HIPAA, PIPEDA and Communication Regulations Regarding Telecom
It is understood that when you go to the doctor, you are protected by doctor-patient confidentiality. It is also understood that your doctor should take the necessary measures to protect your private information, whether it is electronic, written, or oral. This is why it is important that the devices your healthcare professionals use are secure and accountable. 96% of physicians, specialists, and nurses interviewed reported using smartphones as their primary communications devices to support clinical communications.
While the use of mobile devices for communication has permeated the healthcare workforce and blurred the line between personal and business use, it is important that this blurred line be replaced with a clear and strictly enforced one.
HIPAA (Health Insurance Portability and Accountability Act, 1996), through the Privacy and Security Rules issued under it, protects the confidentiality of documentation and conversations between a patient and their doctor.
In Canada, PIPEDA governs personal information, health-related or otherwise, that private-sector organizations collect, use, or disclose in the course of commercial activity; provinces with substantially similar privacy laws (and, in several cases, health-specific privacy statutes) apply their own rules in place of PIPEDA for activity within the province.
The strict requirements of PIPEDA and, in particular, HIPAA mean that an off-the-shelf commercial device, used without additional controls, is unlikely to stand up to a compliance audit, and such audits are becoming more frequent. With penalties ranging from $100 to $50,000 per violation and a maximum of $1.5 million per year for violations of an identical provision, there should be ample motivation to comply.
While it is fairly clear what information is protected, there is some vagueness about how the information should be protected. The U.S. Department of Health & Human Services states on its information page:
“How this Information Is Protected [in regards to Patient Health Information]
- Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
- Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.”
In order for your telecommunications business to comply with HIPAA's standards, your devices and networks must satisfy three rules in HIPAA:
1. Privacy Rule
This rule establishes a standard to protect the medical records of patients. It sets limits and conditions on any disclosure of information made without patient authorization and clearly defines who should have access to the information and who should not.
2. Security Rule
This rule specifies the safeguards required to ensure that the Privacy Rule is not breached: Administrative Safeguards (contingency plans, security management processes, etc.), Physical Safeguards (facility access controls, workstation security, device and media controls, etc.), and Technical Safeguards (access controls, transmission security, audit controls, etc.).
3. Breach Notification Rule
Covered entities must notify affected individuals of any breach of unsecured protected health information without unreasonable delay, and in no case later than 60 days after discovering it. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets and to HHS. "Unsecured" is the key word: protected health information that has been rendered unusable, unreadable, or indecipherable (for example, encrypted in line with HHS guidance) is not "unsecured", so a lost or stolen device whose data is properly encrypted generally does not trigger notification, while an unencrypted one does.
What does that mean for telecom and IT partners?
It means that the popular BYOD (bring your own device) approach that many healthcare professionals follow in all likelihood does not satisfy HIPAA's Security Rule without additional controls, and that is a problem.
The average smartphone has some built-in security, but most consumer devices were never designed to be used under such strict security and privacy regulations. Privacy and security are easily compromised by a lost or stolen device, by a device with no passcode or an easily guessed one, by data stored without encryption, and by the accidental mixing of personal data and patient information on the same device.
The first step in implementing a HIPAA compliant mobile environment is to research companies that can provide the following:
1. Server Monitoring and Care
Your IT partner should be able to track and analyze your network activity 24/7. When a system function fails, an alert will be generated for their team to immediately investigate and fix it.
2. Desktop Monitoring and Care
Your IT partner should be able to monitor and address issues on your desktops 24/7. Whether it is removing viruses and spyware or installing patches, your telecom company should be able to do it all in the background so that your employees remain productive.
3. Mobile Device Management
Telecom partners like Epik Networks can provide mobile device management services that allow devices to be configured for company access and keep your organization's data secure on smartphones and tablets. This is what addresses the BYOD risks above: a managed device can be required to have a passcode and storage encryption, can be locked or wiped remotely if it is lost or stolen, and can keep organizational data separate from the employee's personal data.
4. Scheduled Network and Security Assessments
Your IT partner should be able to generate regular reports on the state of your systems, flagging potential problems that fall outside safe parameters. With these comprehensive assessments, you will always have the best information for choosing the most effective response.