Technology and HIPAA Privacy Devices & Software
Many of our SACES members contacted us asking for more in-depth information on why encryption is necessary for confidentiality, safety, and more, following a previous topic in which we discussed HIPAA-compliant external drives and flash drives. We heard you, and in the lines below we offer answers to your questions.
Before we begin, here are some important points that every counselor educator, counseling professional, and counselor-in-training should know about the American Counseling Association Code of Ethics, Section H (Distance Counseling, Technology, & Social Media), page 17, https://www.counseling.org/resources/aca-code-of-ethics.pdf :
- H.1.a. (Knowledge and Competency): Counselors who engage in the use of distance counseling, technology, and/or social media develop knowledge and skills regarding related technical, ethical, and legal considerations (e.g., special certifications, additional course work).
- H.2.a. (Informed Consent and Disclosure): Clients have the freedom to choose whether to use distance counseling, social media, and/or technology within the counseling process.
- H.2.b. (Confidentiality Maintained by the Counselor): Counselors acknowledge the limitations of maintaining the confidentiality of electronic records and transmissions. They inform clients that individuals might have authorized access to such records or transmissions.
- H.2.d. (Security): Counselors use current encryption standards within websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic media.
- H.3. (Client Verification): Counselors who engage in the use of distance counseling, technology, and/or social media to interact with clients take steps to verify the client’s identity at the beginning and throughout the therapeutic process.
- H.4.a. (Benefits and Limitations): Counselors inform clients of the benefits and limitations of using technology applications in the provision of counseling services. Such technologies include, but are not limited to, computer hardware and/or software, telephones and applications, social media and Internet-based applications and other audio and/or video communication, or data storage devices or media.
- H.4.b. (Professional Boundaries in Distance Counseling): Counselors understand the necessity of maintaining a professional relationship with their clients. Counselors discuss and establish professional boundaries with clients regarding the appropriate use and/or application of technology and the limitations of its use within the counseling relationship (e.g., lack of confidentiality, times when not appropriate to use).
- H.5. (Records and Web Maintenance)
- H.6. (Social Media)
What is Encryption?
According to HealthIT.gov (2017), “Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users.”
What Should I Look for Before Buying a HIPAA-Compliant Encrypted Flash Drive?
Follow these guidelines when you are looking for encrypted Protected Health Information (PHI) storage (adapted from Lux Scientiae, Inc., 2016):
Why store PHI / Patient Data on a USB Flash Drive?
In organizations where use of USB drives and other portable media for patient data is not explicitly forbidden (as it should be), practitioners are left to their own devices and seek solutions to make their work as efficient as possible. USB drives are extremely cheap, extremely portable, and extremely easy to use. Practitioners commonly use them to:
- Transport patient data from their office to/from the locations where they are meeting with their patients
- Transport patient data to/from home for storage and/or analysis
- Store permanent or temporary records for specific patients
- Make backup copies of patient data
So, What’s Wrong With That?
While USB Drives make things quick and easy, there are a few significant issues that warrant their complete non-use in a health care environment (at least for PHI).
- Loss. Once you start carrying around these small drives, it becomes excessively easy to lose or misplace one. You could take it home by accident, lose your purse or bag which contains a drive, leave it on a shelf where anyone could pick it up, etc.
- HIPAA Security Rule. PHI stored on a USB Drive is “ePHI” (electronic Protected Health Information) and automatically subject to a slew of requirements in terms of storage, transport, and destruction of that data. Most of these requirements are unknown to or not met by the casual healthcare practitioner … leaving them automatically out of compliance.
Loss = Breach
A lost or stolen USB drive with ePHI on it is an automatic breach of HIPAA which can and will subject your organization to fines, negative publicity, and possibly criminal charges if willful negligence of HIPAA is determined.
This is not a joke — companies are already being fined millions of dollars for breaches involving even just one lost or stolen hard drive. It is so much easier to lose a USB drive than to have a regular-sized portable hard drive stolen from a car.
HIPAA requires all breaches to be reported, all affected patients to be notified, and the media to be notified (if the breach is large enough). Failure to report a breach would be even worse — should the breach be discovered later — as that would be “willful negligence” and you would not want to have that laid on you (see HIPAA penalties).
The “Onerous” HIPAA Security Rule
Ok – so you will be very careful so your Jump Drive is not lost or stolen? Then HIPAA says that you must be sure to:
1. Follow all the normal rules required by HIPAA for PHI in general. See our Compliance Checklist.
2. Ensure that the PHI on your USB drive can only be accessed via username and password and that that access is logged. (This is not normal and requires extra software or special hardware.)
3. The data on the USB Flash Drive should be encrypted. See for example: GoldKey.
4. Log the movements of your USB Drive — i.e. you must keep a written record of everywhere it is moved to (this is best not done in a little notebook kept with the drive…).
5. When you are done with the USB Drive, you must dispose of it in a way that prevents any data from being recovered from it by a third party (that doesn’t mean just simply breaking it or dipping it in liquid… see How–and Why–to Destroy Old Flash Drives).
