Keeping Your Devices Secure: HIPAA Rules for Hardware

A hand is about to throw a cracked smartphone in a public trash can. Under the Health Insurance Portability and Accountability Act (HIPAA), health care providers—including therapists—must keep protected health care data secure. Not disclosing this data is insufficient. You must take proactive steps to prevent inadvertent breaches. As more clinicians turn to virtual note-taking, cloud storage, and online patient records, your technological devices (phones, laptops, etc.) become a potential access point for people who wish to violate client privacy.

Keeping these devices secure is not always convenient. You may need to use complex passwords, avoid storing certain types of data on the device, and keep the device in a locked location when you are not using it.

The cost of a violation, however, can be immense. Health care providers and entities can be charged $100 to $50,000 per violation. Clinicians who knowingly violate the law or who are negligent or reckless can expect to pay fines on the higher end of this range.

Physical Access Points

Thieves don’t have to be skilled hackers to get client information if they can access your hardware. HIPAA requires health care providers to implement procedures and policies that protect patient data. When such data are stored on or accessible from physical devices, there must be access controls in place. The law does not require specific types of controls. Multiple layers of security, however, offer the best protection. Some strategies that can reduce physical access include:

Locking all devices with a password or key, even when the device is only unattended for a minute.
Setting app controls to require a password each time you log in.
Never accessing sensitive client data on public computers.
Establishing rigid controls governing who may access office computers. Each user should have their own login and password.
Physically securing devices behind a locked door, in a safe, or in some other secure location.
Never allowing other people to borrow or use devices that contain protected health information (PHI).
Do not use devices with PHI on unsecured or public networks. Set user preferences to ensure the device will not automatically connect to these networks.

Managing Your Passwords

Passwords are a vital tool for protecting sensitive data. Using them correctly offers additional security. Some tips for effective password use include:

Choose longer passwords, as they are harder to guess. Avoid using birthdays, common words, favorite hobbies, or other terms someone could easily figure out.
Don’t use long strings of the same character in a password.
Never give out passwords to another person.
Do not write passwords in an accessible physical location. If you must use a notebook or other physical password manager, keep it locked and use a code system for passwords. You might substitute letters for numbers or list password hints rather than actual passwords. A person who gains access to this document should not be able to immediately guess your passwords.
Do not save passwords in a web browser or app. If you struggle to remember passwords, consider using a secure, password-protected password manager instead.

Webcams and Microphones

Telemental health services are increasingly popular. Online therapy allows therapist to reach a broader audience and may reduce health care costs. It also opens new security holes. Microphones and webcams are common security weak points. Criminals who hack into devices may be able to access these tools to listen in on therapy sessions or gain information they can use for other nefarious purposes.

Additionally, programs that use web conferencing may not be secure. To ensure HIPAA compliance:

Use only fully encrypted programs to communicate with clients.
Turn off webcams and external microphones when you are not using them.
Never use video chat or other web conferencing platforms on public or unsecure networks.

Recycling Devices

People keep their smartphones for an average of 2.9 years, though some upgrade their devices every time a newer, better option comes out. Over the course of a career, that’s a lot of devices with a lot of PHI. HIPAA does not specify rules practitioners must follow before recycling or trading in their devices. Instead, it merely requires that the data must be removed. HIPAA leaves it to the clinician to determine how to do so.

To ensure patient data remain secure:

Never throw away a device that has not been totally wiped clean. Take security precautions even if the device is broken or will not turn on.

Do not sell or trade in devices that may have client information on them.

Delete all apps from the device. Even when password-protected, apps may contain confidential client information.

Erase all content from the device. The steps for doing so vary with the type of device. Some devices have a built-in option for resetting and wiping all data. However, sometimes this data can be recovered. In other cases, all data may be stored on an SD card or other removable type of storage.

If you work for a health care organization, ask about policies for wiping and recycling hardware. There may be an IT department that can do it for you, or specific protocols you must follow and document.

Mental health providers who remove client data from their devices must be mindful of state record maintenance laws. Each state establishes its own rules for how long clinicians must retain medical records. In most cases, you’ll need to ensure another copy of these records is available before deleting them. That may require transferring data to another device or to cloud storage. Make sure to use only encrypted storage and secure devices for data backup.

Digital privacy rules can be complicated and intimidating. However, protecting health care data is a cornerstone of ethical therapy. Ensure your approach complies with the law and with ethical rules. GoodTherapy educates therapists about following these rules with continuing education seminars, a regularly updated blog, and plenty of support to run your practice. Clinicians also get listed in our popular online directory. Reach the right clients for your practice by getting listed today!

References:

FAQ about HIPAA requirements and IT recycling. Retrieved from https://www.securis.com/clients/data-destruction-it-recycling-healthcare/faq-about-hipaa-requirements-regarding-e-phi
HIPAA violation fines. (n.d.). HIPAA Journal. Retrieved from https://www.hipaajournal.com/hipaa-violation-fines
Lovejoy, B. (2018). Americans are now holding on to their iPhones for almost three years. 9to5Mac. Retrieved from https://9to5mac.com/2018/10/30/iphone-upgrades
Mobile data security and HIPAA compliance. (n.d.). HIPAA Journal. Retrieved from https://www.hipaajournal.com/mobile-data-security-and-hipaa-compliance
Rashid, F. (2017). Want stronger passwords? Understand these 4 common password security myths. CSO. Retrieved from https://www.csoonline.com/article/3228106/want-stronger-passwords-understand-these-4-common-password-security-myths.html
Tomes, J. (2014). Can you Skype and be HIPAA compliant? Retrieved from https://www.veteranspress.com/skype-and-hipaa-compliance

Last Update: 12-02-2019

Professional Resources

Learn from Experts: Improve Your Practice and Business

Trusted by thousands of mental health professionals just like you.

Every month, GoodTherapy will send you great content, curated from leading experts, on how to improve your practice and run a healthier business. Get the latest on technology, software, new ideas, marketing, client retention, and more... Sign up today.