HIPAA @ 20, Part II: In a Mobile-first World, You Need to Be Smart about Smartphones

hipaa, patient privacy, pokemon go, mobile, smartphone

You see them almost everywhere you go: People of all ages with their heads down, faces glued to their phones, and playing Pokémon Go. The GPS/camera-based game has been touted as a healthy activity — it gets people up and moving — but for healthcare providers, it could be a dangerous one, as well.

In the process of capturing those little digital characters, players could also capture sensitive images or other information about patients, putting facilities at risk of violating HIPAA’s rules on privacy and security.

It’s not that far-fetched. In Sacramento, an increase in non-patient foot traffic prompted the UC Davis Medical Center to post a notice about the game, citing “specific instances of players attempting to enter restricted areas” and photo-snapping players “creating concerns about the privacy of patients and staff in the background.”

And in Boston, employees at Massachusetts General Hospital were recently told not to play the game during work or on hospital property in an email that included the warning: “The ability for smartphones to record images and location via the camera and GPS features pose a significant risk to patient privacy and safety.”

It’s probably only a matter of time before someone snaps and shares an image that turns the possibility of divulging PHI into a potentially costly violation. In the meantime, it’s worth remembering that a lot has changed in the 20 years since HIPAA was enacted. (You’ve implemented HIPAA-compliant social media guidelines, right?) With more people using more devices, there’s more to having a mobile strategy than ensuring your practice website is mobile-friendly.

Consider:

Smartphones are ubiquitous and high-speed connections are everywhere: Twenty years ago, mobile phones were a novelty; today, there are upwards of 200 million in use in the U.S. alone. And since most people don’t leave home without them, many are being used at work, including in healthcare settings. According to a study by Cisco,

  • 89% of healthcare workers use their personal smartphones for work purposes. (Among eight major industries, only education and technology tally higher on-the-job usage.)
  • 41% of healthcare workers don’t use a password to secure their personal device.
  • 53% reported accessing unsecured wi-fi networks using their personal device.

What it means for doctors: Whether it’s a doctor accessing EHRs on a tablet or an employee sharing a selfie that inadvertently shows a patient or their protected information, mobile devices open the door to divulging PHI in ways no one could even consider in 1996. Therefore, short of banning personal devices entirely — unlikely and unenforceable — every practice should incorporate guidelines spelling out expectations regarding the use of personal devices at work. This video from HHS is a good place to start.

BYOD programs raise the stakes for privacy breaches: Letting employees use their personal devices for business purposes — aka Bring Your Own Device (BYOD) — can save money and boost productivity, but it also raises the issue of PHI exposure when those devices go missing, especially when you consider how many laptops, tablets, and smartphones are misplaced or stolen every year.

What it means for doctors: To keep BYOD programs in compliance, legal experts suggest requiring a range of security measures, such as making passwords mandatory, disabling cloud access, and enabling remote wiping capability. You can find more information here and here.

Pokémon Go is part of a larger (potentially troubling) trend: Pokémon Go may be all the rage today, but rest assured, it will quickly be joined by other mobile services that rely on augmented reality, the cloud, or some other, yet-to-be-invented technology. Whatever form they take, it’s unlikely that the law will keep up, muddying the HIPAA waters even more.

What it means for doctors: With Pokémon Go offering a glimpse of the future, covered entities should consider the words of Chicago attorney Mita K. Lakhia, who wrote the following in a recent article on Lexology.com:

As augmented reality mobile applications and games become even more popular, and more immersive, these issues are bound to come up again and reinvent themselves in the form of new challenges. Now is the time to determine your organization’s policy on augmented reality and revisit social media and BYOD policies. Pokémon Go may or may not be here to stay – but it is definitely not one of a kind.

Photo by Cory Doctorow via flickr

About Rob Lovitt

Rob Lovitt is a longtime writer and editor who believes every good business has a great story to tell. He has written for dozens of magazines and websites, including NBCnews.com, Expedia.com and the inflight magazines of Alaska, Horizon and Frontier airlines.
