by Daniel J. Schulte, JD, MSMS Legal Counsel
I have noticed lately that practices are providing smartphones, tablets, etc. to their employees. These devices are used to facilitate and increase the flow of patient information, which more and more is in electronic form. I am considering making the investment necessary to keep my practice up to date and to enable my employees to do their jobs more efficiently. I would like to know what I should be concerned with before I go any further.
There are many advantages to enabling your employees to access and transmit patient information from the palm of their hands. You are wise to consider the legal risks up front. There are two important legal considerations that you should address.
The first is ownership of the patient record information. You should have a written policy reminding your employees that all patient record information is owned by the practice, not the employee. The fact that the information is in electronic form and a copy resides on an electronic device does not change that ownership. Your employees should sign an acknowledgement that they understand and agree that, whether a patient record is on paper in their briefcase or a PDF saved on a smartphone or tablet (and regardless of who owns the device), the information is owned by the practice and cannot be viewed, used, transferred, etc. unless doing so is in the course of their employment duties. Your practice should own the devices that employees use to store, view, or transmit patient record information. Your written policy should restrict the use of patient record information to those practice-owned devices and expressly prohibit employees from storing or accessing it on their personal devices.
The second consideration is the security of the patient record information while it is stored and used by employees on mobile devices. HIPAA requires that, as a starting point, your practice conduct a risk assessment. This assessment should be documented in writing and identify the ways your patient record information could be taken or used inappropriately as a result of its availability on mobile devices (a lost or stolen device being the obvious case). HIPAA next requires that your practice adopt written policies and procedures addressing all the security risks identified by your assessment. The risk assessment and written policies will obviously vary from practice to practice. However, most will contain certain critical policies:
- Mobile devices remain in the office unless an employee removes one to perform a job function.
- An incident response plan dictating what to do if a breach of patient record information occurs, including how and when affected patients and regulators will be notified.
- An annual review and update of the risk assessment that takes into account and addresses any incidents that have occurred, new risks identified, breaches of the policies by employees, etc.
- Encryption of patient record information, both while it is stored on the device and when it is in transit, so that a lost or stolen device does not expose readable records.
- Password management, including a required passcode on every device and automatic locking after a period of inactivity.
- Audit logging and active monitoring of who is accessing patient record information.
Audits and enforcement actions related to HIPAA compliance are becoming more and more common. When they result from a reported breach of patient record information (reported by an upset patient, a disgruntled employee, or otherwise), it is typically the lack of a risk assessment and/or written policies, and not the breach itself, that results in penalties being assessed. You must fully comply with HIPAA by conducting a risk assessment and adopting proper policies before providing mobile devices to your employees.