hipaa summit west september 2011 · what employers need to know • know your employees...

Policies to Govern Securing Mobile Technology in Health Care HIPAA Summit West September 2011 Angel Hoffman, RN, MSN


Post on 20-Aug-2020



Policies to Govern Securing Mobile Technology in Health Care

HIPAA Summit West September 2011

Angel Hoffman, RN, MSN


Session Objectives:

Describe the policies needed to address privacy and security concerns for mobile applications

Identify the issues to consider before adopting mobile applications

Identify how the use of mobile applications can contribute to improving quality of care


Wireless Mobile Devices

• Pagers

• Cell Phone

• PDA

• Smartphones

– (iPhone, Blackberry, Android)

• Tablet PCs

• Laptops

• iPad-Android based Tablets

Social Media and Clinicians

• Health care organizations need to establish a road map and complete their strategy, because doctors and other clinicians are also implementing mobile devices to monitor:

– Vital signs and chronic conditions such as high blood pressure and diabetes

– Use of mobile technology in health care for diagnostic testing, ordering medications and prescription refills

• Doctors are adopting smartphones at greater than twice the rate of the general population, and there are over 17,000 health care apps available for smartphones

• Overall, the adoption of mobile technology in health care is growing faster than anyone could anticipate

• The use of this technology (e.g. in hospitals) is having a direct impact on the mobile choices being made by IT departments today


Social Media in Health Care

• Keeping Medical Information Confidential?

• How Does the Industry Protect It?

• What Do We Want As Consumers?

• What If A Patient’s Picture or Medical History Is Posted?

• Compare What Is Posted With the 18 Identifiers?


Privacy and Security Issues

• Breaches and Breach Notification Requirement

• Risk of Exposure To Patient

• Risks to Organization

• Education

• Organizational Policies

• Sanctions

Legal Implications and Risks

• Confidentiality

• Breach of PHI (e.g. Pictures of Patients Without Authorization)

• Loss of Proprietary Information/Trade Secrets


What Employers Need to Know

• Know Your Employees (Generational Differences)

• Attitudes of Work Force (Social Mores)

• Method of Communication (Technology Tool)

• Responsibility to the Public

• Importance of Social Media and Sanctions Policies

• Consequences for Loosely Distributed Policies (Financial and Reputational Loss)

ETHICS

• What can we do?

• Can we control it?

• What does ethics have to do with this?

• Knowing right from wrong!


If Ethics isn’t everywhere…

it’s nowhere!

What does your organization say about Ethics?


Ethics

• Exercising self restraint

• Robert Fulghum – book titled, “All I Really Need to Know I Learned in Kindergarten”

– Share

– Keep your hands to yourself

– Be kind to your neighbor

• Ethics should not be so controversial

• Being kind to others should be as easy as breathing!

Ethics

• Keep professional and social lives separate

• Offline behavior should follow through with online activity

• Do not make derogatory comments about your employer or coworkers; it could result in job loss

• Do not write or provide information that you would not want to defend in court

Ethics

• Need interaction between: Legal, HR, Marketing, Public Relations, Compliance and Ethics and IT

• Keep policy short, but easy to understand

• Set clear expectations for how employees are expected to conduct themselves

• Encourage exercising good judgment

Social Media Strategies

• Culture

• Code of Conduct

• Acceptable and Unacceptable Behavior

• Policies

• Sanctions

Education

• We have a responsibility to educate:

• The public

• Students

• Employees

• Patients


Social Media and Ethics

Technology is Here To Stay So…

• How Do We Deal With It As A Society?

• What Ethical Issues Have Arisen?

• Social Media + Ethics = A Social Dilemma and Need For Balance.


Creating a Policy for Employees

• Write a short and easy to understand policy

• Set clear expectations of how employees should conduct themselves

• Encourage exercising good judgment

• Use of same acceptable behavior whether offline or online

• Keep professional and social relationships separate

• Don’t use social media for personal reasons on work time

Creating a Policy (contd.)

• Policy requires input from: Legal, HR, Marketing, Public Relations, Compliance and Ethics and IT

• Can’t totally ban social media, but need to provide guidance through policy & education

• Your policy can hinder the types of messages and information sharing, if employees know the consequences for exposing private and secure information

Risk & Security Issues

• E-prescribing

• Patient Portals, Including Direct

• Communications with Providers

• Provider Portals

• Alerts to Providers

• Alerts to Patients

• Consultation/Referral Services

• Results Delivery (Tests, Imaging)

Strategies and Solutions:

• Policies

– Expectations and Boundaries for Workforce

– Operational Guidelines for Social Media Workers and Others

• Patient and Provider Portals

• Health Care Consumer Focus

• Encryption

• Cloud Computing

• Software Solutions

• Patient Advocacy

Social Media/Networking Best Practices Checklist

Is your organization taking ownership of what’s happening with social networking?

Is your primary interest how to restrict the use of social media or how to enable it?

Does your organization recognize that social networking is about COMMUNICATION, not the individuals who participate?

Does your organization view social media as a highly effective information gateway?

Have you asked your workforce: how can our organization take advantage of the benefits of social media and avoid the pitfalls?

Checklist (Cont’d)

Does your organization recognize use of social media is a business decision, not a technology decision?

Has your organization developed a business case, supported at the appropriate levels, considering the organization’s Mission/Vision/Values, possible threats, technical capabilities, and potential benefits?

Does IT in your organization understand that the goal should not be to say “No” to social media, but to follow good security guidance, with effective and appropriate information assurance security and privacy controls?


Checklist (Cont’d)

Does your organization have a policy addressing Social Media?

Does the policy reflect the needs of various stakeholders (e.g. patient care, research, education constituents)?

How does the policy support the Mission/Vision/Values of your organization?

How does the policy relationships with business partners and vendors/contractors?

How do you conduct training on the appropriate use of Social Media (at work and off work)?

Are you including the appropriate use of Social Media in Security and Privacy Awareness Training Program?

Checklist (Cont’d)

How will you capture the social media traffic, audit, analyze, and use it for security and privacy investigations, as appropriate?

Have you reviewed Regulatory Notice 10-06 from FINRA to determine its applicability to your organization and how you might use the recommendations to strengthen your Social Media program? (Note: FINRA provides guidance on the responsibilities of companies to supervise the use of social networking sites.)

How does your organization plan to use social media to generate new strategies, engage and learn?

Remember that a good policy is just the start.

Questions?


Angel Hoffman, RN, MSN

Advanced Partners in Health Care Compliance, LLC
