Following is part of a series of posts about the Health Insurance Portability and Accountability Act (HIPAA) provided by the Compliancy Group, an ACA corporate partner and ACA’s preferred HIPAA solution.
When HIPAA was initially enacted, the use of the internet was limited, and therefore best practices were largely unaccounted for. With the widespread adoption of mobile devices, social media, and software applications, it is important to consider the implications of using them in a healthcare setting. To provide guidance on how to comply with HIPAA while using modern technology, HIPAA in the electronic age is discussed.
HIPAA and Mobile Device Security
Although HIPAA does not cover mobile device security, the National Institute of Standards and Technology (NIST) has provided mobile guidelines.
NIST recommends the following for mobile device security:
- Mobile devices should be individually authorized to add, modify, remove, and access PHI.
- Passcode protection should be enabled.
- Encrypt mobile devices.
- Mobile devices should only access a specific Wi-Fi (WPA2) created for mobile devices.
- Each mobile device needs to be registered with the organization.
- Enable certificates to help prove the authenticity of users and devices.
- Enable security policies for mobile security.
- Use role-based access.
To make sure that NIST mobile device security guidance is followed it is important to:
- Implement a BYOD (Bring Your Own Device) policy.
- Train employees on mobile device policies.
- Implement advanced security measures.
- Enable advanced password protections and device wiping.
HIPAA Compliant Social Media Use
HIPAA dictates strict guidelines for the proper uses and disclosures of protected health information (PHI), which can be applied to the use of social media. To ensure that social media is used responsibly, it is important to have social media policies and procedures and train employees on those policies.
Social media policies and procedures should include what is and isn’t permitted to be disclosed on social media. PHI should never be posted on social media without prior patient authorization. For instance, before sharing a patient testimonial on social media, the patient must give prior written authorization to do so. When patients explicitly give authorization to use their PHI on social media, it is permitted to share this information. (Editor’s Note: Recognize that state laws apply even to social media, so be sure to read and understand your state laws related to social media and patients.)
Other permitted use of social media is as follows:
- Health tips that patients might find useful.
- Upcoming events patients might like to attend.
- New research or findings related to your field.
- Honors or awards your organization has been granted.
- Profiles or bios of your staff.
- Advertisements of your services.
- Discounts or special offers on services you provide.
HIPAA Compliant Software Applications
When using software applications that have the potential to access PHI, the software provider is considered a business associate. As a business associate the software provider must be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that limits the liability for each signing party as it requires each to be responsible for maintaining their HIPAA compliance. When a software provider will not sign a BAA, their software application cannot be used to store, receive, transmit, create, or maintain PHI.
There are also certain security protections that should be looked for when choosing which software to use, including:
- User authentication: requires users to input unique login credentials to access the software platform.
- Access and audit controls: enables different levels of data access to be designated based on an employee’s job function, and allows administrators to track data access.
- Encryption: secures sensitive data by requiring a decryption key for data access.
HIPAA Compliance Requirements
HIPAA compliance is an important part of running a successful chiropractic practice. Chiropractic practices that are HIPAA compliant will have considered all of the above-mentioned practices, however there is much more to HIPAA compliance than using modern technology properly.
To be HIPAA compliant, practices must:
- Conduct annual self-audits.
- Develop remediation plans to address compliance gaps.
- Implement HIPAA policies and procedures.
- Conduct annual employee HIPAA training.
- Have signed business associate agreements in place.
- Develop a method for detecting, responding to, and reporting breaches.
Compliancy Group is the affordable industry standard for simplified compliance. It was founded in 2005 by former auditors that saw a gap in the market. Before it was founded, small and mid-size business owners were lacking a cost-effective tool to address their compliance. Learn more about HIPAA at compliancy-group.com and on ACA’s website at acatoday.org/HIPAA.