Managing HIPAA compliance can be a daunting task. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations, and the vendors that service them, to have safeguards in place to secure protected health information (PHI). Some aspects of HIPAA compliance are routinely overlooked, and new technology makes the law harder to apply. Apps are increasingly used on both professional and personal devices, with 81% of people in the United States using smartphones. The widespread adoption of smartphones has privacy implications that most people fail to understand. Covered entities (CEs) using smartphones must be diligent in their efforts to protect patient privacy, both by choosing apps that can be used in a HIPAA compliant manner and by controlling what the apps already on the device are allowed to do.
Apps with Microphone Access
It is striking how many apps ask for permission to access a smartphone's microphone. The majority of users approve microphone access without a second thought, and few realize what the permission allows.
Allowing an app to access a phone's microphone allows the app to capture audio, including conversations held near the phone. Some apps genuinely need this function to work (voice calls, dictation, video conferencing); for everything else, users should deny the request and limit microphone access to trusted apps. Covered entities must be particularly cautious when granting apps access to their phone's microphone.
Because an app with microphone access may be able to record whenever the permission allows, CEs should either revoke microphone access for apps that do not need it, or power off the phone while meeting with patients. Both iOS and Android let the user review and revoke microphone permission per app in Settings, and current versions display an on-screen indicator while the microphone is in use; that indicator is worth checking before a conversation involving PHI begins. When discussing PHI, covered entities should ensure that no app on their smartphone can overhear the sensitive information.
HIPAA Compliant Apps
Apps can, however, be built and operated in a way that supports HIPAA compliance. Such an app must have safeguards in place to secure PHI. For an app to be used in a HIPAA compliant manner, it must implement access controls. Access controls start with unique user credentials for every person, not shared logins, so the organization can restrict which users may see which information. They also let the organization track which users accessed what, and when, so that if an employee-related breach occurs, the audit trail shows who was responsible.
Encryption should also be implemented to prevent unauthorized access to PHI. Encrypting PHI at rest limits the risk of exposure if a device is lost or stolen, and encrypting it in transit protects it between the device and the vendor's servers. The app must also log users off automatically after a period of inactivity, so that an unattended, lost, or stolen device that was left unlocked does not expose an open PHI session.
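The following is an added illustration, not code from the original article or from any particular app, of how the access-control and automatic-logoff safeguards described above fit together in an app's session layer: every user has a unique identity, each PHI access is checked against an explicit policy, every access (allowed, denied, or timed out) is written to an audit trail, and an idle session is dropped automatically. The class and function names, the role names, the care-team policy, and the 300-second idle limit are all assumptions chosen for the example. Encryption of the stored records is deliberately left to the platform keystore or a vetted cryptographic library rather than shown here.

```python
"""Illustrative PHI session manager: unique user IDs, policy-checked access,
an audit trail, and automatic logoff after inactivity. Added example; the
names, roles, policy, and timeout are assumptions, not any real app's code."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 300  # assumption: automatic logoff after 5 idle minutes


class SessionExpired(Exception):
    """Raised when the caller's session is missing or has timed out."""


@dataclass
class AuditEvent:
    timestamp: float
    user_id: str
    action: str               # "login", "logout", "view", "denied", "timeout"
    record_id: Optional[str]  # None for session-level events
    outcome: str


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class PhiSessionManager:
    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock                 # injectable so timeouts can be tested
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}   # opaque token -> Session
        self.audit_log: List[AuditEvent] = []

    def _audit(self, user_id: str, action: str,
               record_id: Optional[str], outcome: str) -> None:
        self.audit_log.append(AuditEvent(self._clock(), user_id, action,
                                         record_id, outcome))

    def login(self, user_id: str, role: str) -> str:
        # One identity per person; the token is unguessable and never reused.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, role, self._clock())
        self._audit(user_id, "login", None, "ok")
        return token

    def logout(self, token: str) -> None:
        session = self._sessions.pop(token, None)
        if session is not None:
            self._audit(session.user_id, "logout", None, "ok")

    def active_sessions(self) -> int:
        return len(self._sessions)

    def _resolve(self, token: str) -> Session:
        """Return the live session for a token, enforcing the idle timeout."""
        session = self._sessions.get(token)
        if session is None:
            raise SessionExpired("no such session; log in again")
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            # Automatic logoff: discard the session and record why.
            del self._sessions[token]
            self._audit(session.user_id, "timeout", None, "idle timeout")
            raise SessionExpired("session timed out; log in again")
        session.last_activity = now
        return session

    def _allowed(self, session: Session, record: dict) -> bool:
        # Assumed policy: members of the patient's care team may view the
        # record; a privacy officer may view any record for investigations.
        return (session.user_id in record["care_team"]
                or session.role == "privacy_officer")

    def view_record(self, token: str, record_id: str,
                    records: Dict[str, dict]) -> dict:
        session = self._resolve(token)
        record = records.get(record_id)
        # A missing record is reported like a denial so callers cannot probe
        # which patient identifiers exist.
        if record is None or not self._allowed(session, record):
            self._audit(session.user_id, "denied", record_id, "not authorized")
            raise PermissionError(f"{session.user_id} may not view {record_id}")
        self._audit(session.user_id, "view", record_id, "ok")
        return record


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    records = {"pt-001": {"care_team": {"dr_smith"}, "notes": "follow-up in 2 weeks"}}
    mgr = PhiSessionManager()
    tok = mgr.login("dr_smith", "clinician")
    print(mgr.view_record(tok, "pt-001", records)["notes"])
    for event in mgr.audit_log:
        print(event)
```

The audit log records the denial and the timeout as first-class events, not just successful views; an investigator reconstructing an incident needs the failed attempts as much as the successes. In a real deployment the log would be appended to tamper-evident storage outside the app's own data store, and the token would be bound to the device session rather than held in a plain dictionary.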
An app with these features can be used in a HIPAA compliant manner. However, before an organization uses the app to store, maintain, or transmit PHI, it must first have a signed business associate agreement (BAA) with the app's vendor, since a vendor that handles PHI on the organization's behalf is a business associate. Without a signed BAA, the app cannot be used in conjunction with PHI, regardless of its technical safeguards.
When installing apps on a smartphone, covered entities should be wary of apps that request microphone access. If apps with microphone access are already installed, then before treating a patient or discussing PHI they must either revoke that access or turn the phone off.