The HIPAA Security and Privacy Rules require all covered entities to protect the EPHI that they use or disclose to business associates, trading partners or other entities. New standards and technologies have significantly simplified the way in which data is transmitted throughout the healthcare industry and created tremendous opportunities for improvements in the healthcare system. However, these technologies have also created complications and increased the risk of loss and unauthorized use and disclosure of this sensitive information.
The doctorPal Application is password/PIN protected. The data on the iDevice/Android cannot be accessed unless the PIN is entered correctly. When the phone returns to standby mode (default 1 min), the App is not accessible without re-entering the PIN. Moreover, we recommend locking the iDevice with a master PIN that is different than the one used to access the App.
We use highly sophisticated encryption of data as it resides on the iDevice/Android and utilized upon data transfer electronically. Data cannot be intercepted or read by anyone but the designated recipient, who will need to be provided an unlock password for data access. The recipient is required to enter into the secure doctorPal network to access to patient’s information
With data transmitted from the doctorpal WebApp Portal to any iDevice/Android, we use what we call "Throw Away Encryption" - this means we create a random encryption key, encrypt the data, and send the recipient the key to download on their iDevice/Android. When using the sharing feature, if your key matches the key of someone else, your data will be revealed to one another. This and only this key can decrypt the data (which is stored on the server for a limited time). Upon data decryption once (you only get one download) or 72 hours has passed, ALL data beyond this time limit is irrecoverably purged. None of our administrators can even access any of this information. Our site, portal, and servers use Starter SSL (TM) connections, satisfying HIPAA regulation. Data decryption requires use of the doctorpal Application and is otherwise impossible to access.
The data contained within the typical doctorPal record calls for the minimum information required to generate a super-bill, not a medical record. Charges are then sent via secure encrypted, zipped and PIN protected email to your billing staff. doctorPal is not an EMR and therefore not intended for the storage of data detailing history and physical findings.
Remote Data purging of a lost iDevice is a service provided by Apple within the MobileMe platform.
Secure data backup and restore is also done via encryption and protected by the native anti-virus and anti-spyware software on the user's personal computer via the iTunes and/or SyncDocs platforms.
As far as the safety of the data on the iDevice, devices should be using iOS 4.0 and greater and a password lock screen - this combination allows for the entire device to be secure, ensuring that even in the event of a lost iPhone the client data is securely encrypted and cannot be obtained.
This document provides a review of some strategies that may be reasonable and appropriate under the HIPAA Security Rule for offsite use of, or access to, EPHI. For a more detailed review of the HIPAA Security Rule, please visit www.cms.hhs.gov and follow the link under “Regulations and Guidance” for HIPAA Educational Materials. The “Security Series of Papers” provide an overview of the HIPAA Security Rule (www.cms.hhs.gov/EducationMaterials/ ). Please note that the HIPAA Privacy Rule also requires covered entities to implement appropriate administrative, technical, and physical safeguards for protected health information (PHI) in any form. These provisions are enforced by the Office for Civil Rights (OCR). For more information on the Privacy requirements please visit www.hhs.gov/ocr/hipaa or call the HIPAA Privacy Hotline at 1-866-627-7748 (TDD: 1-800-537-7697).