Cell Phone and Personal Digital Assistant Security under HIPAA

As I travel around the country giving seminars and consulting, I learn more and more about the HIPAA issues inherent in these devices. For example, another HIPAA consultant who had come to my seminar told me that one of his HIPAA clients had been experiencing difficulties with workforce members printing off pages of their family members’ charts and even their neighbors’ charts without going through the proper procedure to get access. A family member should not be able to get a copy of another family member’s chart just because he or she is an employee or other workforce member. Unless the workforce members have a valid clinical, business, or administrative reason for the access, they must request the access in the same manner as someone who is not a member of the workforce. Of course, some of my HIPAA clients do not permit workforce members to access family members’ charts even for clinical, business, or administrative reasons.

So, the HIPAA client covered entity mentioned above disabled the printing functions. Workforce members who wanted to print out a document from a patient chart then had to get a code from their supervisor to print the document. The consultant said that, to get around this restriction, they would simply pull out their cell phones, take a picture of the screen, and print out the digital image on their home printer. So do we have to ban cell phones now? Some courts do ban cell phones that have a camera function.

HIPAA does not ban (or even mention) these devices. As with other portable devices, HIPAA merely requires covered entities to perform a risk analysis of the device and implement reasonable and appropriate security measures. One can hardly imagine functioning without these devices. They certainly provide many productivity benefits. But they also certainly pose many risks besides the camera function, such as the following:

  • Because of their small size, they are easy to lose or have stolen.
  • Unauthorized people can more easily access data on such devices than on a larger device with more sophisticated security.
  • Electronic eavesdropping on phone calls and other wirelessly transmitted information is possible.
  • Tracking technology permits others to track and monitor the whereabouts of cell phone users.
  • These devices are vulnerable to malware and spam.

The National Institute of Standards and Technology, U.S. Department of Commerce Special Publication 800-124, “Guidelines on Cell Phone and PDA Security: Recommendations of the National Institute of Standards and Technology” (October 2008), provides excellent guidance on security for such devices that is consistent with what HIPAA requires. It breaks its guidance into four categories:

  • Organizations should plan and address the security aspects of organization-issued cell phones and PDAs.
  • Organizations should employ appropriate security management practices and controls over handheld devices.
  • Organizations should ensure that handheld devices are deployed, configured, and managed to meet the organization’s security requirements and objectives.
  • Organizations should ensure an ongoing process of maintaining the security of handheld devices throughout their lifecycle.

As for compatibility with HIPAA, the NIST guidance calls for the following, each of which corresponds to Security Rule standards and implementation specifications:

  • Mobile handheld policy.
  • Risk assessment and management.
  • Security awareness and training.
  • Technical security.
  • Security testing.
  • Evaluation (auditing).

Go to http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf for the complete report. When our Premium Member Section launches on this website in the near future, join and check for forthcoming sample Cell Phone and PDA policies.

On July 7th, 2011, posted in: HIPAA Compliance Blog by