6 rules for protecting health information on mobile devices
In addition, payers should "watch the house" by enforcing their own internal policies to protect ePHI:
- Know where ePHI is stored in your organization. Is it housed, for example, in an old database created for a function that's no longer done? Then consider destroying that database securely in keeping with records management requirements.
- Know who has ePHI access in your company, and confirm that access is required in current roles. For example, it's not appropriate for an executive who began her career as a coder to retain a coder's access to the claims system.
- Consider company-issued devices for work-related mobile communications, so that staff do not use their own cell phones or tablets to do business. Although expensive, issuing work-only devices for employees ensures information stays protected. However, be aware that some employees will resist carrying additional devices and prefer to bring their own.
- Track mobile devices through asset management programs. "We can't protect what we don't know about," Paula Ciotti, compliance officer at Anthelio Healthcare Solutions, Inc., in Dallas, said.
- Make technological upgrades, such as anti-virus and patch management, to approved devices.
- Dispose of obsolete devices securely. Wipe hard drives or memory cards to prevent ePHI retrieval by unauthorized people.