For all the complexity of HIPAA, the greatest provider liability often arises from easily correctable security lapses, such as the failure to password-protect a physician's BlackBerry. The failure of physicians to password-protect PDAs used to store or transmit patient information is a glaring HIPAA violation, but, lamentably, one that still frequently occurs.
HIPAA Security Rule requirements for protected health information in electronic format (ePHI) apply not only to computers in the office, but also to personal laptops, home-based personal computers, PDAs and smart phones.
Remote access and use of ePHI should be strictly limited to legitimate business or medical purposes, and procedures should be put in place to mitigate identified risks. For example, to mitigate the risk of unauthorized access via portable devices, which are highly susceptible to theft due to their size, two-factor authentication is an advisable condition of access. To mitigate the risk of unauthorized viewing of what appears on the screen of a physician’s home desktop computer, which is susceptible to being viewed by other residents or visitors to the physician’s home, a session time-out should be set.