7 Components of Your Employee Computer Use Policy

All businesses, and particularly those in healthcare, have their share of computer and technology issues. Many of those issues are either user-caused or user-enabled, and one of the primary reasons is the lack of a formal policy governing employee computer use. A written Acceptable Use Policy, or AUP, can help solve or prevent many of these issues.


There are several fundamental issues with today’s computer systems, and one of the primary ones is that the workstations and laptops in use in healthcare look identical to the ones we use at home. This fact, coupled with the term “PC” — as in “personal computer” — leads many users to mistakenly think they can make changes to their workstation and customize it at the ASC or medical facility just like they do at home. Doing so not only creates more headaches for the ASC’s IT staff, it can also put the facility at risk of a HIPAA security breach.

A proper AUP should cover several items, including the following:

  1. Make it clear that these computers belong to the business, which makes them BCs, not PCs. That means that the business has every right (and even the responsibility) to determine how they are used, what software can be installed on them and all other facets governing their use.
  2. Any data that is generated on, transmitted through or stored either temporarily or permanently on any computer or similar device is to be treated with the utmost care. That includes not only traditional computer devices like workstations and laptops, but also portable drives like USB keychain drives, other devices like PDAs, smartphones, pagers, digital scanners, voicemail systems and anything similar. 
  3. Any computer devices — and specifically physicians’ laptops — that are occasionally brought into an ASC or medical practice, or which access the ASC’s network remotely, must be subject to the same AUP. This is particularly difficult, because their users tend to think of them as their own personal property. If they connect to the ASC’s network, even once, they are (or should be) governed under the AUP.
  4. Users should be prohibited from installing any software, and only software that is explicitly approved by the ASC management staff should be allowed on any workstation or laptop. Enforce this technically as well as on paper: everyday users should log in with standard, non-administrator accounts, so that the prohibition does not depend on goodwill alone.
  5. Users should use "hard" login names and passwords. That means, at a minimum, passwords that are a combination of letters and numbers, and longer passwords are stronger than short ones. This is a royal pain for users, but it is necessary: the HIPAA Security Rule (45 CFR 164.308(a)(5)(ii)(D)) calls for procedures for creating, changing and safeguarding passwords, and industry best practice expects them to be strong.
  6. Users should be explicitly prohibited from doing such things as using unencrypted e-mail to transmit EPHI (electronic protected health information), and from posting certain types of information online, whether on a Web page or a social media site.
  7. All data and media should be carefully disposed of. No computers should be donated to charity or given to staff without the data being completely "wiped" from the system. (Note: Merely deleting the data from a hard drive does not remove it; the files are only marked as free space and remain recoverable until they are overwritten. Either overwrite the entire drive with a wiping tool or physically destroy it.)

You should work with properly trained IT professionals, in consultation with your human resources and legal teams, to craft and implement a proper AUP. Doing so will help reduce technology issues, as well as satisfy one of the important HIPAA Security Rule requirements.

Marion Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
