Since writing about some of the concerns related to HIPAA a while back, several people have wondered what it might mean to carry your email with you on your mobile device. What’s the point of being connected if you can’t use your mobile phone without worry that it could get lost or stolen? What does that mean for your data and the information of the clients that you work with?
One of the great ideas that I first found on the Person-Centered Tech website was that only people can be HIPAA compliant. We’ve talked about how you can set up Google’s G-Suite for your practice and enter into a Business Associate Agreement with them, but all that means is that Google is going to do their part to keep your data safe while it’s in the cloud. When that data is on your phone or even on your computer, you still bear the weight of protecting it. Most of us imagine a scenario where our phone gets stolen while we’re at a coffee shop. But there are other, more mundane scenarios too.
Do you have kids? Do they ever play with your phone? If you’re not taking steps to make sure your email and calendar information is safe, even the most well-meaning child could open your email and accidentally send a copy of your client’s last message to your entire contact list.
Luckily, there are a couple of things you can do.
As long as you are keeping client information on your mobile device, you should absolutely know where it is at all times. This doesn’t mean tying it to your wrist or never letting it leave your side, but make sure that you can account for it and know that it is being used responsibly and safely. I’ve heard it said that mobile phones are not so different from a purse or a wallet – and we hold those pretty close. Not just anyone gets access to the financial information, the photos, and the personal material that we keep in those things but many of us will routinely hand our phone off to a child or someone else.
Only people can be HIPAA compliant, and we as clinicians bear the weight of protecting the data we have access to. If you are going to have ePHI on your phone, one of the ways you need to bear that weight is to use a strong passcode. It can be a pain, I understand. Typing in four digits is a lot easier than typing in something like “traMpoLine#82”, but the second password (which is still easy to remember) is vastly harder to guess than the default four or even six digits. (If you’re interested, the second password is 4.72 x 10^21 times more complex than the first: each of its thirteen characters can be an upper- or lower-case letter, a digit or a symbol, rather than just one of ten digits.)
Modern phones with fingerprint readers make this much easier to stomach; with those devices it’s rare that you would even have to type anything in. Older Android devices with fingerprint sensors vary in quality, but newer Android phones and Apple’s implementation on the iPhone have been shown to be very effective. Keep in mind that the fingerprint is a convenience layered on top of the passcode, not a replacement for it: the phone still falls back to the passcode (after a restart, for example), so the passcode is what ultimately protects the data. For the few times you do have to type in the longer password, it’s worth the extra security of the client information.
Not only should you password protect your phone, but it’s a good idea to use applications that let you double up with a second lock inside the app itself. If you are one of those people using G-Suite, you can use one of Google’s own products for this. The Google Drive app for iOS and Android allows you to lock your files down so that, every time you open it, it requires a passcode or your fingerprint.
As for email and calendar, somewhat surprisingly, I’ve been recommending clinicians look at the Microsoft Outlook mobile app to handle their G-Suite email and calendar. It’s a great app on its own and it also allows you to lock it down so that you have to use your fingerprint to access the data inside.
Both of these options are great because you can feel safe handing your phone off to a child or a friend without them being able to access your client’s data, even accidentally. One related setting worth checking: if your lock screen shows message previews in notifications, the first lines of a new client email can be read without unlocking anything, so turn previews off for your email app.
Just in case you do happen to lose your phone, whether it’s stolen or a child (or adult) drops it through the storm drain at the grocery store, you can also remotely lock or wipe your phone. If you’re an iPhone user, sign in at iCloud.com (Find My iPhone), and at Android.com (Find My Device) if that’s your style. Both sites offer ways to remotely lock or completely erase your phone so you don’t have to worry about it falling into the wrong hands. Two caveats: the feature has to be turned on before the phone goes missing, and the remote command only reaches a phone that is powered on and connected, which is one more reason the strong passcode matters.
Hopefully these tips help! Sometimes I feel like we’re channeling Smokey the Bear but “Only YOU can be HIPAA compliant.” With a few very easy and very safe steps, you can make sure you’re doing all you can to protect the data that you have while still being able to do your job well when you’re away from the office.