Marianne K. McGee over at InformationWeek.com put out a rather informative article detailing the problems that HIPAA requirements pose for IT departments in or associated with the medical field. A salient point in the article is that more and more patients and staff are relying on mobile devices to transfer medical information. As the article points out, mobile devices are often the target when someone is trying to gain illegal access to an information system.
Many medical organizations preempt this by simply avoiding the issue. Mony Weschler, the ancillary informatics director at Montefiore Medical Center in New York City, provides an example of this approach. McGee’s article quotes Weschler thus: “We don't store patient data on devices like smartphones and iPads.”
Though this policy is a good one for the present, how will it work in years to come? No blanket policy in the world will prevent your staff from transmitting information in the most expedient manner possible if the situation demands, and that is how it should be, especially in a sector such as the medical professions where so much information is time-critical. HIPAA regulations even make allowances for information that is shared during instances where timeliness is imperative (see: HIPAA and Natural Disaster: when is it appropriate to share medical records?). Instead of totally banning the use of newer, more portable communication technologies, the tack to take is to develop a sound, considered plan for integrating these technologies so that neither timeliness nor security is compromised.
Timeliness is an inherent quality of good communications, in *some* ways even more important than security. In fact, it may be reasonably argued that the advancement of communication is propelled by the invention of methods for *quickly* transmitting ideas, with the security of those transmissions as an afterthought which improves the general method. In a perfect world, timeliness and security would keep pace with one another as communication technology progresses. However, that is simply not how the world works, and people use the technologies at hand. The fact is that, at some point, someone who works for you has probably already sent a text or an email from a smartphone that contains information that falls under HIPAA’s purview.
In the long run, we can’t expect this issue to go away. In a world that relies more and more on transportability of the workspace, people are not going to stop using their iPads and smartphones. In the medical industry, to do so is to potentially fall behind the competition. The trick is to make sure that the transition is made carefully and with forethought. The first thing to do is to familiarize yourself with what exactly HIPAA requires of communication security. To help with this, see 5 Questions to Ask About HIPAA Security. Though it is oriented towards selecting an answering service, it will provide you with a good overview of HIPAA compliance.