WELCOME TO SOUTHERN ASSOCIATION FOR COUNSELOR EDUCATION AND SUPERVISION

Technology and HIPAA Privacy Devices & Software

  • February 21, 2017 11:18 PM
    Message # 4622575

    Many SACES members contacted us requesting more in-depth information on why encryption is necessary for confidentiality, safety, and more, following a previous topic in which we discussed HIPAA-compliant external hard drives and flash drives. We heard you, and in the following lines we offer answers to your questions.

    Before we begin, here are some important things that every counselor educator, counseling professional, and counselor-in-training should know regarding the American Counseling Association Code of Ethics, Section H (Distance Counseling, Technology, & Social Media), page 17: https://www.counseling.org/resources/aca-code-of-ethics.pdf

    • H.1.a. (Knowledge and Competency)

        Counselors who engage in the use of distance counseling, technology, and/or social media develop knowledge and skills regarding related technical, ethical, and legal considerations (e.g. special certifications, additional course work).

    • H.2.a. (Informed Consent and Disclosure)

        Clients have the freedom to choose whether to use distance counseling, social media, and/or technology within the counseling process.

    • H.2.b. (Confidentiality Maintained by the Counselor)

        Counselors acknowledge the limitations of maintaining the confidentiality of electronic records and transmissions. They inform clients that individuals might have authorized access to such records or transmissions.

    • H.2.d. (Security)

       Counselors use current encryption standards within websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic media.

    • H.3. (Client Verification)

        Counselors who engage in the use of distance counseling, technology, and/or social media to interact with clients take steps to verify the client’s identity at the beginning and throughout the therapeutic process.

    • H.4.a. (Benefits and Limitations)

    Counselors inform clients of the benefits and limitations of using technology applications in the provision of counseling services. Such technologies include, but are not limited to, computer hardware and/or software, telephones and applications, social media and Internet-based applications and other audio and/or video communication, or data storage devices or media.

    • H.4.b. (Professional Boundaries in Distance Counseling)

    Counselors understand the necessity of maintaining a professional relationship with their clients. Counselors discuss and establish professional boundaries with clients regarding the appropriate use and/or application of technology and the limitations of its use within the counseling relationship (e.g., lack of confidentiality, times when not appropriate to use).

    • H.5. (Records and Web Maintenance)

    • H.6. (Social Media)

    What is Encryption?

    According to HealthIt (2017), “Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users.”

    What Should I Look for Before Buying a HIPAA-Compliant Encrypted Flash Drive?

    Follow these guidelines when you are looking for encrypted Protected Health Information (PHI) storage (source: Lux Scientiae, Inc., 2016):

    Why store PHI / Patient Data on a USB Flash Drive?

    In organizations where use of USB drives and other portable media for patient data is not explicitly forbidden (as it should be), practitioners are left to their own devices and seek solutions to make their work as efficient as possible.  USB drives are extremely cheap, extremely portable, and extremely easy to use.  Practitioners commonly use them to:

    • Transport patient data from their office to/from the locations where they are meeting with their patients
    • Transport patient data to/from home for storage and/or analysis
    • Store permanent or temporary records for specific patients
    • Make backup copies of patient data

    So, What’s Wrong With That?

    While USB Drives make things quick and easy, there are a few significant issues that warrant their complete non-use in a health care environment (at least for PHI).

    • Loss.  Once you start carrying around these small drives, it becomes excessively easy to lose or misplace one.  You could take it home by accident, lose your purse or bag which contains a drive, leave it on a shelf where anyone could pick it up, etc.
    • HIPAA Security Rule.  PHI stored on a USB Drive is “ePHI” (electronic Protected Health Information) and automatically subject to a slew of requirements in terms of storage, transport, and destruction of that data.  Most of these requirements are unknown to or not met by the casual healthcare practitioner … leaving them automatically out of compliance.

    Loss = Breach

    A lost or stolen USB drive with ePHI on it is an automatic HIPAA breach, which can and will subject your organization to fines, negative publicity, and possibly criminal charges if willful negligence of HIPAA is determined.

    This is not a joke — companies are already being fined millions of dollars for breaches involving even just one lost or stolen hard drive.  It is so much easier to lose a USB drive than to have a regular-sized portable hard drive stolen from a car.

    HIPAA requires all breaches to be reported, all affected patients to be notified, and the media to be notified (if the breach is large enough).  Failure to report a breach would be even worse — should the breach be discovered later — as that would be “willful negligence” and you would not want to have that laid on you (see HIPAA penalties).


    The “Onerous” HIPAA Security Rule

    Ok – so you will be very careful so your Jump Drive is not lost or stolen? Then HIPAA says that you must be sure to:

    1. Follow all the normal rules required by HIPAA for PHI in general. See our Compliance Checklist.

    2. Ensure that the PHI on your USB drive can only be accessed via username and password and that that access is logged. (This is not normal and requires extra software or special hardware.)

    3. The data on the USB Flash Drive should be encrypted.  See for example: GoldKey.

    4. Log the movements of your USB Drive — i.e. you must keep a written record of everywhere it is moved to (this is best not done in a little notebook kept with the drive…).

