Should Staff Ever Use Personal Devices to Access Patient Data?
Incident at Oklahoma Dept. of Veterans Affairs Spotlights Tough Choices
Is it ever acceptable to allow healthcare workers to use their personal smartphones to access patient information? How about for delivering patient care during a network outage?
These are some of the key questions emerging from a recent controversy involving leaders at the Oklahoma Department of Veterans Affairs who reportedly made the decision to temporarily allow employees at two VA healthcare facilities in the state to use their personal smartphones to access patient records for several hours during a network outage in July.
Approximately 50 VA clinicians were granted temporary access via their personal mobile devices to the records of patients in two Oklahoma VA facilities during the six-hour outage, he says.
“Access was given only so those patients could get their medications. Otherwise, these patients wouldn’t have been able to get their medications,” he says. There are a total of about 500 patients at the two VA facilities that were impacted by the situation, and only some of those patients needed their medications during the outage, he says.
HIPAA violation or not, is it ever a good idea to allow healthcare employees to use their personal smartphones to access patient records? What about during a crisis situation?
…. Companies have to develop a strategy that balances appropriate risks as well as business needs, the attorney adds.
Providing healthcare workers with access to patient records via a personally owned device is acceptable “under the right conditions,” says Keith Fricke, partner and principal consultant at tw-Security.
“Specifically, the device must be properly secured with mobile device management software. This becomes a case of balancing security and privacy with the needs of delivering patient care,” he says. “Risk exists with permitting any mobile devices access to sensitive information, regardless of who owns the device, if it is not properly secured. Some MDM solutions offer a way to compartmentalize access to company information, separating it from personal data on a personally owned device.”
….. “Access to the electronic medical records from mobile devices was authorized on a limited basis to address an emergency need, for the treatment of patients in care,” the report says.
“This access was performed by vetted and authorized [VA] staff who have access to electronic protected health information and personally identifiable information in their normal course of duties and are required to maintain compliance to [VA] HIPAA privacy and security training, policies and procedures.”
The outage occurred on July 25 when the Oklahoma Office of Management and Enterprise Services was overseeing telecommunications maintenance “on the state fiber, for a scheduled outage,” the report notes. The outage had an “unintended impact” on two Oklahoma VA sites, it says.
Some security experts note that with proper continuity planning, access to patient records might have been enabled without the use of employees’ personal devices.
“Replicating systems to another data center can provide access via workstation or laptop instead of from a smartphone,” Fricke notes.