
HIPAA and Handhelds

January 1, 2003
What to do about personal digital assistants (PDAs) when complying with HIPAA by Dan Jacob
As nursing homes struggle to ensure that older information technology systems are HIPAA-compliant, they also need to consider how HIPAA will impact new technologies, including personal digital assistants (PDAs, i.e., handheld devices such as Palm Pilots and Visors), used increasingly in facilities to record patient information. Personal digital assistants offer enormous convenience and flexibility to nursing homes in the general area of record keeping.

Although there are, in fact, more than 500 healthcare-specific applications for PDAs, most function as either reference databases or calculators. Since these types of applications don't typically use protected health information (PHI; i.e., such patient information as diagnoses, encounter reports, procedures, prescriptions, and lab and test results), there is no HIPAA impact. In those cases in which nursing home employees use PDAs to record PHI, safeguards must be put in place to ensure that the information is not compromised. Reasonable safeguards should include:

Employee confidentiality agreements. Nursing home employees who use PDAs to access and record patient information should be asked to sign employee confidentiality agreements in which they agree to safeguard patient information, take responsibility for its protection and face sanctions if it is compromised.

Password protection. Most PDAs have a password-protection utility, requiring the user to enter a password before accessing any of its functions. All nursing home employees who use PDAs to access patient information should be required to use the password-protection feature. This simple safeguard ensures that patient information is protected in the event that the PDA is lost, stolen, or accessible by someone other than the nursing home employee.

Synchronization. Many PDAs are equipped with the capacity to upload information from the device to a personal computer (PC) via a communication port, a process called "synchronization." Protected health information uploaded to a PC can be vulnerable to inappropriate disclosure; remind nursing home staff engaging in synchronization that PHI uploaded to a PC should be password protected and, if possible, encrypted. Also, the PDA user should maintain an auditable log of all data uploaded to a PC. In those cases in which a nursing assistant uploads the information on behalf of a more senior member of the medical staff, again, he/she should make sure that the data uploaded are password protected, encrypted, and reflected on a tracking log.

PDA repairs. PDAs, like any electrical device, can and will malfunction and require repairs. Before sending the PDA for repair, make sure that any PHI it contains has been erased from storage and rendered completely inaccessible to service technicians.

Beaming. Many PDAs have the ability to transmit or "beam" information to another PDA via an infrared information stream. When beaming in the presence of other PDAs, it is possible for another device to inadvertently pick up the transmission. We recommend that beaming take place in the presence of only two PDAs, and that they be held two inches apart for the duration of the transmission.

Wireless transmissions. Increasingly, PDAs are equipped with the capacity to send and receive information via wireless transmission. In those cases in which PHI is sent over any form of open network, it needs to be encrypted, and a mechanism established to ensure that the intended recipient received it.

Dan Jacob, founder of Healthcare Solutions, is a HIPAA expert serving the long-term care and assisted living community. For questions regarding the applicability of HIPAA to nursing homes, e-mail Jacob_Dan@hotmail.com. To comment on this article, please send e-mail to jacob0103@nursinghomesmagazine.com.