You’ve made the decision to ditch your digital recorder. Before you download an app to replace it from the Apple iTunes Store, it’s worthwhile to take a moment to carefully consider the HIPAA security standards. Remember, the HIPAA Security Rule applies to any device (computer, tablet, or mobile phone) that stores or handles patient records.
Here are 5 key security considerations drawn from HIPAA’s Security Rule (the Privacy Rule governs who may see and use patient information; the Security Rule’s safeguards are what an app has to implement). Make sure whatever solution you choose addresses all of them.
1. Independent Password Protection
Your patients’ records must be password protected. This password is IN ADDITION to any password you may have set up to access your personal device. If the app doesn’t require a password that is independent of your device’s own, STOP.
This may sound obvious, but the vast majority of available digital recording devices and apps were built for recording classroom lectures and concerts, not for securely handling patient records. HIPAA treats the recording app the same way it treats the EHR running on the computer in your office: it is not sufficient to rely on your computer login to secure patient data; you have to log into the EHR, or the dictation app, separately. Even a biometric fingerprint passcode on your phone’s lock screen is not enough on its own. The device or app that holds your dictations and patient records must have its own independent password control, and that password should actually protect the stored data (for example, by unlocking the key that encrypts it) rather than merely hiding a screen.
2. Encrypted Local Storage
All patients’ records on a recording device (dictation, photos, media or reports) must be encrypted at rest. HIPAA’s Security Rule does not name an algorithm; encryption is an “addressable” safeguard, and HHS guidance points to NIST-approved methods. AES-256, which this checklist uses as its bar, comfortably meets that; AES-128 is also NIST-approved, so an app that uses it is not automatically non-compliant, but an app that stores your dictation or media unencrypted, or with a home-grown or non-standard cipher, does not meet the requirement. Ask the vendor which algorithm and mode are used, where the key is kept, and whether the key is tied to the app password rather than only to the device unlock.
3. Encrypted Transfer
In addition to keeping all patients’ records properly encrypted on your recording device, a HIPAA-compliant app or device must transfer those records only over an encrypted channel, such as HTTPS (TLS). Note that “SSL” is the obsolete predecessor of TLS; a current app should use TLS 1.2 or later and verify the server’s certificate. Standard email and plain “FTP” send data in the clear (SFTP and FTPS are different protocols that add encryption), so any transfer of patient information, records or media by those methods is not HIPAA compliant and therefore unacceptable. The app should upload records to the cloud or to your EHR only over such an encrypted channel. The AES-256 figure from point 2 is a storage measure; for transfer, the check is a current TLS version with certificate validation.
4. Offsite (“Cloud”) Backup
Business continuity and disaster recovery are certainly important in any operation but, surprisingly, they are one of the more commonly overlooked elements of HIPAA’s security requirements. Any device or app should include an integrated failsafe backup to secure offsite storage such as the “cloud.” The backup must be encrypted, just like the local copy, and should a 3rd party hold it, you must have a formal Business Associate (“BA”) Agreement with the vendor where the secure backups are stored. This is where consumer-grade services fall down: a personal Dropbox or Google Docs account used without a BA Agreement does not meet HIPAA’s requirements. Some vendors offer a BA Agreement only on their business tiers; if the vendor will not sign one for the plan you are actually using, you cannot store patient records there.
5. Remote Password Lock
One of the most common ways confidential patient records are exposed is a lost or stolen device. When looking at any patient record solution, it’s critical that you are able to change the app’s password remotely (and, ideally, the device passcode as well) should you no longer have physical possession of the device.
Just like cancelling a credit card, the moment you know the device is out of your control you change the password, and the app becomes inaccessible to whoever has the phone. Changing the device’s lock-screen passcode alone is not sufficient: the application that holds your patients’ records must have its own password that you can change or revoke remotely, and the records must stay encrypted so that the new password actually locks them out. A remote wipe of the app’s data is a useful additional control, and you should ask the vendor how a remote lock reaches a device that is offline.
This may seem like a lot to think about when selecting a device as simple as a digital recorder. The good news is that dedicated apps designed from the start to meet the demanding needs of doctors and hospitals, such as SMARTMD, have done the hard work for you. Check for yourself. If your current solution does not meet all five of these stringent requirements, it may not be HIPAA compliant.