ONC Chief Privacy Officer Emphasizes Need for Proper Management of Mobile Device Usage

In an interview with Information Security Media Group at the 2014 HIMSS meeting, Chief Privacy Officer Joy Pritts from the Office of the National Coordinator for Health Information Technology (ONC) highlighted that mobile devices continue to be “a major concern” because health care providers are “not set up for how they manage those devices” and it is an area that is “really challenging for many.”

In the same interview, Pritts said that most breaches are currently “more mundane,” such as lost laptops or theft, but that they anticipate cyber hacking and things of that nature increasing. ONC is making efforts to be proactive by working on issues such as “privacy by design,” which encourages providers not to store Social Security numbers, dates of birth and names in one place, where the information would be readily accessible and ripe for identity theft and fraud.

Pritts noted that one of the biggest achievements since the HITECH Act has been clarification of a patient’s access to health information in electronic form and the broadening of protection to include business associates.  In turn, Pritts noted one of the biggest disappointments was how little the industry knows about the law and related rules, and the work to be done.

During the interview, Pritts twice raised the issue of mobile devices and potential security issues, noting “mobile continues to be an area of great concern for us ….” The Department of Health and Human Services (HHS), recognizing the growing use of mobile devices and security issues, previously provided tips and information to providers at the Health IT website.  HHS provided five steps organizations can take to manage mobile devices used by health care providers and professionals:

  1. Decide whether mobile devices will be used to access, receive, transmit or store patients’ health information;
  2. Assess how use of mobile devices affects risks to the health information;
  3. Identify a mobile risk management strategy;
  4. Develop, document, and implement mobile device policies and procedures; and
  5. Train providers on mobile device privacy and security awareness.

In light of the heightened attention being paid to mobile devices, increasing security risks related to mobile devices and the upcoming HIPAA audits for both covered entities and business associates in 2014, we encourage our clients to review their HIPAA Security Risk Assessment to ensure that mobile device use is adequately addressed. Further, we encourage providers to develop policies and educate staff on the appropriate use of both entity-owned and personally owned mobile devices, including the implementation of “bring your own device” or BYOD policies.
