The fourth webinar, "Bring Your Own Device", was held on March 17th, 2015. Daniel Brown, Esq. of Taylor English Duma LLP and Jason Karn of Total HIPAA Compliance walked attendees through an overview of business associate agreements and discussed some of the intricacies of this compliance requirement. Topics covered include:
A transcript of the presentation is available below, as well as answers to some of the questions we received during the Q&A.
Shanyce: We are fortunate to have Jason Karn from Total HIPAA Compliance and Daniel Brown from the law firm of Taylor English.
Jason: Alright, thank you so much Shanyce. This is Jason Karn, I am the director of training and IT at Total HIPAA Compliance and we specialize in training and compliance for medical practices, dental practices, insurance agents, employer groups and business associates. One of the things that differentiates us is we customize our documents and training for specific markets. With that I am going to pass back over to Dan here and he is going to get us started. Dan…
Dan: Thanks Jason, I appreciate that. I noticed it is still a few minutes before 2:00 and maybe we should wait until 2 to see if some more folks will come in.
Jason: I think we had an early start because we have a fair amount of attendees already, so I think they want to go ahead and get started.
Dan: Very good. My name is Daniel Brown, I am delighted to be here on behalf of NueMD to discuss Bring Your Own Device and the HIPAA compliance aspects of those. I am an attorney with the law firm of Taylor English Duma in Atlanta, Georgia. I've been practicing health law for over 20 years, helping hospitals, physician practices, ambulatory surgery centers and other providers weave their way through the HIPAA wave, and today's presentation is particularly interesting in that we meet at the corner of technology, social media, privacy and healthcare all at the same time. I think it will be a very interesting presentation. Jason, I am going to go ahead and start by talking a bit about some housekeeping issues. First, this program is educational; we will discuss some legal aspects but we are not your lawyers. We are here just to discuss some general principles. The material we discuss today is subject to change, so you should check back often to make sure that we are talking about the same set of rules.
Dan: So where are we with the whole concept of HIPAA, its requirements for privacy and security, and every cell phone and social media generator out there? Well, we have the good, the bad and the ugly. The good is everyone is connected and stays connected. A code blue is immediately broadcast and can be perceived and received no matter where the participants are. It saves the organization money. You can have folks work from home or you can get an immediate response in emergent situations just by having their iPads, iPhones, Samsung devices to look at records, confirm exactly what the condition of the patient is and what protocol to use. What's the bad? Well, you have limited control of devices. One thing HIPAA is very good about is the security regulations requiring physical safeguards of all instruments that have electronic protected health information. So it's real easy to lock the door at night as you leave the office. Make sure the server that you've got in your office that runs the computer programs is locked away behind screens, behind locked drawers. But let's face it, when we talk about having that exact same information on a device that you carry on your hip, in your back pocket or in your purse, well, we can't really fit HIPAA's requirements of safeguards into the whole concept when we are all mobile and walking around with them. So we have limited control over these devices: what happens if they get lost, what happens if your employees' children play with them and somehow accidentally send information over their social network. There is also tracking of employees to see if they are actually doing their tasks, and the devices are beeping all the time, which can be distracting. And the worst situation of them all is the ugly: there's a data hacking breach. Someone does a major breach, as happened with Anthem BlueCross, or worse, there is a malware or virus intrusion into your system, crashing the system and making it inapplicable for you.
Dan: So what we want to talk about today is first, what are the legal requirements and actual acceptable use for your devices? HIPAA has at least two specific requirements about safeguarding these types of devices. And remember this is a part of your HIPAA compliance plan and you have an obligation to make sure that under HIPAA you have implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. That's right out of rule 164.308(a)(1). When you have bring your own device, how in the world can your organization implement a security measure sufficient to reduce risk and vulnerability? We can't think about locking the device in the drawer; we must think about what type of steps we can take to reduce risk and vulnerability. We will include things like that in this program: being able to remotely wipe the device or making sure the device is password protected, things you have to make sure you do in order to follow the mandated rule of having measures to reduce the chance of risks and vulnerabilities. The other rule HIPAA requires is that we have physical safeguards for all workstations that access ePHI, so we can restrict access by unauthorized users. Again, that is very easy when you have a PC sitting on the desk: you lock it up. But if you are a business associate or a covered entity and have a mobile device, well, what do we do? We have similar types of mobile device solutions that we are going to talk about today.
Dan: Let's talk about acceptable use. One thing we should be doing as healthcare organizations is adopting policies and procedures that do address these mobile devices, how they are used, what we can put on them and how they can be treated. I can't stress enough that folks should think about these mobile devices and adopt a policy to reduce risks and vulnerabilities. One of those may be what applications are allowed or forbidden. For example, folks may want to download Netflix on their device. Just because they are an employee of the hospital, does that mean they are prohibited? Well, it depends on whether it is known that Netflix will interfere with the operation of the electronic health information. That's going to require an analysis of what apps are out there and which apps will be acceptable. What about certain websites, are they restricted during work hours? A lot of places say no Pandora in the workplace. Why is that? Well, it takes up too much bandwidth. That's not a HIPAA problem, but we have certain websites not to get on during work hours. Can employees access practice-owned resources? What does our policy say about email, contacts, documents and other types of records? Your physician may say, I need to look at all my patients' records on my cell phone, email and text them. Well, how do we restrict their use? If we do let you use them, that is part of the policies and procedures. And if we do access them, how do we make sure we limit them to where it is necessary for that individual to be able to do their particular job on or off the workplace? Employees should not share devices that can access the practice network with friends or family members. For example, giving my child my phone and it gets lost or stolen. At that point, have I broken the procedure about sharing?
Dan: What do your policies and procedures say about reimbursement? The physician would say they need these particular applications in order to access an electronic health record. Who is going to pay for them? In some cases, the employer may take the position that they will reimburse the employee for their network bill. Some employers may not do that. More important than reimbursement is making sure we walk that balance to let the employee use their device the way they want to but make sure the protected health information does not conflict. I've noticed doctors will email their staff on their own private email account. I know Hillary Clinton has got in some hot water for that, but if you stop and think about it, that's probably not a good idea in the healthcare setting because once you leave the server of the employer domain, you lose the HIPAA protections within your own domain name. So I always suggest refusing to let people use their own email for work-related email on a domain name other than your work's domain.
Dan: Should I have a policy in place? Well, the short answer is yes. I believe that is always the case. It helps protect the practice and patients, and more importantly, as part of your HIPAA compliance plan, you have a culture of privacy in the workplace and at home, for whoever has access to PHI at your home. Should there be an agreement? Would it be appropriate to have each employee sign it? This is an agreement to say "I read your policy and you can fire me if I don't follow it". These are all things some employers are starting to use to protect the privacy and security of protected health information.
Jason: We are going to talk about how to secure these devices and there are a lot of different types. There is an ongoing debate on whether to protect the data or the devices. I have found there is a happy medium between both sides. You don't want to lock down the device so much that the user loses all functionality of the device and isn't allowed to use the apps or basic things that are there. How much should you lock it down? That is determined in your practice by how much you think you need to protect. One of the most important things to look at is what type of devices you are going to allow on your network. What kind of operating systems? Are you going to allow your employees to bring their laptops, their tablet computers, mobile devices, flash drives, CDs, DVDs, and who is going to support those connectivity issues? Will you have an IT person on staff or a contract person to assist you? Giving someone access to your network is opening yourself up to a liability because they now have access to your servers and network. I always caution people to have protection in place. One of the big things is encrypting those devices, especially mobile devices. Tablets need to be encrypted; iPhones and iPads are usually already encrypted with password protection. Android and Windows devices use SD cards, and they are not encrypted. If you lose a device, you need to be able to erase and lock it down as quickly and efficiently as possible. With SD cards, that becomes a little more tricky and that's why we talk about encryption.
Jason: Password changes. This is one of the most important things you need to have in your Policies and Procedures, and this needs to be clearly stated in order to set that schedule. Talk about how you're going to enforce this. Are you going to send a reminder to everybody every quarter or every 90 days? Choose whatever time frame works best for your practice. The key here is that you need to make sure that you clearly state this and that everybody who is bringing their own device, and this also applies to your EHR, is aware that you're going to be changing those passwords. But make sure that you have a sanction policy. And this is required under HIPAA, to have a sanction policy in case somebody isn't doing this. Maybe the first time somebody just gets spoken to about it and the next time they might get written up. If it becomes a common occurrence then you may have to think about suspending and/or terminating the employment of that employee. Your passwords are really the first line of defense for how you protect your devices. And it's really important that those are kept difficult and that they change often.
Jason: Now with iPhones and iPads...again, this is kind of a controversial topic and everybody goes back and forth. They say that iPads and iPhones have a fairly inclusive architecture and they're always scanning and looking for these things and you can only download things through the Apple Store. It is up to you whether you want to do this, but there are applications out there that will scan your iPhone. And now with the new operating system, it will do background scans, so it can run in the background.
Android devices and Windows devices, and Linux-based devices...those definitely have to have virus protection. There are free plans and several that are very lightweight that only cost a little bit. When you get into the enterprise level, if you’re going to be managing multiple devices, then yes you’re going to want to get into a paid enterprise level where you have an IT manager who can manage that for you. For individuals, you can put that on individually, but again back to the configuration. You want to make sure before these devices come on your network that they’re configured for these.
Jason: So, how do you track and remotely wipe any of these devices? For laptop PCs, unfortunately there's not a way to do this that's built into the operating system. You would have to get a program to do that, and there are a couple of great third-party options out there. There's a company called Prey; it's free and it allows you to track a lost PC. If you don't have that on your PC, I would highly recommend it. Basically they'll track it wherever it is. You can lock it down. Again, it's very lightweight and I would highly recommend this. They also have enterprise plans that work for all mobile devices. So it works with your PCs, your desktop computers, and it'll work with your phones so you can track all of them. And this is for a larger company that may need to manage multiple devices.
For Android phones, there’s a program called Android Device Manager. This is a free program through your Google Account. Again, I’m cautioning you...external SD cards are not encrypted as a default so you need to enable that. And if you do a remote wipe of an Android device, there is not a secure erase of SD cards. So that’s why you need to make sure that those SD cards are encrypted. That way people can’t access them without having the passcode to get into them.
Windows Phone has a free program called Find My Phone. For that, you just need to sync your phone with your Windows ID and that will allow you to remotely wipe your phone. And I do not have a Windows Phone, but they state on their website that they will allow people to wipe cards remotely.
For Mac OS and iOS devices, there’s a great program called Find My Mac. I’ve used that myself. This program will allow you to track and erase any of your mobile devices. Again, these are great for individual uses and for smaller practices this may be all that you need. For larger companies, you may want to look into one of the enterprise options that will allow you to track those devices.
Jason: So again, one of the things you need to think about is remote access. How are you going to allow a contractor or somebody who’s working from home to access your network or access files that they need to work on from home? I wish I could say that I never had to work after 5 o’clock myself, but we all have things that we have to take home and do on our personal time.
So, what kind of remote access is acceptable for your practice? Are you going to allow someone direct access into your servers? How are you going to protect that information? We recommend a VPN, which is a Virtual Private Network. That creates an encrypted tunnel, and an IT person can set that up very easily. What that does is make sure that any information that is transmitted back and forth is encrypted. The only drawback is that sometimes it can slow down your network and slow down the speed with which you access that network. But it's definitely worth it for the encryption it will put on that traffic. One thing the IT person can do, and this is a decision you would need to make when formulating your Policies and Procedures, is to set the VPN as a default for any time someone is trying to access the Internet, so all of their traffic is encrypted.
Cloud file sharing. I know a lot of people are starting to move towards this. This is a great way to share information, but you need to make sure, and I believe we spoke about this in one of our earlier webinars on Managing Business Associates, that you have Business Associate Agreements and that you understand what they're doing with that information. And make sure you have access controls. One of the nice things that I see for cloud sharing is the audit control that you have, so you can see who has been doing what with the information. One of the things that is hard to keep track of is, once that device is off of your servers and out of your control, it's hard to figure out who's doing what with that information. So you want to try to keep as much control over it as possible and know who's been downloading it, who's been doing what with it, and who's been accessing that information. It can really save you a lot of headaches. There are some great programs out there that use applications that house that information so it keeps control over it. Then a person can access the information, but it's done through an application or through a specific portal, so what is happening with that information is continuously monitored.
Jason: Moving on to portable storage devices. This is something that we still see a fair amount of, with flash drives, removable hard drives, CDs and DVDs, and these can be really handy but also fairly dangerous. You don't know where they've been. What networks they've been on. What they may have picked up along the way. Theoretically you would have virus scanning and these devices would be scanned, but this is why I think cloud file sharing is a much better option. With flash drives and mobile hard drives, personally I wouldn't allow these on my network from somebody that I don't know or if I don't know where that device has been. One of the things that I would recommend for this, and there are some programs out there that allow you to do this, is to lock down and say to your operating system, we don't read flash drives, we don't read removable hard drives, and you can even decide on the CDs and DVDs and lock those out but still have access to your peripherals like your keyboards and mice and those sorts of things. This is something I would really start to wean yourself off of. I know there's the need to transfer information, but again, once that information has left your servers and gone to a flash drive or removable hard drive, you no longer have access or the ability to know what's happening with that information. This really opens you up for a breach, and let's be honest, they're easy to lose. People lose them all the time, and if the information is not encrypted, then right then you have a breach, which can really open you up to a lot of problems within your practice.
During the webinar, attendees were able to ask questions directly to Jason. While we tried to get through as many as we could, we simply did not have time to answer all of them. So, we put together a round-up of the top unanswered questions. We've organized them by section to keep things simple.
Q: Why would an employee agree to have their phone or tablet wiped if it's lost or stolen?
A: It's good for the employee and it's good for you, because they're not just storing information from your company but also personal information, financial information. That's just the trade-off to be able to use these devices at work. By making this policy clear and consistent, you should avoid problems.
Q: My son needs to use my laptop to complete his school assignments. If I supervise him, is it OK for him to use it?
A: No. If you could supervise him 24/7 on the device perhaps, but anything less is too big a risk.
Q: How is a practice going to control the use of memory sticks or flash drives?
A: You have options. The first option is to not allow them, and clearly communicate this policy to all employees. If you do allow them, you must ensure you have security constraints in place. Those devices must be configured and encrypted before they're allowed in the system. However, it's recommended you avoid this. It's very easy to share information in more secure ways. Encrypted, HIPAA-compliant cloud storage is a superior option, because it allows for auditing who accessed the information, and when. This is very important if there's a breach. Additionally, you can manage and block device usage at the operating system level. You'll need to get the IT person to do the configuration for that.
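Blocking removable storage at the operating-system level, mentioned in Jason's segment on portable storage devices and again in this answer, can be done on a Linux workstation by telling modprobe never to load the usb-storage driver while leaving keyboards and mice (which use the separate usbhid driver) untouched. The script below is an added example and is not code from the webinar, NueMD or Total HIPAA Compliance; the file name disable-usb-storage.conf and the function names are my own choices, and the directory argument exists only so the functions can be dry-run in a scratch directory before being applied to /etc/modprobe.d as root.

```shell
#!/bin/sh
# Added example, not from the webinar: refuse USB mass storage on a Linux
# workstation while keyboards and mice (usbhid driver) keep working.
# Technique: a modprobe "install" override makes any attempt to load the
# usb-storage driver run /bin/false instead, so flash drives and portable
# hard disks never attach; "blacklist" also stops alias-based autoloading.
# The directory argument is only so the functions can be dry-run in a
# scratch directory; on a real host it is /etc/modprobe.d (root required).

RULE_FILE="disable-usb-storage.conf"   # file name chosen for this example

# Write the override and unload the driver if it is currently resident.
# Returns 0 on success, 1 if the directory or file cannot be written.
block_usb_storage() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir" || return 1
    printf '%s\n' \
        '# BYOD policy: no removable flash drives or portable hard disks' \
        'install usb-storage /bin/false' \
        'blacklist usb-storage' > "$dir/$RULE_FILE" || return 1
    # Ignore failure when the module is not loaded or when not root
    # (for example during a dry run in a scratch directory).
    rmmod usb-storage 2>/dev/null || true
}

# Audit check for managed workstations: returns 0 when the override is
# in place, non-zero otherwise (grep -s stays quiet if the file is absent).
usb_storage_blocked() {
    dir="${1:-/etc/modprobe.d}"
    grep -qs '^install usb-storage /bin/false' "$dir/$RULE_FILE"
}

# Stand-alone use: "sudo sh block-usb-storage.sh --apply" enforces the
# policy; "sh block-usb-storage.sh --check" reports whether it is enforced.
case "${1:-}" in
    --apply) block_usb_storage && echo "usb-storage blocked" ;;
    --check) usb_storage_blocked && echo "enforced" || echo "NOT enforced" ;;
esac
```

The audit function is the part worth scheduling: a configuration-management run or cron job that calls usb_storage_blocked on every workstation turns the policy from a document into something that is verified, which is what the sanction policy discussed earlier depends on.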
Q: What about using guest accounts on devices? Is that OK?
A: Yes. Guest Access refers to a second tier of access. You have administrative access and you have less inclusive or powerful access. If your child needs to use your computer, theoretically you could do that because you're able to deny access to files.
Q: We use a cloud-based EHR/PM that requires signing in with a password. Is it OK to use personal electronic devices when accessing PHI through EHR?
A: Yes. Because you’re using a password you've gone through authentication. Just ensure you're using strong passwords and update policies.
Q: Is LogMeIn with password acceptable for access? We have a Business Associate Agreement with LogMeIn.
A: If you have a Business Associate Agreement with them, and you have determined the encryption fits your practice standard, then it is an acceptable program to use.
Q: What about a doctor doing a consultation over the phone with a video?
A: You would need to use a HIPAA-compliant video chat service. There are a few out there, like VSee, which touts its HIPAA-compliant video sharing. But make sure you have a Business Associate Agreement before you work with those, and confirm their encryption levels. Definitely don't use Skype, Google Hangouts or any free software that could open you up to a HIPAA breach.
Q: Is Google Drive sheets acceptable and HIPAA compliant for emails with BAA?
A: With a BAA, yes it is. Google lists the apps that are HIPAA compliant with a sign that says BAA. Drive and Mail are compliant. Google Hangouts and some of the other things they offer are not on the compliant side. But make sure you have that signed BAA and read through it. Remember, they are writing that BAA to be advantageous for them and not for you. So be sure that's going to fit your needs before you commit.
Q: Is there an easy way or a program you can recommend to encrypt an email?
A: Yes, one is ZixMail. That is a great program and they also have an app for the phone. There's also LuxSci. They do email encryption and form capture. There's also another company called Protected Trust that also does email encryption. If you go to TotalHIPAA's resources page, you can find additional companies.
Q: Google Hangouts was mentioned as unsecure, what about other Google products such as Drive, Gmail, Maps, Calendar, etc.?
A: The free Gmail app is not secure. The paid Google mail app can be configured to be, if you sign the BAA and ensure information is sent as an encrypted email. This means the patient would have to authenticate themselves. Hangouts is not secure. Google Drive is, with a business associate agreement. Google Maps: I'm not sure how you would send PHI through that, so I'm not sure that's an issue. The best thing to do is look at their HIPAA whitepaper to be sure.
Q: If we use VOIP for our phone service, is it OK to do a conference call from the phone with the patient and their family and our office? We usually set up conference calls.
A: VOIP is usually done with an SSL license, so yes, that would be fine. If they're recording and storing that information then you will need a Business Associate Agreement with them. Otherwise I think they would just be considered a conduit. So that means you wouldn't necessarily need the Business Associate Agreement with them.