6. Ensure that ALL computers that you use to access the USB drive meet HIPAA requirements for Workstation Use themselves (e.g. software running, virus checkers, access controls, logging, etc.).
7. A careful reading of the HIPAA Security Rule will reveal finer nuances as well.
So, while use of a Thumb Drive is possible in a healthcare setting, such use requires a lot of planning, special software, drives with built in encryption, and careful tracking and logging. Even with all that, if the drive gets lost it can still be a breach, even if the data on it is encrypted (though that will help mitigate how much trouble you are in).
Alternatives to USB Drives?
Ok – so you are ready to kick the portable drive habit. What you use instead really depends on what you are trying to accomplish, exactly, with the Flash Drives. In any and all cases, you should start with:
- Getting HIPAA Compliance going in general: Checklist
- Ensuring that all computers used for PHI are up to HIPAA standards
Then, you need to have a way to communicate your files between these computers in a compliant way without carrying them with you. There are many ways to do this.
- Online File Storage: Use an outsourced, online file storage system that is HIPAA compliant (such as LuxSci WebAide Documents). Note that services like Google Docs and Dropbox are NOT HIPAA compliant and should never be used for this kind of thing.
- Email: Keep the files in email archives and folders with a HIPAA compliant provider.
- EMR: Purchase and use a specialized EMR/PM system (electronic medical record/practice management) to track patient data and more.
- Local File Storage: Use a server in your own office network for custom secure file storage. Unlike with outsourced services, you have much more responsibility to ensure that the servers and access are up to snuff for HIPAA. So, this option is recommended only for organizations with “advanced IT skills” and the time and money to implement.
The first two options – outsourced email or file storage – are least expensive and involve perhaps the least HIPAA knowledge and risk on your part. An EMR is useful if you have more general needs and can afford such a system … though you can get many aspects of an EMR through use of outsourced email, file storage, and collaboration software (such as that provided by LuxSci). Local File Storage requires the most knowledge and risk and a fair amount of cost, but it can grant the most flexibility if your requirements are specialized.
HIPAA Technology & Software
Certified Health IT Product List
https://chpl.healthit.gov/#/search
Practice Management Software
EMR/EHR (comprehensive service for all aspects of practice)
Examples: MyClientsPlus; Simple Practice
Scheduling: Jituzu; YellowSchedule
List of reviews of software programs: http://www.capterra.com/mental-health-software/
Cell Phones
Remotely lock your cell phone or erase the data on it
a. Android device:
https://support.google.com/accounts/answer/6160491?hl=en
b. iPhone device:
https://support.apple.com/kb/PH2701?locale=en_US
Gatekeeper Wireless Bluetooth Computer Lock *Item not found on Amazon
http://www.amazon.com/GateKeeper-Wireless-Bluetooth-Lock-Black/dp/B016N9UVW8/ref=sr_1_2?ie=UTF8&qid=1459653338&sr=8-2&keywords=gatekeeper+wireless+bluetooth+computer+lock
Cloud Storage
Example: http://www.carecloud.com/hipaa-compliant-cloud-storage/
HIPAA E-mail companies:
4securemail
HealthBI
Hushmail – offers free accounts
Neomailbox
Luxsci
SendInc – offers free accounts
More information at: http://telehealth.org/blog/hipaa-compliant-email-companies/
Technology Resources focused on HIPAA Privacy
- Healthit.gov (HIPAA and Health IT)
https://www.healthit.gov/policy-researchers-implementers/hipaa-and-health-it
- U.S. Department of Health & Human Services
Health Information Technology
http://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/index.html
Listservs specifically focused on HIPAA privacy and security
Sign Up for the OCR Privacy & Security Listserv (http://www.hhs.gov/hipaa/for-professionals/list-serve/index.html)
Want to learn more about the HIPAA Privacy & Security Rules?
OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!
These are announcement only listservs, so we will be unable to distribute or directly respond to any feedback you provide.
Privacy Listserv
- Visit the OCR-PRIVACY-LIST for a summary of archived announcements
- Subscribe, delete or update your subscription to the OCR Privacy Listserv
Security Listserv
- Visit the OCR-SECURITY-LIST for a summary of archived announcements
- Subscribe, delete or update your subscription to the OCR Security Listserv
References
HealthIT.gov. (2016). What is encryption? Retrieved from https://www.healthit.gov/providers-professionals/2-install-and-enable-encryption
Lux Scientiae, Inc. (2016). Jump/thumb drives and PHI don’t mix. Retrieved from https://luxsci.com/blog/jumpthumb-drives-and-phi-dont-mix.html
You have questions or comments? Contact me at sacessocialmedia@gmail.com
Panos Markopoulos
SACES social media co-chair
SACES Technology Interest Network
Doctoral Candidate
The University of New Orleans
Counselor Education program
E-mail: pmarkopo@uno.edu
Amended by Webmaster, 2023