Ophthalmology and Optometry Coding Alert

Question: Our staff members now carry tablets where they record their documentation. Twice so far, a physician has left one of the devices in an examining room. How can we create a program to keep these more secure?

Codify Subscriber

Answer: Many eye care practices have begun converting into using tablet-based EHRs, and knowing how to keep them secure is a common issue. The HHS Office of the National Coordinator for Health Information Technology (ONC) offers the following steps to ensure your practice mobile devices stay safe and secure:

1. Determine device usage: First, decide whether you'll use mobile devices to access, receive, transmit, or store patients' PHI - and outline who'll be in charge of the management and maintenance of the devices. Also, resolve whether you'll integrate smartphone and tablet utilization as part of your practice's internal network or systems.

2. Calculate the risks: Consider the risks of using mobile devices to transmit PHI. Conduct a risk analysis to identify threats and vulnerabilities.

3. Outline a risk management plan: Using the information garnered from your risk assessment, establish a compliance strategy pertaining to your mobile devices, taking into account the HIPAA Privacy and Security Rules. This will help your office develop and implement safeguards, reducing problems previously identified in your risk analysis.

Tip:  Remember, your compliance planning should include frequent evaluations and regular maintenance of the mobile device safeguards you put in place.

4. Implement HIPAA-compliant policies and procedures: Design and develop mobile device policies and procedures with clear-cut documentation, keeping HIPAA in mind. Ensure that your protocols address MDM, bring your own device (BYOD) issues, and restrictions on personal use. Management of applications, security, and configuration settings for mobile devices must be maintained, too.

5. Educate employees: Provide mobile device privacy and security training for all staff members on an ongoing basis. Educate employees from the bottom to the top on what your office rules entail, on HIPAAcompliance, and what a violation means for your practice.

Here are some tips to secure PHI on mobile devices, also courtesy of the ONC:

• Set strong passwords: Always use a password or other user authentication on mobile devices. Multi-factor authentication passwords are recommended.
• Encrypt: Install and enable encryption to protect health information stored, utilized, or sent by mobile devices.
• Use automatic log off: Also, make sure your mobile device requires a unique user ID for access.
• Enable remote wipe: Install and activate wiping and/or remote disabling to erase the data on your mobile device if it is lost or stolen
• Keep the device with you: Maintain physical control of your mobile device. Know where it is at all times to limit the risk of unauthorized use.
• Use a screen shield: Don't share your mobile device with anyone, lock the device when not in use, and implement at-rest protocols.
• Install a firewall: Install and enable a firewall to block unauthorized access.
• Use a secure Wi-Fi connection: Use adequate security to send or receive health information over public Wi-Fi networks.
• Research mobile applications before downloading: Disable and do not install or use file-sharing applications.
• Employ security software: Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks. Keep your security software up to date.
• Use proper disposal methods: Delete all stored health information on your mobile device before discarding it.

Resource: For more ONC advice on managing your practice's mobile devices, visit www.healthit.gov/sites/default/files/mobile_devices_and_health_information_privacy_and_security.pdf.