The proliferation of smartphones, tablets, and other ultraportable digital devices is, from a data security perspective, a bad thing. It will inevitably lead to leaks and breaches of data, assuming proper BYOD security is not used — and, in some cases, even if it is used.
One question that the American Medical News is asking is “should doctors stop patients from taking smartphone pictures?” This does not imply, by the way, that taking pictures using something other than a smartphone is OK (for example, tablets and plain phones also have cameras, and cameras, of course, take pictures).
Not HIPAA Violation: Patients Breaching Privacy
As the article points out, a ban on patients taking pictures is a tricky thing:
If picture-taking is left unfettered, patients could feel violated and sense that a practice doesn’t take patient privacy seriously. On the other hand, if patients want to break out the smartphone for a few shots, is a practice just picking a fight by instituting a no-pictures policy?
Plus, as the article points out, one patient violating another patient’s privacy is…well, it’s not a HIPAA violation. Nor a violation of any state or federal laws; at least, I don’t think there are any. Yet, “ultimately, practices are duty-bound to do all they can to create an environment that respects patients and their privacy” so some kind of arrangement must be reached.
Some highlights of the article:
There is a real risk of pictures of patients being distributed.
The key to creating a “no photo zone” is allowing no exceptions.
There is a risk of a HIPAA violation: pictures could be distributed that show PHI.
Don’t give patients access to your Wi-Fi. If you’re providing it, make sure it’s on a network separate from the one you and your staff use.
Smartphones in the Workplace: Policies Required
When people speak of protecting data in the age of smartphones and tablets, the discussion generally veers towards technological solutions, like mobile antivirus, data compartmentalization, phone tracking, etc.
However, an important component of data security still lies in creating usage policies. This rather quaint and antiquated exercise is imperative because, among other things, it is (or at least, it should be) an analysis of where you need to secure data and why, and how you will achieve it.