Mobile devices have changed the way people share and access information in their personal and professional lives. Smartphones and tablets may make it easier and faster for people to communicate, store, and access information, but they present risks if lost, stolen, or hacked. This can be especially challenging in the healthcare industry as it has become common for providers to use various mobile tools, including smartphones, laptops, notebooks, tablets, phablets, personal digital assistants, USB devices, digital cameras, and radiofrequency identification devices, to communicate with colleagues and access applications.
Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws. In some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.
Small- to medium-size clinics often operate under the assumption that their outsourced IT shop or managed services provider (MSP) is providing a robust security solution, but this is not always the case. MSPs aren't necessarily falling down on the job, though; remember that just because something is outsourced doesn't mean the vendor will manage all of the risk. In the end, if you want additional services from your MSP, it costs money. RapidFire Tools® offers a solution MSPs can use to address risks that many small- to medium-size clinics may falsely assume are already managed.
Q: I work at a pediatric practice, and we receive a lot of holiday cards from our patients, many of which feature family photos. We hang them up because the patients love to see themselves displayed in our lobby. We have reached out to a HIPAA security officer at a nearby hospital who told us it is not a HIPAA violation to display holiday cards received from patients. Is this accurate?
Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse.
