Wednesday, March 23, 2016

HIPAA, Confidentiality, and Google

I start this post with a warning.  I am going to discuss a few aspects of HIPAA as it relates to our use of Google Apps for Business.  This is not meant to be an authoritative or complete analysis of the HIPAA requirements for protecting medical information.  As lawyers, you are ultimately responsible for taking any necessary steps to keep medical records confidential, as you are obligated to keep pretty much any client information confidential.  I am merely posting some thoughts that might help with your efforts to protect client confidentiality while using the firm's online resources.

Even if you do not deal directly with medical records, you may find parts of this article helpful in ensuring protection of client confidentiality in your storage and transmission of electronic records.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed, among other things, to create an obligation for health care professionals and insurance companies to ensure the privacy of client medical records.  A law firm which handles such records is not covered directly by HIPAA, but is considered a "Business Associate" of those covered and therefore must take care to protect the privacy of medical records in its possession.

If you wish to read more about the HIPAA Privacy Rule in general, I recommend this page at HHS as a good place to start.  At its most basic level, the idea is that we take care to make sure that medical records are not disclosed to anyone who should not have them.  HIPAA seems to be maddeningly vague about exactly what level of security or care is really required, though.  We often get questions about compliance from some of our clients.  We need to make sure that we comply with whatever the client requires of us.

One question that we sometimes get is whether our email system is compliant.  Gmail has a HIPAA Business Associate Agreement which Google says ensures compliance with HIPAA with the use of Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Apps Vault services.  Notably, some Google Apps for Business services, including Google+, Google Groups, and Google Voice, are not covered by this Agreement.  Google also publishes an Implementation Guide which gets into more detail about what can be used and what settings best comply with privacy requirements.

Gmail

Some clients have asked about our ability to send and receive encrypted email communications. Gmail requires encrypted communications between our terminals and the Google servers.  This allows us to create or read an email over an encrypted connection.

However, when an email travels between any two different email systems, it must be unencrypted or else the receiving system will not be able to read the message.  HHS, which is responsible for enforcement of HIPAA, does not prohibit use of unencrypted emails.  (See, e.g., HHS FAQ).  Some clients, however, wish to have fully encrypted end-to-end communications with the firm.  To set up secured connections, we must have a shared encryption key with the other organization's domain.  Gmail includes the ability to set up a shared key.  If a client demands this, I can work with their IT staff to get it set up.  Doing so would encrypt correspondence between our two firms.  However, anything sent to a third party would not be protected by this encryption.

Google Drive

Another important concern for many people is Google Drive (which includes Google Docs).  This can be a great online collaboration tool.  You can upload documents to a drive and share them with others, who can then download them to their own systems.  With a limited number of document types, you can even edit the documents online and work collaboratively.

There is relatively little written about privacy requirements here.  But certainly, when setting your share settings, you would not want to make a document public, which would expose it to anyone on the Internet.  There is an option to share documents with "anyone with a link".  This is essentially public, but hides the documents from search engines.  Someone could not simply run a search and come across your documents.  It would be pretty difficult to find those documents without a clickable link leading directly to them.  But since you have no control over who might be forwarded those links, it is not a good idea to share any confidential data at this level.

Google indicates it is acceptable to share confidential files with specific authorized users.  When you set a share for a specific email address, the user will receive an email with a link to the shared document or folder.  The other user's email address need not be a Gmail address, but the user will have to register his or her email address with Google, if not already registered, in order to access the documents.

Typically, you would only give a user read-only access unless you are working collaboratively.  Otherwise, the user can edit or delete your files.  Even if a file is read-only, the user can still download the file and make changes to a copy offline.  They simply cannot edit the online version of your document.
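
To make the sharing levels above concrete, here is an added example (not part of the original post) that reviews file sharing metadata and flags anything shared publicly, by link, or with an outside editor. It assumes records shaped like Drive API v3 permission entries (`type`, `role`, `allowFileDiscovery`, `emailAddress`); the file names, addresses, and the `firm.example` domain are constructed.

```python
# Added example: classify Drive sharing settings by exposure level.
# Assumption: records mirror Drive API v3 file/permission fields.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

def exposure(perm):
    """Map one permission entry to a sharing level discussed in the post."""
    if perm["type"] == "anyone":
        # Discoverable means searchable ("public"); otherwise URL-only.
        return "public" if perm.get("allowFileDiscovery") else "anyone-with-link"
    if perm["type"] == "domain":
        return "domain-wide"
    return "specific"  # a user or group named by email address

def audit(files, firm_domain):
    """Return (file name, finding) pairs that need a human review."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            level = exposure(p)
            if level in ("public", "anyone-with-link"):
                findings.append((f["name"], level + ": not restricted to named users"))
            elif level == "specific" and p["role"] in WRITE_ROLES:
                addr = p.get("emailAddress", "")
                # Outside editors can change or delete the online copy.
                if not addr.lower().endswith("@" + firm_domain):
                    findings.append((f["name"], "external editor: " + addr))
    return findings

def _user(addr, role):
    return {"type": "user", "role": role, "emailAddress": addr}

OWNER = _user("attorney@firm.example", "owner")

# Constructed sample metadata (not real files or addresses).
SAMPLE = [
    {"name": "intake-notes.pdf", "permissions": [
        OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "records-smith.pdf", "permissions": [
        OWNER, _user("expert@clinic.example", "reader")]},
    {"name": "draft-brief.docx", "permissions": [
        OWNER, _user("cocounsel@other.example", "writer")]},
    {"name": "newsletter.pdf", "permissions": [
        OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "firm.example"):
        print(name, "->", finding)
```

The read-only share to a named outside user produces no finding, which matches the guidance above; a download by that user is still possible and is not visible in this metadata.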

Secure Your Devices

Even if Google remains secure, if your end device (your laptop, phone, or tablet) is not secured, you are creating a major security hole.  Make sure your devices are protected by a fingerprint or password if you receive or maintain any confidential information on that device.  Also, firm cell phones are secured with Mobile Device Management.  If your phone is lost or stolen, we have the ability to wipe the contents remotely.  Be sure to tell us if a device is missing.  We need to wipe the data before the carrier cuts off service to the device.  So call us before Verizon.

