I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we have not assessed the risk it poses. For example, is using iPads or email creating an intolerable risk? If so, what safeguards can you put in place to reduce those risks to a reasonable and appropriate level? If your risks are at a reasonable and appropriate level while using iPads, email and texts along with those safeguards, then yes, they are HIPAA compliant.
Let’s provide an example.
A hospital uses iPads in the ER and in remote clinics. Physicians and nurses use them to review patient charts and graphical images, such as MRIs, ultrasounds and X-rays. Are the iPads compliant?
The answer needs to come from the risk assessment. We addressed the need for risk assessments in a previous blog posting. The question about compliance must be asked using the following grammar:
- For this information asset …
- … what effective controls do we have in place?
- If those controls are not complete, we have vulnerabilities.
- What threats could take advantage of those vulnerabilities enough to compromise the confidentiality, integrity or availability of the asset …
- … and what would be the impact to our mission if it did …
- … and how likely is it that the threat would create that impact?
Then to determine the appropriate safeguard for a risk, ask the following:
- If that creates a risk that is not reasonable or appropriate, what safeguard can I put in place?
- What are the vulnerabilities, threats, impacts and likelihoods with the proposed safeguard?
- Is the cost for this safeguard appropriate to protect against the risk impact?
- Does this safeguard bring my risks to a reasonable and appropriate level?
- If so, then I am proposing a reasonable and appropriate control.
So let’s try that out with the iPad example.
For the iPads that physicians use between clinics, are strong access controls and encryption in place? If encryption is in place but passcodes are not, then what are the threats? An unapproved person who finds or steals the iPad will have unauthorized access to Protected Health Information (PHI). The hospital will then need to protect the affected patients with costly services, pay fines, and pay for forensic and investigation services. We lose two iPads per year and they may contain up to 200 patient records per device, so the risk is moderate to high. We cannot accept that risk.
So what if we put passcodes on iPads? The physicians have said they hate using passcodes because they slow access to information at sometimes critical moments. One of the hospital’s missions is to provide care to patients, and there would be an absolute impact to patient care if the physicians cannot access patient data on a timely basis in a few circumstances. Because physicians will rely on a physician’s assistant (PA) or nurse to type the passcode in for them when their hands are involved in providing care to the patient, all secrecy of the passcode is gone. As well, passcodes will have to be simple because the on-screen keyboard does not make for easy entry of complex passcodes, so the risk of an unauthorized person getting access to the PHI on a stolen iPad is not completely removed. So what to do? Can we make iPads safe for PHI?
Well, an easy-to-guess password is never good, but even a simple passphrase that is not a dictionary word or a name may be good enough to delay an unauthorized person’s access to PHI. Meanwhile, IT can remotely wipe the iPad’s memory if it is reported stolen. That certainly reduces the likelihood of the risk. If patient records can be limited to twenty per iPad at any time (which may be tolerable to this practice), then that would reduce the impact of a stolen device as well. In fact, the impact and likelihood may be low enough to be reasonable and appropriate.
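To make the risk grammar above concrete, here is an added example (not from the original post) that models the iPad scenario as expected patient records exposed per year, first without safeguards and then with the passcode, remote wipe and twenty-record cap. The post only gives the loss rate (two iPads per year) and the records per device (200); the likelihood factors for each safeguard, the tolerance threshold, the rating bands, the safeguard costs and the per-record breach cost are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Threat:
    """One line of the risk grammar: a threat that can compromise an asset."""
    name: str
    events_per_year: float    # how often the threat is realised (likelihood)
    p_compromise: float       # chance a realised event actually exposes PHI
    records_per_device: int   # impact when it does


@dataclass
class Safeguard:
    """A proposed control; it may lower likelihood, cap impact, or both."""
    name: str
    likelihood_factor: float = 1.0      # multiplies p_compromise (1.0 = no effect)
    impact_cap: Optional[int] = None    # caps records exposed per device
    annual_cost: float = 0.0


def expected_records_exposed(threat: Threat, safeguards: Sequence[Safeguard] = ()) -> float:
    """Likelihood x impact, after applying each safeguard's effect."""
    p, impact = threat.p_compromise, threat.records_per_device
    for s in safeguards:
        p *= s.likelihood_factor
        if s.impact_cap is not None:
            impact = min(impact, s.impact_cap)
    return threat.events_per_year * p * impact


def rate(expected: float) -> str:
    # Assumed bands; the post only says the unmitigated risk is "moderate to high".
    return "high" if expected >= 200 else "moderate" if expected >= 50 else "low"


def assess(threat: Threat, safeguards: Sequence[Safeguard], tolerance: float, cost_per_record: float) -> dict:
    """Walk the post's safeguard questions: residual risk, cost appropriateness, verdict."""
    baseline = expected_records_exposed(threat)
    residual = expected_records_exposed(threat, safeguards)
    cost = sum(s.annual_cost for s in safeguards)
    avoided_loss = (baseline - residual) * cost_per_record
    return {"baseline": baseline, "residual": residual, "rating": rate(residual),
            "cost_appropriate": cost <= avoided_loss,
            "reasonable_and_appropriate": residual <= tolerance and cost <= avoided_loss}


# The post's scenario: two iPads lost per year, up to 200 records each, no passcode.
LOST_IPAD = Threat("lost or stolen iPad", events_per_year=2, p_compromise=1.0, records_per_device=200)
IPAD_SAFEGUARDS = [  # effect sizes and costs are assumptions, not figures from the post
    Safeguard("simple non-dictionary passcode", likelihood_factor=0.5),
    Safeguard("remote wipe on report of theft", likelihood_factor=0.2, annual_cost=5000.0),
    Safeguard("cap of 20 records per device", impact_cap=20),
]
```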
So when the question comes up, “Are iPads HIPAA compliant?” or email, or texts, remember that the question can only be answered by analyzing the risk in your risk assessment, and determining whether a safeguard can bring the risk down to a reasonable and appropriate level.