No Vacation for HIPAA

This summer many of us are taking long overdue vacations that were put on hold or delayed because of the pandemic.  As healthcare workers, you are certainly due time off – especially after the brunt of COVID-19 was dealt with by your industry.

While you’re checking out and hoping that you won’t have to check in with the office, be aware that HIPAA does not care if you’re in the office or out.   We’ve put together some suggestions to take with you on vacation, especially if you’re taking your own devices that have access to any patient data.

1. Back up all files before leaving the office – a critical step should you need to restore or recover anything
2. Install all security patches and software updates before taking off. Software companies release these as they become aware of security gaps in their product and it is essential
3. Bring your own power adapter and cords. Malware has been found at airport kiosks, public charging stations, and even hotel lamps! If you MUST use one of these, power down your device before connecting to any public option
4. Make sure that all of your passwords are strong and enable multi-factor authentication on any accounts that offer it. This means that when you log in, you have to verify that it is you, or if a hacker tries to get into your account, you are notified by the second means of communication (i.e., a text with a code)
5. Put a passcode, PIN, or fingerprint id on all of your devices
6. Make sure that if your device encrypts any sensitive data – or has a full encryption method enabled
7. Do not use free or open Wi-fi when traveling – also be aware of any Bluetooth connections that you establish, like that rental car you authorized to use your phone!

Device Theft

Safety and security also go beyond taking measurements to protect the data on your device.  You need to make sure that you lock up any devices that you leave out in the open.  Use the hotel safe if there is one present. Don’t leave your laptop unattended while you sip your morning coffee in the hotel lounge or by the pool – it just takes a few seconds for theft to occur!  And never place your laptop, phone, or tablet in checked luggage.

Even if your device is protected, if it contains PHI and it is stolen, it may need to be reported as a potential data breach under HIPAA guidelines if the data is not encrypted according to the standards established by the National Institute of Standards and Technology (NIST). If it is, be sure that you can provide documentation verifying this.

Preparation

Most facilities assume that they are safely covered with HIPAA compliance if they maintain strict guidelines within the four walls of their facility, but the mobile world in which we live can present challenges that can easily be overlooked.  Working remotely and in the ‘safe space’ of our homes can also present challenges, but when we are on vacation, our guard is down more than ever, and it is when accidents may be more likely to happen.

Enjoy your time away from work, but make sure that you are protecting the data that you carry with you.