- With the wide proliferation of mobile devices like smartphones, laptops, and tablets along with fitness trackers and smart watches, it is understandable how the age of the Internet has brought forth a near obsession throughout our culture to use our mobile devices every day. As such, more and more employees are now using their own mobile devices within the workplace. In healthcare, Bring Your Own Device or BYOD policies are taking place to ensure patient data remains secure.
It is incredibly important to include data privacy and security clauses in BYOD policies whether the mobile devices are used in healthcare or the corporate world. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has brought about requirements for hospitals and other medical facilities to protect patient information in both electronic formats and paper-based techniques.
Healthcare data breaches are a major downside to the integration of BYOD policies. According to the 2014 Breach Report: Protected Health Information (PHI) from health IT security firm Redspin, more than 40 million Americans were victims of a data breach of their own personal healthcare data over the course of 2009 to 2014.
In early 2015, there was an alarming data breach reported at Anthem, which affected a total of 80 million patients. This was a record-breaking breach and these type of situations need to be avoided, especially with the integration of BYOD policies throughout many medical facilities.
“From here on, all PHI breach statistics are going have to be reported as ‘pre- or post-Anthem,’” Daniel W. Berger, President and CEO of Redspin, said in a company press release. “It’s that big. We wouldn’t be surprised to see the costs of the Anthem breach exceed a billion dollars.”
Last year, the Department of Health and Human Services (HHS) Office of Civil Rights received a total of 164 occurrences of private health information breaches, which affected approximately 9 million patient records. When compared to 2013, the numbers of patient records breached rose by 25 percent in 2014. This is clearly a turn for the worse when it comes to patient data privacy and security.
“It was only a matter of time before hackers targeted hospitals,” Berger explained. “Health records are very valuable on the black market.”
More than half of the breach totals in 2014 were due to cyber hacking. This also includes larger breaches such as the restricted access of 4.5 million patient records at Community Health Systems (CHS) in Franklin, Tennessee.
HIPAA rules need to be followed in every avenue of the healthcare system and medical care providers will have to improve their security features and BYOD policies in order to reduce these rising numbers of data breaches. The report from Redspin covers some measures that hospitals and clinics can take to protect patient data from hackers and other major security risks.
The HIPAA Privacy Rules affect much of the medical industry including health plans, healthcare providers, and healthcare clearinghouses. Providers can vary from physicians and clinics to chiropractors, pharmacies, dentists, and psychologists. Specifically, these entities must take part in transmitting electronic information “in connection with a transaction for which HHS has adopted a standard.”
“Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information,” the Department of Health and Human Services (HHS) reported on its website.
“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”
Healthcare facilities that have gone forward with adopting BYOD policies will need to keep strict patient data privacy and security measures that comply with HIPAA Privacy and Security Rules.