Staff and remote access: more than patient information is at risk

Mobile technology, arguably, allows for greater efficiency and better communication. But, for the manager of a medical office, it also creates challenges.

Staff who work remotely, even occasionally, may inadvertently share confidential information via unsecure networks when using smartphones and tablets, as well as personal laptops and notebook computers.

Patient information

The biggest area of concern is patients’ personal health information (PHI). HIPAA privacy and security rules apply to all your operations – including remote access.

The Department of Health and Human Services (HHS) lists laptops and home desktop computers, as well as tablets and smartphones, among the technologies of concern. It also includes public workstations and Wireless Access Points (such as a library, coffee shop or hotel), USB flash drives and memory cards, floppy disks, CDs, DVDs, backup media, email, Smart Cards, and remote access devices.

In other words, every form of connectivity carries risk and is therefore subject to HIPAA privacy and security rules.

But are the risks really that great?

Actually, there are numerous scenarios that could compromise patient information.

HIPAA Security guidance identifies the following risks associated with remote access:

  • Employee’s potential unauthorized access to PHI while working remotely
  • Home workstations left unattended, risking improper access
  • Contamination of office systems by virus introduced through remote access
  • Lost or stolen devices permitting unauthorized access
  • Data left on external devices used for remote access
  • Data intercepted during transmission to or from a remote user

“The number of breaches associated with misplaced or stolen portable devices is extremely high,” says New York attorney Brittany M. Bacon, of Hunton & Williams, who represents clients with regard to information security and compliance.

To keep patient information safe and secure, HIPAA requires adherence to specific standards.

These tips will help your medical practice comply with the HIPAA Security Rule when using mobile technology.

Remember that, in addition to HIPAA privacy and security rules, there are a host of laws and regulations at the federal and state level that make information security a critical issue for medical offices.

Practice financial information

When discussing mobile technology, the focus is generally on PHI. However, other types of practice information may be compromised via remote access.

Types of information to consider, among others, include:

  • Accounts receivable
  • Accounts payable
  • Purchasing contracts
  • Staff salaries

Practice staff information

Likewise, sharing personal staff information remotely opens the door to potential problems.

Types of information to consider, among others, include:

  • Files that contain employee Social Security numbers
  • Performance appraisals
  • Written requests from staff for disability-related accommodations
  • Correspondence regarding employee performance, whether between manager and employee’s immediate supervisor or manager/supervisor and direct report

And it’s not only unsecure networks that pose a threat. There are also “wrong address” errors that can occur when communicating by text and email. With today’s one-touch features, these are more common than might be suspected.

What if confidential financial or staff information ends up in the wrong hands as the result of such an error?

Although not subject to the same oversight as PHI, a breach of any private or confidential information may create embarrassment for the practice, if not legal issues.

Establish guidelines

With this in mind, procedures should take into account what kind of work will be performed remotely, and guidelines should be established for how and where those tasks are accomplished. Rules about texting, for example, may be part of these guidelines. Email communication may also be included.

In addition, if it hasn’t done so already, your practice should consider cloud-based technology solutions for practice management. The best of these solutions cover most aspects of medical office management – and they are secure. Today, affordable solutions are available for medical practices of all sizes.

Even if you don’t have regular telecommuters on staff, you and other members of your practice team do sometimes work offsite – when at conferences, while on vacation, and from home during inclement weather.

Remember, a data breach can be costly. Therefore, when it comes to information security, it’s smart to be proactive.

Related reading:

HIPAA is now striking small offices; the first hit is on mobile devices








