hipaa 2013 - hipaa requirements and mobile apps · mobile app strategy 1. identify mobile app needs...
TRANSCRIPT
![Page 1: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/1.jpg)
HIPAA Requirements and Mobile Apps
OCR/NIST 2013 Annual Conference
Adam H. Greene, JD, MPH Partner, Washington, DC
![Page 2: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/2.jpg)
Use of Smartphones and Tablets Is Growing
2
![Page 3: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/3.jpg)
How Info Sec Sees Smartphones
3
Camera for Improperly Recording PHI
Easily Lost, Stolen, or Discarded with PHI on It
Easy Access to Facebook for Improperly
Posting PHI
No Physical Keyboard for complex passwords
![Page 4: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/4.jpg)
How Info Sec First Responds
4
1. Thou Shall Disable Thy Smartphone Camera
2. Thou Shall Not Text 3. Thou Shall Not Place PHI on Thy
Smartphone or Tablet
![Page 5: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/5.jpg)
How Clinicians and Other Staff Respond
5
![Page 6: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/6.jpg)
Design an Effective Mobile App Strategy
1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business associate agreement if
necessary and perform due diligence 5. Document Security Rule compliance 6. For patient/enrollee-facing apps, comply
with Privacy Rule
6
![Page 7: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/7.jpg)
Identify Mobile App Needs
1. Thou Shall Disable Thy Smartphone Camera Is there appropriate
use of smartphone cameras for certain procedures? Is their an appropriate
way to securely share pictures and add them to the record?
7
![Page 8: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/8.jpg)
Identify Mobile App Needs
2. Thou Shall Not Text Why are members of the
workforce texting? Is e-mail effective? Is a no-texting policy
effective, or is secure texting needed?
8
![Page 9: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/9.jpg)
Identify Mobile App Needs
3. Thou Shall Not Place PHI on Thy Smartphone or Tablet Why is PHI ending up on
smartphones? Is remote access to PHI
sufficient? Is a secure vault for PHI
needed?
9
![Page 10: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/10.jpg)
Identify Mobile App Needs
Patient Engagement Improved access to EHR (MU Stage 2) Ability to accept patient health information
(e.g., iBlueButton) Improved treatment communications and
adherence Appointment reminders
10
![Page 11: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/11.jpg)
Identify Mobile App Solutions
Mobile diagnostic tools Secure access to e-mail Mobile EHR portal Secure texting Secure container Secure access to Blue
Button data Remote wipe and antivirus
11
![Page 12: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/12.jpg)
Include Mobile Apps in Risk Analysis
Identify where PHI is located on mobile devices
C - What apps Create PHI (e.g., diagnostic apps) R - What apps Receive PHI (e.g., EHR portal, e-mail, iBlueButton) M - What apps Maintain PHI (e.g., e-mail, secure container) T - What apps Transmit PHI (e.g., secure texting)
12
![Page 13: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/13.jpg)
HIPAA Hot Potato
13
Health Plan Server
Covered by HIPAA
Patient Device
Not Covered by HIPAA
Physician Tablet
Covered by HIPAA
![Page 14: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/14.jpg)
Include Mobile Apps in Risk Analysis
Identify threats and vulnerabilities What if mobile device is lost, stolen, or
replaced? What if mobile device is shared? Can malware on device lead to unauthorized
access? Can transmissions be intercepted by
unauthorized third party? Is PHI on device reasonably available?
14
![Page 15: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/15.jpg)
Include Mobile Apps in Risk Analysis
Identify current security controls? Is information encrypted while maintained? Is information encrypted in transit? What authentication of app users is in place? Is PHI backed up when necessary? Can PHI be remotely wiped?
15
![Page 16: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/16.jpg)
Include Mobile Apps in Risk Analysis
Identify likelihood, impact, and aggregate risk What is the likelihood of a threat exploiting a
vulnerability? What is the impact if exploited? Likelihood x Impact = Risk
16
![Page 17: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/17.jpg)
Implement Risk Management Strategy
What risks are medium and high? Can risks be lowered to reasonable
amounts through: Policies Training Additional technical controls (e.g., locking
down the device or adding remote wipe features)
17
![Page 18: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/18.jpg)
Obtain Necessary BAAs & Due Diligence
Does the app developer create, receive, maintain, or transmit PHI on covered entity’s behalf? If PHI is encrypted and app developer does
not have the key, HIPAA is unclear as to whether BAA is needed
Due diligence - What is app developer’s security?
18
![Page 19: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/19.jpg)
Document Security Rule Compliance
Included in risk analysis Included in risk management Sanctions for violations of policy Reasonably review system activity If activity cannot be centrally reviewed,
document whether this is reasonable Authorization, supervision, and clearance Who needs access to PHI on mobile devices
19
![Page 20: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/20.jpg)
Document Security Rule Compliance
Termination procedures Is PHI on mobile devices secured and access
through apps terminated at employment termination
Include mobile apps in security awareness and training Address potential malware on mobile
device Address mobile app passwords
20
![Page 21: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/21.jpg)
Document Security Rule Compliance
Identify and respond to mobile app security incidents Ensure that PHI in mobile apps is
reasonably backed up Integrate mobile apps into contingency
planning Evaluate mobile app program
21
![Page 22: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/22.jpg)
Document Security Rule Compliance
Address physical security of mobile devices Address which mobile devices need to be
inventoried Ensure proper disposal/re-use of mobile
devices with apps containing PHI Address whether mobile devices need to
be backed up
22
![Page 23: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/23.jpg)
Document Security Rule Compliance
Address automatic logoff of mobile apps Address encryption of data maintained by
apps on device Address encryption of data transmitted by
mobile app Document basis for transmission of some PHI
without encryption
23
![Page 24: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/24.jpg)
PRIVACY RULE AND MOBILE APPS
24
![Page 25: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/25.jpg)
The X-Factor
25
![Page 26: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/26.jpg)
Right of Access
Patient may access copy of designated record set in requested form and format, if readily producible Mobile app to portal may be convenient
means of providing access (and support MU Stage 2 objectives) But, patient may prefer unencrypted e-
mails (permissible after warning of risk)
26
![Page 27: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/27.jpg)
Right to Confidential Communications
Must accommodate reasonable requests for communications to patient by alternative means or at alternative location Some patients may prefer communications
through unencrypted e-mails Other patients may not want unencrypted
appointment reminders
27
![Page 28: HIPAA 2013 - HIPAA Requirements and Mobile Apps · Mobile App Strategy 1. Identify mobile app needs 2. Integrate into risk analysis 3. Design risk management strategy 4. Obtain business](https://reader033.vdocuments.mx/reader033/viewer/2022060513/5f2c07d7eb281b10bb42b8d7/html5/thumbnails/28.jpg)
Don’t Let Security Trump Patient Preference
(No matter how much you paid for that secure mobile app)
28