Risk Management for Mobile Devices in Mental Health: Some Basics for Private Practice
If you work in private practice, chances are your personal email and your work email are fairly closely tied together. I’m not sure how it is for you, but in my workweek, people email me all manner of private information, whether or not I want them to. Clients don’t stick to my advice regarding emails, nor do physicians. This has simply become the way of things, placing a greater responsibility on the private practitioner to take reasonable steps to protect this method of communication. So what represents reasonable steps? This used to be a warning in the footer of your message, but I don’t believe this to be sufficient these days. For me, “reasonable” includes every effort that I would want to be able to present to any regulatory board in the very frightening prospect that my work email and/or storage accounts became compromised and a complaint was filed. I would very much want to demonstrate that I had not been negligent, and had made good use of the tools that are available to me. The good news is, those tools are fairly easy to use. Here are some ideas that I have implemented in my own group practice. Feel free to use them as you see fit:
1.) Construct a Formal Policy and Use It.
After I had learned a bit about the privacy rule under HIPAA and how it applies to electronic communication, we established a brief but clear policy in my private practice regarding the use of any electronic device that is portable and connected to cloud-based accounts containing patient data (which can be done, now that Google and Microsoft offer HIPAA-compliant accounts). Our policy covers laptops, tablets, phones and USB drives. The policy outlines the use of security features such as encryption, password protection and security apps such as “Lookout”, which allows the user to locate their phone and erase all of its data remotely if it is lost or stolen. We reviewed this policy with the staff, demonstrated examples, and will re-review this material on a semi-regular basis to help ensure compliance. The policy also describes the procedure for resetting all work-related passwords on cloud accounts if a device is lost.
2.) Learn a Little About Encryption
Does your laptop or tablet have the ability to encrypt the entire hard drive? Do you know how to enable this feature? Have you learned how to encrypt files on a thumb drive? These are the steps that will help you avoid a full-blown panic attack if you are working out of the office and lose a device in a public place. Here are a few examples:
- I switched to a MacBook from a Windows laptop, and the FileVault feature encrypts the entire machine. This simply required me to check a box and set a solid password.
- There is a free piece of software called TrueCrypt, which allows you to create an encrypted file container on a USB drive to safely store data.
- Windows offers encryption software called BitLocker on several of its platforms.
- My Samsung phone and tablet also offer this as a security feature, with a simple checkbox.
- My Google Apps business account offers HIPAA compliant file storage.
Many of us have easy access to these tools, yet have simply not enabled them. I encourage you to spend a little time one evening (or during a cancelled appointment) familiarizing yourself with these settings and writing them into your formal policy. While this will not allow you to start leaving your computer at Starbucks anytime soon, it’s a great step in the right direction.
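A policy is only useful if you can show it is being followed, so a quick way to verify that full-disk encryption is actually turned on is worth having. The script below is an added example, not part of the original post or of any product named here; it checks FileVault status on macOS by reading the output of the built-in `fdesetup status` command, and on Linux it looks for a dm-crypt mapping in `lsblk` output. The sample outputs at the bottom are constructed for offline demonstration, and the `SAMPLE_*` names and the `fde_verdict` wording are this example's own choices. (BitLocker on Windows is checked with `manage-bde -status`, which is not covered by this POSIX script; note also that TrueCrypt's developers ended its development in 2014, so check for a maintained alternative before writing it into a new policy.)

```shell
#!/bin/sh
# Added example: verify that full-disk encryption is enabled on this machine.
# Parsing is separated from the OS calls so the checks can be exercised on
# constructed sample output without touching the real system.

# macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
# Returns 0 (true) only when FileVault is on.
filevault_on_from_status() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Linux: `lsblk -rno NAME,TYPE` prints one "name type" pair per device;
# a TYPE of "crypt" means a dm-crypt (e.g. LUKS) mapping is active.
# Returns 0 (true) when at least one encrypted mapping exists.
luks_on_from_lsblk() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# Turn a parser result into the wording you would record in a policy audit log.
# Usage: fde_verdict <parser-function> <captured-output>
fde_verdict() {
    if "$@"; then
        echo "PASS: full-disk encryption enabled"
    else
        echo "FAIL: full-disk encryption NOT enabled"
    fi
}

# Run the right check for the OS we are on; skip cleanly where no tool exists.
check_this_machine() {
    case "$(uname -s)" in
        Darwin)
            if command -v fdesetup >/dev/null 2>&1; then
                fde_verdict filevault_on_from_status "$(fdesetup status 2>/dev/null)"
            else
                echo "SKIP: fdesetup not found"
            fi ;;
        Linux)
            if command -v lsblk >/dev/null 2>&1; then
                fde_verdict luks_on_from_lsblk "$(lsblk -rno NAME,TYPE 2>/dev/null)"
            else
                echo "SKIP: lsblk not found"
            fi ;;
        *)
            echo "SKIP: unsupported OS $(uname -s)" ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_MAC_ON='FileVault is On.'
SAMPLE_MAC_OFF='FileVault is Off.'
SAMPLE_LSBLK_ENC='sda disk
sda1 part
sda2 part
cryptroot crypt'
SAMPLE_LSBLK_PLAIN='sda disk
sda1 part
sda2 part'

# Demonstrate the parsers on the constructed samples, then check this machine.
echo "sample macOS (on):     $(fde_verdict filevault_on_from_status "$SAMPLE_MAC_ON")"
echo "sample macOS (off):    $(fde_verdict filevault_on_from_status "$SAMPLE_MAC_OFF")"
echo "sample Linux (LUKS):   $(fde_verdict luks_on_from_lsblk "$SAMPLE_LSBLK_ENC")"
echo "sample Linux (plain):  $(fde_verdict luks_on_from_lsblk "$SAMPLE_LSBLK_PLAIN")"
echo "this machine:          $(check_this_machine)"
```

Running the script on each laptop in the practice and keeping its one-line verdict with the date is the kind of record that shows a reviewer the policy in section 1 was checked rather than merely written.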
3.) Practice With Your Location Apps
iPhones come with the ability to be located remotely through an iCloud account. It’s free, and fairly easy to use. If you lose your phone, you can locate it through a web browser and secure it. You can also back up the contents and remotely erase the data on the phone. Android phones can get the same protection through an app called Lookout, which charges a small monthly fee and can be used with multiple devices.
These apps only work if you set them up and know how to use them. If your work email forwards to your phone, you should have this feature enabled and know what to do with it if you lose your device.
4.) Make Sure You are Communicating With the Highest Security Available
You don’t have to be perfect, and you cannot ensure that something unforeseen will never occur. You should, however, make use of what is available to provide “reasonable” protection for your patient data, including detailed referrals. This is one of the primary reasons EarlyByrd was developed. Business-card referrals lead to poor follow-through between medical providers and mental health providers. Public directories and email do not make use of encryption, period. EarlyByrd provides a secure way for colleagues to find you and refer patients in a way that no other solution provides. Whether hospitals use your website widget, a P2P link, or find you in the EarlyByrd Directory, the transmission of the referral will be protected with the most current security protocols available. This allows for the collaboration of a “handoff” referral with a high level of security. The best part is, EarlyByrd is designed so that you can’t “accidentally” breach the security settings. It just works.
We’ll discuss cloud storage and the secure use of Gmail in an upcoming post. For now, I hope this gives you a few things to think about and perhaps implement in your own private practice.
Please feel free to distribute this to your friends and colleagues if you found it useful. If you have other ideas that I did not include, I encourage you to post them in the comments section of this blog post on the EarlyByrd website, under “Community”.