I had a conversation with a group of physicians a couple of weeks ago that shed some interesting light on where patient information resides and how to protect it. Each of the 5 physicians had a smartphone, from various manufacturers: two had iPhones, two had Android phones and one had a BlackBerry.
I asked the group of physicians if they had a startup password and an inactivity timeout set on their phone. The general response was something like this:
Setting a password on the phone is a pain in the butt. I will have to re-enter the password 40 times during the day. I don’t have time for that.
I told them I know exactly how they feel. My Android phone is set to a 5-minute timeout and I feel like I am constantly entering the password.
One physician then said:
What is the real risk here? All of our patient information is in our EMR; we don’t have any of that information on our phones.
They went on to tell me that they use Citrix for remote access to their EMR and that all of the data is kept on the server. I agreed with them but asked a follow-up question:
Do nurses email you with status updates on patients? For example, test results or a summary of a patient conversation?
The response was:
Of course! That is how we communicate. Nurses send status updates all the time. I probably have 100 patient emails in my inbox. That information stays on our email system and never goes to the patient, so we are OK.
My follow-up response made all of their eyes light up:
All of the emails that the nurses send you eventually end up on your smartphone. By using ActiveSync or BlackBerry email, every email that is in your mailbox is also on your phone. This includes all the emails from the nurses with patient names, test results, summaries of conversations and other information. This information makes up protected health information (PHI) and needs to be protected under HIPAA. So if you lose your phone or it is stolen, you are looking at a data breach and HIPAA violations. Without a startup password and data encryption on the phone, you are looking at having to send a breach notification to each one of the patients. You are probably looking at tens of thousands of dollars in forensics to determine which patients need to be notified, sending breach notifications and possibly offering credit monitoring services. In addition, you are looking at legal fees and then HIPAA fines for not protecting patient information and not being compliant with HIPAA regulations.
Needless to say, all the doctors got the message and said that they would have their IT company implement startup passwords, inactivity policies and ensure that each of the phones is encrypted. I also mentioned to them that a Risk Assessment would uncover other areas where patient data was not being protected. Their heads all nodded in agreement.
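The three controls the doctors agreed to (startup password, inactivity timeout, device encryption) do not have to rely on each physician configuring their own phone. Because the PHI reaches the phones through ActiveSync, the mail server can require them as a condition of syncing. The following is an added example, not code from the original post or from the practice's IT company; it assumes an Exchange 2010 server with Exchange ActiveSync, is run from the Exchange Management Shell, and uses a placeholder policy name and mailbox address.

```powershell
# Added example (not from the original post): enforce the controls discussed above
# through an Exchange ActiveSync mailbox policy, then verify which devices sync a
# physician's mailbox. Assumes Exchange 2010; policy name and mailbox are placeholders.

$policyName = 'Clinical-Mobile-PHI'            # placeholder policy name
$mailbox    = 'dr.example@clinic.example'      # placeholder mailbox

# 1. Create the policy. Splatting lets each setting carry its own comment.
$policy = @{
    Name                            = $policyName
    DevicePasswordEnabled           = $true       # startup password required
    AllowSimpleDevicePassword       = $false      # no "1234"-style codes
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'  # lock after 5 minutes idle, as in the post
    MaxDevicePasswordFailedAttempts = 10          # device wipes itself after 10 wrong codes
    RequireDeviceEncryption         = $true       # mailbox data on the phone is encrypted
    RequireStorageCardEncryption    = $true       # and on any removable storage
    AllowNonProvisionableDevices    = $false      # refuse phones that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to the physician's mailbox. Repeat (or loop over a
#    distribution group) for every clinician who receives nurse updates.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Verify: list every device syncing this mailbox and whether it has applied the policy.
#    A device that never reports the policy as applied is one that still holds PHI unprotected.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, LastSyncAttemptTime,
                  DevicePolicyApplied, IsRemoteWipeSupported

# 4. Lost or stolen phone: issue a remote wipe for that device. The breach analysis
#    the post describes still has to be done; the wipe only limits further exposure.
#    Uncomment and supply the device identity from the listing above.
# Clear-ActiveSyncDevice -Identity '<device identity from Get-ActiveSyncDeviceStatistics>'
```

Setting AllowNonProvisionableDevices to $false is the part that closes the gap the doctors described: a phone that cannot accept the password, timeout and encryption requirements is refused rather than allowed to download the mailbox. Note that a BlackBerry connected through a BlackBerry Enterprise Server is governed by that server's IT policy instead, so the equivalent settings have to be applied there as well.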