    5. When you are done with the USB Drive, you must dispose of it in a way that prevents any data from being recovered from it by a third party (that doesn’t mean just simply breaking it or dipping it in liquid… see How–and Why–to Destroy Old Flash Drives).

    6. Ensure that ALL computers that you use to access the USB drive meet HIPAA requirements for Workstation Use themselves (e.g. software running, virus checkers, access controls, logging, etc.).

    7. A careful reading of the HIPAA Security Rule will reveal finer nuances as well.

    So, while use of a Thumb Drive is possible in a healthcare setting, such use requires a lot of planning, special software, drives with built in encryption, and careful tracking and logging.  Even with all that, if the drive gets lost it can still be a breach, even if the data on it is encrypted (though that will help mitigate how much trouble you are in).


    Alternatives to USB Drives?

    Ok – so you are ready to kick the portable drive habit.  What you use instead really depends on what you are trying to accomplish, exactly, with the Flash Drives.  In any and all cases, you should start with:

    • Getting HIPAA Compliance going in general: Checklist
    • Ensuring that all computers used for PHI are up to HIPAA standards

    Then, you need to have a way to communicate your files between these computers in a compliant way without carrying them with you.  There are many ways to do this.

    • Online File Storage: Use an outsourced, online file storage system that is HIPAA compliant (such as LuxSci WebAide Documents). Note that services like Google Docs and Dropbox are NOT HIPAA compliant and should never be used for this kind of thing.
    • Email: Keep the files in email archives and folders with a HIPAA compliant provider.
    • EMR: Purchase and use a specialized EMR/PM system (electronic medical record/practice management) to track patient data and more.
    • Local File Storage: Use a server in your own office network for custom secure file storage. Unlike with outsourced services, you have much more responsibility to ensure that the servers and access are up to snuff for HIPAA.  So, this option is recommended only for organizations with “advanced IT skills” and the time and money to implement.

    The first two options – outsourced email or file storage – are the least expensive and involve perhaps the least HIPAA knowledge and risk on your part.  An EMR is useful if you have more general needs and can afford such a system … though you can get many aspects of an EMR through use of outsourced email, file storage, and collaboration software (such as that provided by LuxSci).  Local File Storage requires the most knowledge and risk and a fair amount of cost, but it can grant the most flexibility if your requirements are specialized.

    HIPAA Technology & Software

    Certified Health IT Product List: http://oncchpl.force.com/ehrcert

    Practice Management Software

    • EMR/EHR (comprehensive service for all aspects of practice). Examples: MyClientsPlus; Simple Practice
    • Scheduling: Jituzu; YellowSchedule

    List of reviews of software programs: http://www.capterra.com/mental-health-software/

    Cell Phones

    Remotely lock your cell phone or erase data from your cell phone:

    a. Android device: http://trendblog.net/how-to-remotely-erase-all-data-on-your-android-phone/
    b. iPhone device: https://support.apple.com/kb/PH2701?locale=en_US

    Gatekeeper Wireless Bluetooth Computer Lock

    http://www.amazon.com/GateKeeper-Wireless-Bluetooth-Lock-Black/dp/B016N9UVW8/ref=sr_1_2?ie=UTF8&qid=1459653338&sr=8-2&keywords=gatekeeper+wireless+bluetooth+computer+lock

    Cloud Storage

    Example: http://www.carecloud.com/hipaa-compliant-cloud-storage/

    HIPAA E-mail companies:

    • 4securemail
    • HealthBI
    • Hushmail – offers free accounts
    • Neomailbox
    • Luxsci
    • SendInc – offers free accounts

    More information at: http://telehealth.org/blog/hipaa-compliant-email-companies/


    Technology Resources focused on HIPAA Privacy

    • Healthit.gov (HIPAA and Health IT): https://www.healthit.gov/policy-researchers-implementers/hipaa-and-health-it
    • U.S. Department of Health & Human Services, Health Information Technology: http://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/index.html


    Listservs specifically focused on HIPAA privacy and security

    Sign Up for the OCR Privacy & Security Listserv (http://www.hhs.gov/hipaa/for-professionals/list-serve/index.html)

    Want to learn more about the HIPAA Privacy & Security Rules?

    OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!

    These are announcement only listservs, so we will be unable to distribute or directly respond to any feedback you provide.


    Privacy Listserv

    Visit the OCR-PRIVACY-LIST for a summary of archived announcements

    -OR-

    Subscribe, delete or update your subscription to the OCR Privacy Listserv

    Security Listserv

    Visit the OCR-SECURITY-LIST for a summary of archived announcements

    -OR-

    Subscribe, delete or update your subscription to the OCR Security Listserv


    References

    Healthit.gov. (2016). What is encryption? Retrieved from https://www.healthit.gov/providers-professionals/2-install-and-enable-encryption

    Lux Scientiae, Inc. (2016). Jump/thumb drives and PHI don’t mix. Retrieved from https://luxsci.com/blog/jumpthumb-drives-and-phi-dont-mix.html


    Do you have questions or comments? Contact me at sacessocialmedia@gmail.com


    Panos Markopoulos

    SACES social media co-chair

    SACES Technology Interest Network

    Doctoral Candidate

    The University of New Orleans

    Counselor Education program

    E-mail: pmarkopo@uno.edu
