Does your healthcare practice use a wireless network to send and receive Protected Health Information (PHI)? Well, you aren't alone. The vast majority of doctors' offices and healthcare practices now use WiFi to streamline their normal operations. After all, it's easier and more convenient to send a patient's file to a department via a wireless network as opposed to manually walking it to the department. But with the advent of wireless technology comes new hurdles regarding patient privacy.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created for the sole purpose of protecting the privacy of healthcare patients. It consists of the Security Rule, Privacy Rule, and Breach Notification Rule, each of which has its own unique characteristics. The Security Rule, for instance, applies only to Electronic Protected Health Information (EPHI), such as digital files and documents containing the personally identifiable information of healthcare patients.
If you dig deeper into the HIPAA Security Rule, you'll notice that it has requirements which can be applied to wireless technology. One such requirement is “unique user identification,” meaning that healthcare workers must use a unique username when accessing any system that passes EPHI. Assuming your practice's network transmits or receives EPHI over the wireless network, workers must be given unique login credentials to access the network.
Another requirement noted in the HIPAA Security Rule is the use of emergency access procedures. Under HIPAA, all covered entities are required to have a procedure in place which allows them to access PHI during an emergency. When speaking in the context of a wireless network, an emergency access procedure may consist of a local area network that remains live even when public Internet access is disabled. Workers and IT technicians may continue to log into the network to retrieve data, regardless of whether or not the network is connected to the Internet (assuming the data is stored locally).
The HIPAA Security Rule also requires covered entities to implement automatic logoff procedures, which, as the name suggests, means users are automatically disconnected from the system after a certain amount of time has passed without activity. This feature is relatively easy to implement on wireless networks: users are logged off after being idle for X minutes/hours.
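The two controls above, a session tied to one individual's user ID and an automatic logoff after a fixed idle period, can be implemented in a few dozen lines. The following is an added illustration written for this article, not code from the article's author or from any HIPAA guidance: a small in-memory session store with an idle timeout. The 15-minute default, the user names and the timestamps are constructed assumptions, and `now` is passed in explicitly so the expiry logic can be exercised deterministically.

```python
"""Idle-timeout session enforcement (constructed example, not from the article).

Every session is bound to an individual user ID (no anonymous or blank
accounts) and is invalidated once no activity has been seen for
`idle_timeout` seconds. Both logins and logoffs are written to an audit log
so that idle disconnects can be reviewed later.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str        # the individual user this session belongs to
    last_activity: float  # epoch seconds of the most recent request
    created_at: float


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60):  # 15 min is an assumed default
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}
        self.audit_log: list[str] = []

    def login(self, user_id: str, now: float | None = None) -> str:
        """Create a session for one named user and return an opaque token."""
        if not user_id or not user_id.strip():
            raise ValueError("a session must be tied to an individual user ID")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user_id, now, now)
        self.audit_log.append(f"LOGIN user={user_id}")
        return token

    def check(self, token: str, now: float | None = None) -> str | None:
        """Validate a request. Returns the user ID for a live session and
        refreshes its activity timestamp; an idle session is logged off and
        None is returned, as for an unknown token."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity >= self.idle_timeout:
            self._logoff(token, sess, "IDLE_TIMEOUT")
            return None
        sess.last_activity = now
        return sess.user_id

    def sweep(self, now: float | None = None) -> int:
        """Proactively log off every idle session; run this on a timer so
        sessions expire even when the user never sends another request."""
        now = time.time() if now is None else now
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity >= self.idle_timeout]
        for t in expired:
            self._logoff(t, self._sessions[t], "IDLE_TIMEOUT")
        return len(expired)

    def logout(self, token: str) -> None:
        sess = self._sessions.get(token)
        if sess is not None:
            self._logoff(token, sess, "USER_LOGOUT")

    def active_users(self) -> list[str]:
        return sorted(s.user_id for s in self._sessions.values())

    def _logoff(self, token: str, sess: Session, reason: str) -> None:
        del self._sessions[token]
        self.audit_log.append(f"LOGOFF user={sess.user_id} reason={reason}")


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    tok = store.login("dr.smith", now=0)        # constructed user and times
    print(store.check(tok, now=600))             # still active
    print(store.check(tok, now=2400))            # idle for 1800 s -> logged off
    print(store.audit_log)
```

Two design points matter in practice: the timeout is measured from the last activity rather than from login, and `sweep` is needed in addition to `check`, because a workstation that is simply walked away from never sends the request that would trigger an on-demand expiry.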
While doctors and covered entities aren't prohibited from using wireless networks in their facilities, they must follow some basic measures in order to remain compliant with HIPAA. These include unique user identification, emergency access procedures, and automatic logoff.