Securing PHI in a Mobile World

Written by benefitexpress | August 25, 2016

HIPAA EDI Standards

Having personal devices for every employee can make your business more efficient, mobile, and productive. From a laptop down to an Apple Watch, employers are outfitting their employees with more technology than ever before. That’s a great step for business, but a mobile workforce can cause HIPAA violations without your employees even realizing what they’re doing.

HIPAA guidelines are very clear on how electronic records must be stored and transmitted. The HIPAA requirements for electronic transactions are called the EDI Standards. Like all other protected health information (PHI) disclosures, electronic transactions require a release and the same reasonable protections; the EDI standards then layer additional guidelines on top. Beyond those guidelines, here’s how to keep your employees’ data secure without ditching your gadgets.

Electronic Records

  • EDI standards create a standardized format and content for electronic transmissions when engaging in “covered transactions” (legal PHI disclosures).
  • Emails containing PHI must be encrypted. Password protection is not enough.
  • Emails containing PHI should only be sent to one person at a time. This may take a bit longer, but it decreases risk significantly.
  • PHI should not be transmitted over Instant Message. Messaging programs are inherently insecure for this purpose: they generally aren’t encrypted, and you don’t know who’s looking at the recipient’s screen.

Securing Devices

  • Employees must position screens of any devices displaying PHI so that only authorized individuals can read the display.
  • The device must be configured so that the display goes blank or to a screensaver when unattended for more than a short time.
  • When returning from the screensaver, a password should be required when reasonable.
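The two screen-lock requirements above (blank the display after a short idle period, and require a password on resume) can be audited on a Windows device from the standard screensaver registry values. The script below is an added example, not part of the original post; it reads the Group Policy location first (which overrides the user’s own Control Panel settings) and then the user location, and the 10-minute idle limit is an assumption you should replace with your own policy’s value.

```powershell
# Added example: audit the current user's Windows screen-lock settings.
# Registry paths and value names are the standard Windows ones; the
# 600-second default limit is an assumed policy value.
function Test-ScreenLockCompliance {
    param([int]$MaxIdleSeconds = 600)

    # Group Policy values take precedence over the user's own settings.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'

    function Get-Setting([string]$Name) {
        foreach ($path in @($policyPath, $userPath)) {
            $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) { return [string]$item.$Name }
        }
        return $null
    }

    $active  = Get-Setting 'ScreenSaveActive'     # "1" when the screensaver is enabled
    $timeout = Get-Setting 'ScreenSaveTimeOut'    # idle seconds before it starts
    $secure  = Get-Setting 'ScreenSaverIsSecure'  # "1" when a password is required on resume

    $result = [ordered]@{
        ScreenSaverActive = ($active -eq '1')
        TimeoutSeconds    = if ($timeout) { [int]$timeout } else { $null }
        PasswordOnResume  = ($secure -eq '1')
    }
    # Compliant only if the lock is on, password-protected, and within the idle limit.
    $result.Compliant = $result.ScreenSaverActive -and
                        $result.PasswordOnResume -and
                        ($null -ne $result.TimeoutSeconds) -and
                        ($result.TimeoutSeconds -le $MaxIdleSeconds)
    return [pscustomobject]$result
}

# Usage: report the current user's settings against a 10-minute limit.
Test-ScreenLockCompliance -MaxIdleSeconds 600
```

Run it in the context of the user whose device you are checking; a device that reports `Compliant : False` either has no idle lock, a lock without a password, or a timeout longer than your policy allows. Enforcing the values fleet-wide is a Group Policy job; this script only tells you whether a given machine currently meets the requirement.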

Outside the Office

  • Employees who work from home should have home offices which comply with the same HIPAA policies as the workplace. A private screen and encrypted email system are necessary, just like in the office.
  • Company devices should only be connected to secure wireless networks (Starbucks’ wifi is not secure, so get that latte to go).
  • Devices containing PHI must be kept in an opaque container and out of sight if left locked in a car. Taking an extra minute to put your laptop in your trunk is a lot less of a headache than notifying all your employees their PHI is vulnerable because someone broke into your car.

Technology makes our jobs easier, but it also makes HIPAA more difficult. Implementing the right behaviors in the first place will save you headaches in the long run.
