The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/657874
Another administrative safeguard instructs organizations to have a defined procedure for terminating access to ePHI when employment ends. This safeguard is listed as "addressable" rather than "required," meaning the covered entity or business associate must assess whether the specification is reasonable and appropriate for the organization to implement. With law firms, this will almost always be appropriate. For mobile device policies, there are several ways to handle this safeguard.

» Firms that use containerized solutions can wipe firm data from the device, leaving personal data in place.
» Another option is to have a policy requiring employees using personal mobile devices to consent upfront to a device wipe upon leaving the firm.

When evaluating individual mobile device apps, find out whether data accessed within the app is stored on the device and, if so, whether that data can still be accessed once credentials have been revoked. Pay close attention to apps and browser-based products that allow sharing and transferring of documents to people both inside and outside the firm. Also beware of the cloud backup services associated with the various mobile device brands. These should be disabled, since firms do not want their data replicating to services outside their control or being restored to devices following a device wipe.

Technical Safeguards

The encryption standards outlined in the HIPAA technical safeguards are specified as addressable; if firms deem encrypting data not reasonable or appropriate, they must document why and implement an equivalent alternative measure. Setting up encryption for mobile devices and apps is relatively simple, since management software, from Microsoft's ActiveSync to more granular third-party products, can specify that device enrollment is contingent upon device encryption being enabled and complex passwords being set.
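The enrollment gate described above (encryption on, complex passcode enforced, vendor cloud backup off) can be expressed as a small policy evaluator. The following is an added example written for this page, not code from the article or from any MDM product; the posture field names and the threshold values are constructed assumptions, and the check deliberately inspects the passcode policy the device reports as enforced rather than any actual passcode.

```python
"""Enrollment gate for mobile devices that will touch ePHI (added example).

Assumes a device posture report of the kind an MDM product exposes at
enrollment and at each check-in. Field names are constructed for this
example and are not any vendor's real schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DevicePosture:
    device_id: str
    encryption_enabled: bool          # full-device storage encryption
    passcode_min_length: int          # minimum length the device enforces
    passcode_alphanumeric: bool       # device requires letters and digits
    cloud_backup_enabled: bool        # brand-provided backup service active


@dataclass
class EnrollmentPolicy:
    """Constructed thresholds; a firm sets its own from its risk assessment."""
    require_encryption: bool = True
    min_passcode_length: int = 8
    require_alphanumeric: bool = True
    forbid_cloud_backup: bool = True


def evaluate_enrollment(
    posture: DevicePosture, policy: Optional[EnrollmentPolicy] = None
) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means compliant.

    Every failing rule is reported, so the user or administrator sees the
    complete list of fixes needed rather than one at a time.
    """
    policy = policy or EnrollmentPolicy()
    reasons: List[str] = []

    if policy.require_encryption and not posture.encryption_enabled:
        reasons.append("device storage encryption is not enabled")
    if posture.passcode_min_length < policy.min_passcode_length:
        reasons.append(
            f"enforced passcode length {posture.passcode_min_length} is below "
            f"the required {policy.min_passcode_length}"
        )
    if policy.require_alphanumeric and not posture.passcode_alphanumeric:
        reasons.append("device does not enforce an alphanumeric passcode")
    if policy.forbid_cloud_backup and posture.cloud_backup_enabled:
        reasons.append("vendor cloud backup is enabled; firm data could replicate off-site")

    return (not reasons, reasons)


def recheck_fleet(postures: List[DevicePosture]) -> List[str]:
    """Re-run the gate on check-in and list devices that have drifted out of policy."""
    return [p.device_id for p in postures if not evaluate_enrollment(p)[0]]


# Constructed sample postures: one compliant, one with several problems.
COMPLIANT = DevicePosture("dev-0001", True, 10, True, False)
DRIFTED = DevicePosture("dev-0002", False, 4, False, True)


if __name__ == "__main__":
    for p in (COMPLIANT, DRIFTED):
        ok, why = evaluate_enrollment(p)
        print(p.device_id, "ALLOW" if ok else "DENY", "; ".join(why))
    print("out of policy:", recheck_fleet([COMPLIANT, DRIFTED]))
```

Running the gate again at every check-in, not only at enrollment, is what turns a one-time condition into a control: a user who later turns the brand backup service back on is caught by recheck_fleet and can be blocked until the device is back in policy.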
The more elusive goal is ensuring that transmitted data are encrypted. When an email message is sent from a mobile device, the message may be encrypted between the device and the firm's email server; but, unless the firm has other products or features in place, the message is not encrypted once it exits the firm's server. Health care clients should be reminded never to send ePHI either in the body of an unencrypted email message or as an unencrypted attachment.

One of the safeguards that falls across all three categories is the need for a clearance process — unique user access authorization, control and validation for access to ePHI. This safeguard restricts access to ePHI to the fewest number of people needing it to perform the service. Each user must have his or her own account and authentication to access it, with automatic logoffs for session termination and inactivity timeouts. Based upon its risk assessment, each firm can determine the period of inactivity that will trigger the timeout. Short inactivity timeouts might not be popular, so they can be implemented only for those who have access to ePHI.

Review and Protect

There are many mobile device apps that allow access to firm data. Some DMS products have apps or browser-based methods for accessing documents; litigation support products often have browser-based methods or apps for document review or transcript management. As before, strong passwords and timeouts should be in place to prevent unauthorized access, and apps should be evaluated to determine whether any data viewed within the app or browser are retained on the device, even if only temporarily.

HIPAA and Mobile Devices (Features)

Rebecca Sattin joined World Software Corporation in August of 2015 as CIO. She was formerly at Mitchell Silberberg & Knupp LLP for 18 years, where she was the director of information technology. She has more than 20 years of experience in the area of law firm technology. Contact Rebecca at rsattin@worldox.com.
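The clearance-process paragraph above calls for per-user sessions with an inactivity timeout that can be set shorter only for users who access ePHI, plus automatic logoff. The following is an added example, written for this page and not taken from the article or any product, showing how a session store applies a role-specific idle limit together with an absolute session lifetime; the timeout values, role names and the absolute limit are constructed assumptions, not figures the article gives.

```python
"""Role-keyed inactivity timeout with automatic logoff (added example).

The clock is passed in as a number of seconds so the behaviour is
deterministic and testable; in a real service you would pass time.time().
"""
from dataclasses import dataclass
from typing import Dict

# Constructed limits in seconds. Only the ePHI role gets the short idle limit,
# so the unpopular setting is confined to the people who actually need it.
INACTIVITY_LIMITS: Dict[str, int] = {"ephi": 5 * 60, "standard": 30 * 60}
ABSOLUTE_LIMIT = 8 * 60 * 60  # assumed hard session lifetime, forcing re-authentication


@dataclass
class Session:
    user: str
    role: str
    started_at: float
    last_activity: float
    terminated: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, role: str, now: float) -> None:
        # One account per user: a fresh login replaces any earlier session.
        self._sessions[user] = Session(user, role, now, now)

    @staticmethod
    def _idle_limit(role: str) -> int:
        return INACTIVITY_LIMITS.get(role, INACTIVITY_LIMITS["standard"])

    def check(self, user: str, now: float) -> str:
        """Return 'active', 'idle-timeout', 'absolute-timeout' or 'none'.

        Expired sessions are marked terminated on first observation, so a
        later request cannot revive them by arriving with a newer timestamp.
        """
        s = self._sessions.get(user)
        if s is None or s.terminated:
            return "none"
        if now - s.started_at >= ABSOLUTE_LIMIT:
            s.terminated = True
            return "absolute-timeout"
        if now - s.last_activity >= self._idle_limit(s.role):
            s.terminated = True
            return "idle-timeout"
        return "active"

    def touch(self, user: str, now: float) -> bool:
        """Record activity for a request; False means the request must be refused."""
        if self.check(user, now) != "active":
            return False
        self._sessions[user].last_activity = now
        return True

    def terminate(self, user: str) -> None:
        """Access revocation, e.g. the employment-termination procedure."""
        s = self._sessions.get(user)
        if s is not None:
            s.terminated = True


def walk_through() -> Dict[str, str]:
    """Drive two constructed users through the same timeline and report states."""
    store = SessionStore()
    store.login("paralegal", "ephi", now=0)
    store.login("marketing", "standard", now=0)
    store.touch("paralegal", now=200)
    store.touch("marketing", now=200)
    # 400 seconds of silence: 600 - 200 exceeds the 300 s ePHI idle limit
    # but not the 1800 s standard limit.
    return {
        "paralegal@600": store.check("paralegal", now=600),
        "marketing@600": store.check("marketing", now=600),
        "paralegal@700": store.check("paralegal", now=700),
    }


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(k, v)
```

Marking the session terminated when the timeout is first observed matters: the check is not a pure function of timestamps, and an expired session stays expired even if a later request carries activity that would otherwise fall inside the window.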
When acting as a business associate to a covered entity, the best way to prevent compliance issues is not to transmit or store any of the client's PHI on your system. If only this were always possible! Since it is not, firms must enact and enforce policies that extend their security and access control from their internal systems to mobile devices. Understanding the way mobile applications store and transmit data and their behavior when access is revoked is critical when evaluating new apps or browser-based products accessible from mobile devices.