Before I delve into my answer let’s define some terminology.

GSuite confidential is a feature Google released in Q2 2019 to allow its customers to send emails that expire after a period of time and can require a single use passcode to unlock the contents of the email.

Does confidential mode improve the overall security of this email? Let’s break down what's happening:

• A user is generating an email using GSuite confidential mode and selecting an expiry date.
• Email expiry can only be set as low as 1 day by default unless the email is expired on demand.
• Users also have the option of requiring a single use passcode to open the email.

Passcodes sent via SMS

Unfortunately SMS (aka text messaging) is not a particularly safe or secure means of transmitting data – even if its a single use passcode. Why? Simple put the increase of SIM card hijacking has effectively made SMS an insecure means of receiving any type of passwords.

In short SIM card hijacking is a means by which a criminal attempts to take ownership of a victims account by means of social engineering – or convincing a telcos provider to transfer an active line from the victims phone to one in their possession..

There are a number of companies working to solve this issue and US telcos providers have banded together to develop ZenKey as a means to deter this from occurring but the fact remains that SMS is not a secure means of sharing information.

Email expiry

It’s great that GSuite allows users to expire an email but what happens if you accidentally send the email with PHI to the wrong recipient? Confidential mode does allow you to expire the email on demand but at that point you’re already in violation of HIPAA.

Why is that? Simply put the PHI you’re sending in the email is only encrypted in transit. A criminal could in theory get access to a recipients phone via SIM hijacking – use that to password reset the account you sent the email to with PHI to and view PHI.

Alternative solutions

Okay so dizzying technical jargon aside – should confidential mode be used to send PHI. From my professional perspective – no. The risk of having a data breach is too high and while confidential mode is certainly a handy tool – it’s not worth risking your patients PHI just for some flexibility.

PauBox or Virtru.

Both provide encrypted email solutions that integrate with GSuite and are HIPAA certified.

Better yet use a HIPAA compliant document management system like eFileCabinet or SmartVault and avoid sending PHI over email all together.

Looking for a HIPAA compliant mileage logging solution that won’t break the bank? Look no further – Milelogix is affordable and easy to use. Sign up for a free trial today!

I’ve mentioned a list of HIPAA compliant apps like Google Meet and Skype for Business in my ABA Tech Starter guide but generally those tools extend beyond the purview of messaging.

Messaging apps like WhatsApp, Facebook Messenger and the newly released Instagram Threads make it ridiculously easy for users to communicate. While I understand that sometimes employees want to blow off steam by complaining to other coworkers I don’t think that using the aforementioned messaging apps are appropriate for these reasons.

Now you see me now you ...

Privacy oriented messaging apps like Signal have built in features where the message is removed from the sender and receiver after a specific period of time. This is fine if you’re trying to make sure no one is copying your fantasy football strategy but risky for health practitioners. Even if your employees aren’t submitting PHI using these messaging tools – how can you prove to an auditor that isn’t happening?

With an ephemeral messaging scheme you really can’t.

Super fast thumbs

One of the nice things about messaging apps is that it’s a fairly rapid way of sending and receiving information. Pick an existing contact or just use an existing message thread and start typing away rapidly. Beyond getting chronic thumb pain, this rapid means of communication can also open the doorway for employees to start getting into arguments and devolving an entire discussion into a gossip gram.

Gossip Gram

I’m sure you’ve run into situations before where something happens at work and the gossip mill kicks off. We’re all human and asking someone not to gossip is almost like asking them not to think or breath. That said having apps with automatically disappearing messages poses a risk to a health provider. What happens if the discussion is regarding a patient? What used to be referred to as water cooler conversations are now being done over these messaging apps.

Can you be 100% sure PHI isn’t being exposed?

Training

Communication is a complex field. One could argue that messaging apps don’t really encourage real communication as there is a complete lack of tone, body language and shared attention. That said, while I do think health providers should allow employees to use messaging tools the following should be considered:

1. Use the right messaging tool. Signal, Facebook Messenger, WhatsApp and Instagram Threads are consumer grade messaging tools that are inappropriate for the workplace. