
Healthy Perspectives: Summer 2016

July 27, 2016

Privacy Protections: Making Mobile Devices More Secure

In our technologically sophisticated society, private information is more exposed than ever before. At the same time, physicians increasingly use smartphones, tablets and laptops to access health care data, often from outside the office. This raises a number of security and privacy concerns.

Following the Rules

Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), known as the Administrative Simplification (AS) provisions, created national standards for electronic health care transactions. Title II covers a lot of ground, but two aspects are particularly relevant to mobile security:

  1. The Privacy Rule. This concerns the use and disclosure of Protected Health Information (PHI) held by “covered entities.” Covered entities are health plans (including employer-sponsored plans), health care clearinghouses, and health care providers that transmit health information electronically. Their business associates, which handle PHI on their behalf, are bound by the same restrictions.
  2. The Security Rule. Unlike the Privacy Rule, which applies to all PHI (both paper and electronic), the Security Rule applies specifically to electronic PHI (ePHI). It describes three types of security safeguards: administrative, physical and technical.

Understanding HIPAA and Mobile Devices

Mobile devices often transmit and receive PHI over public Wi-Fi, through consumer email applications, or across unsecured mobile networks, which puts PHI at risk of interception. In addition, most mobile devices can now take and store photographs, and a photo that identifies a patient is PHI like any other record. Phones and tablets also commonly sync data to cloud storage, so PHI saved on the device may be copied to a third-party service the practice doesn't control, while the device's own cache, photo library and mail store still hold local copies.

The primary concern is how a doctor accesses patient information. If a physician uses a smartphone, tablet or laptop only to view an Electronic Health Record (EHR) over an encrypted connection, the security of the record largely rests on the EHR system's controls. But if the physician saves EHR data or photos to a computer, tablet or phone, that device now holds PHI, and if it is lost or stolen while unencrypted, the practice faces a reportable breach and the liability that comes with it. Encryption is the key distinction: PHI encrypted in line with HHS guidance is treated as unusable to whoever finds the device, and its loss does not trigger breach notification. Note that data which has been properly de-identified is not PHI at all, but data that still identifies a patient remains PHI wherever it is stored.

Data viewed through a browser is encrypted in transit only when the connection uses HTTPS; EHR portals normally enforce this. Physician-to-patient email outside the portal is a different matter. Ordinary email is not reliably encrypted end to end, and messages sit on mail servers the practice doesn't control, so such communication may fail to meet the Security Rule's transmission-security requirements unless an encrypted messaging service is used.

Taking Basic Security Precautions

The Security Rule requires covered entities to protect the confidentiality, integrity and availability of electronic PHI. Access control, one of its technical safeguards, involves more than passwords: each user needs a unique login, sessions should lock automatically after inactivity, and each person's access should be limited to what his or her role requires. Physicians need to fully evaluate which staff members require access and provide training in security protocols.

Part of physical and technical security involves encrypting patient data, both on the device and in transit. It also involves protecting screens from shoulder surfing, for example by positioning monitors away from waiting areas and using privacy filters, so that people who shouldn't have PHI access can't read it off a display over the shoulder of someone who does.

For most practices, it's a good idea to document each device's purpose and limit who may use it. The next step is to determine how each device should be configured to make it compliant, which typically means a passcode, device encryption, automatic locking, the ability to wipe it remotely if it is lost, and current software updates. Doing so may require hiring a HIPAA compliance expert in addition to an IT expert.
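The device inventory and configuration baseline described above can be made checkable. The following is an added example, not code from the original post: a small Python script that audits a constructed inventory against an assumed minimum-safeguard baseline. The field names, the baseline values (passcode length, auto-lock timeout, minimum OS versions) and the three sample devices are all assumptions chosen for illustration; a real practice would take its values from its own policy and from the device-management tool it uses.

```python
"""Added example: audit a constructed device inventory against a minimum-safeguard baseline.

Not code from the original post. The baseline values, field names and the
sample inventory below are assumptions chosen to illustrate documenting each
device's purpose, limiting who may use it, and checking how it is configured.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed baseline: the minimum technical safeguards a practice might require
# before a device may hold or display PHI. Values are illustrative, not HHS rules.
BASELINE = {
    "max_autolock_seconds": 300,   # screen must lock within 5 minutes of inactivity
    "min_passcode_length": 6,
    "min_os": {"ios": (16, 0), "android": (13, 0), "windows": (10, 0)},
}


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                 # "ios", "android" or "windows" (assumed labels)
    os_version: tuple             # (major, minor)
    purpose: str                  # documented purpose, e.g. "exam-room EHR access"
    stores_phi: bool              # holds PHI locally (photos, cached records, email)?
    encrypted: bool               # device encryption enabled
    passcode_length: int          # 0 means no passcode
    autolock_seconds: int         # 0 means the screen never locks
    remote_wipe: bool             # enrolled so it can be wiped if lost or stolen
    allowed_users: list = field(default_factory=list)


def check_device(d: Device, baseline: dict = BASELINE) -> list[str]:
    """Return the safeguard findings for one device; an empty list means compliant."""
    findings: list[str] = []
    if not d.purpose:
        findings.append("no documented purpose")
    if not d.allowed_users:
        findings.append("no access list: who may use this device is undocumented")
    if d.passcode_length < baseline["min_passcode_length"]:
        findings.append("passcode shorter than %d (or none)" % baseline["min_passcode_length"])
    if d.autolock_seconds == 0 or d.autolock_seconds > baseline["max_autolock_seconds"]:
        findings.append("automatic lock missing or too slow")
    if not d.remote_wipe:
        findings.append("not enrolled for remote wipe")
    min_os = baseline["min_os"].get(d.platform)
    if min_os is None:
        findings.append("unknown platform %r" % d.platform)
    elif d.os_version < min_os:
        findings.append("OS version %d.%d below minimum %d.%d" % (d.os_version + min_os))
    # The costly case from the text: PHI on a lost device that was never encrypted.
    if d.stores_phi and not d.encrypted:
        findings.append("holds PHI without device encryption: loss would be a breach")
    return findings


def audit(devices: list[Device], baseline: dict = BASELINE) -> dict[str, list[str]]:
    """Map each device ID to its findings."""
    return {d.device_id: check_device(d, baseline) for d in devices}


# Constructed sample inventory (not real devices or people).
INVENTORY = [
    Device("tab-01", "dr.lee", "ios", (17, 2), "exam-room EHR access",
           stores_phi=False, encrypted=True, passcode_length=6,
           autolock_seconds=120, remote_wipe=True, allowed_users=["dr.lee"]),
    Device("phone-02", "dr.patel", "android", (12, 0), "",
           stores_phi=True, encrypted=False, passcode_length=4,
           autolock_seconds=0, remote_wipe=False),
    Device("laptop-03", "front-desk", "windows", (10, 0), "front-desk scheduling",
           stores_phi=True, encrypted=True, passcode_length=10,
           autolock_seconds=900, remote_wipe=True, allowed_users=["front-desk"]),
]

if __name__ == "__main__":
    for device_id, findings in audit(INVENTORY).items():
        status = "OK" if not findings else "%d finding(s)" % len(findings)
        print("%-10s %s" % (device_id, status))
        for f in findings:
            print("    - " + f)
```

The check treats unencrypted PHI on a device as its own finding rather than folding it into the others, because that is the single configuration difference between a lost device that is an inconvenience and one that is a reportable breach.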

Physician offices also need to develop policies regarding staff use of cell phones, especially now that almost all smartphones have cameras. A staffer might, for instance, take a photograph of something in the office with a recognizable patient in the background and post it on social media. That could be a HIPAA breach, with financial and legal consequences for the practice. The policies should answer such questions as: How and where can employees use their phones? One suggestion: Instruct staff members to keep their cell phones in the break room and out of patient treatment rooms.

Discovering More Recommendations

For more information and further recommendations regarding protecting and securing PHI, visit https://www.healthit.gov, which offers many useful suggestions. It also provides physician best practices for mobile devices and EHR.

© 2016

This material is generic in nature. Before relying on the material in any important matter, users should note date of publication and carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.
