HIPAA 2013 - HIPAA Requirements And Mobile Apps - NIST


HIPAA Requirements and Mobile Apps
OCR/NIST 2013 Annual Conference
Adam H. Greene, JD, MPH
Partner, Washington, DC

Use of Smartphones and Tablets Is Growing

How Info Sec Sees Smartphones
- Easily Lost, Stolen, or Discarded with PHI on It
- Camera for Improperly Recording PHI
- No Physical Keyboard for complex passwords
- Easy Access to Facebook for Improperly Posting PHI

How Info Sec First Responds
1. Thou Shall Disable Thy Smartphone Camera
2. Thou Shall Not Text
3. Thou Shall Not Place PHI on Thy Smartphone or Tablet

How Clinicians and Other Staff Respond

Design an Effective Mobile App Strategy
1. Identify mobile app needs
2. Integrate into risk analysis
3. Design risk management strategy
4. Obtain business associate agreement if necessary and perform due diligence
5. Document Security Rule compliance
6. For patient/enrollee-facing apps, comply with Privacy Rule

Identify Mobile App Needs
1. Thou Shall Disable Thy Smartphone Camera
- Is there appropriate use of smartphone cameras for certain procedures?
- Is there an appropriate way to securely share pictures and add them to the record?

Identify Mobile App Needs
2. Thou Shall Not Text
- Why are members of the workforce texting?
- Is e-mail effective?
- Is a no-texting policy effective, or is secure texting needed?

Identify Mobile App Needs
3. Thou Shall Not Place PHI on Thy Smartphone or Tablet
- Why is PHI ending up on smartphones?
- Is remote access to PHI sufficient?
- Is a secure vault for PHI needed?

Identify Mobile App Needs
Patient Engagement
- Improved access to EHR (MU Stage 2)
- Ability to accept patient health information (e.g., iBlueButton)
- Improved treatment communications and adherence
- Appointment reminders

Identify Mobile App Solutions
- Mobile diagnostic tools
- Secure access to e-mail
- Mobile EHR portal
- Secure texting
- Secure container
- Secure access to Blue Button data
- Remote wipe and antivirus

Include Mobile Apps in Risk Analysis
Identify where PHI is located on mobile devices
- C - What apps Create PHI (e.g., diagnostic apps)
- R - What apps Receive PHI (e.g., EHR portal, e-mail, iBlueButton)
- M - What apps Maintain PHI (e.g., e-mail, secure container)
- T - What apps Transmit PHI (e.g., secure texting)

HIPAA Hot Potato
- Health Plan Server: Covered by HIPAA
- Physician Tablet: Covered by HIPAA
- Patient Device: Not Covered by HIPAA

Include Mobile Apps in Risk Analysis
Identify threats and vulnerabilities
- What if mobile device is lost, stolen, or replaced?
- What if mobile device is shared?
- Can malware on device lead to unauthorized access?
- Can transmissions be intercepted by unauthorized third party?
- Is PHI on device reasonably available?

Include Mobile Apps in Risk Analysis
Identify current security controls
- Is information encrypted while maintained?
- Is information encrypted in transit?
- What authentication of app users is in place?
- Is PHI backed up when necessary?
- Can PHI be remotely wiped?

Include Mobile Apps in Risk Analysis
Identify likelihood, impact, and aggregate risk
- What is the likelihood of a threat exploiting a vulnerability?
- What is the impact if exploited?
- Likelihood x Impact = Risk

Implement Risk Management Strategy
- What risks are medium and high?
- Can risks be lowered to reasonable amounts through:
  - Policies
  - Training
  - Additional technical controls (e.g., locking down the device or adding remote wipe features)

Obtain Necessary BAAs & Due Diligence
- Does the app developer create, receive, maintain, or transmit PHI on covered entity’s behalf?
- If PHI is encrypted and app developer does not have the key, HIPAA is unclear as to whether BAA is needed
- Due diligence - What is app developer’s security?

Document Security Rule Compliance
- Included in risk analysis
- Included in risk management
- Sanctions for violations of policy
- Reasonably review system activity
  - If activity cannot be centrally reviewed, document whether this is reasonable
- Authorization, supervision, and clearance
  - Who needs access to PHI on mobile devices

Document Security Rule Compliance
- Termination procedures
  - Is PHI on mobile devices secured and access through apps terminated at employment termination
- Include mobile apps in security awareness and training
  - Address potential malware on mobile device
  - Address mobile app passwords

Document Security Rule Compliance
- Identify and respond to mobile app security incidents
- Ensure that PHI in mobile apps is reasonably backed up
- Integrate mobile apps into contingency planning
- Evaluate mobile app program

Document Security Rule Compliance
- Address physical security of mobile devices
- Address which mobile devices need to be inventoried
- Ensure proper disposal/re-use of mobile devices with apps containing PHI
- Address whether mobile devices need to be backed up

Document Security Rule Compliance
- Address automatic logoff of mobile apps
- Address encryption of data maintained by apps on device
- Address encryption of data transmitted by mobile app
- Document basis for transmission of some PHI without encryption

PRIVACY RULE AND MOBILE APPS

The X-Factor

Right of Access
- Patient may access copy of designated record set in requested form and format, if readily producible
- Mobile app to portal may be convenient means of providing access (and support MU Stage 2 objectives)
- But, patient may prefer unencrypted emails (permissible after warning of risk)

Right to Confidential Communications
- Must accommodate reasonable requests for communications to patient by alternative means or at alternative location
- Some patients may prefer communications through unencrypted e-mails
- Other patients may not want unencrypted appointment reminders

Don’t Let Security Trump Patient Preference
(No matter how much you paid for that secure mobile app)

For more information
Adam H. Greene, JD, MPH
adamgreene@dwt.com
202.973.4213
