the emails with an at-rest encryption system, so even when it's sitting on the webmail server it's encrypted. This precludes all need for a BAA, as the webmail provider has no access to the actual data in the email. Even Virtru has no access to the data, they only store the encryption keys. Each email is only unencrypted as you view it on your screen but stays encrypted in storage. 4) There is a risk with having patient information on mobile devices outside of the office. Even if the device is password protected, there would need to be drive encryption enabled on top of that, or else someone can just access the information on the storage drive of the phone directly. Deleting the image is not really a solution, as deleting information from a storage drive doesn't actually remove the file, it just removes the index to the file and allows for it to be overwritten in the future. The actual file is still there and easily accessible to anyone with a little IT knowledge and the right tools. Also, the image is still actually accessible to anyone in the email sent folder as an attachment to the email just sent.This would only actually cause a problem if the device was lost or stolen, but not having safeguards in place is itself non-compliance with HIPAA and leaves you at risk of large fines and penalties in case of a breach (Up to $150,000 for the first breach even for small practices - see this article to put it in perspective <URL Redacted> ). There are many low cost Mobile Device Management tools out there which can enable the company administrator to remote wipe the phone if needed. The cheapest one would be to use the google/icloud systems themselves. Both operating systems allow remote wipe through the account associated with the device. This would entail having all the logins to each device and setting up each device separately, which complicates management of multiple devices. Another option is to enable device storage encryption directly through the device OS (this is in addition to a lock code to access the actual device). This would protect against a breach because even if someone gets their hand on the device, the information will be inaccessible.
Citation
Paula Pivko, “Re: Smartphone,” Digital Resource Foundation for Orthotics and Prosthetics, accessed November 23, 2024, https://library.drfop.org/items/show/236839.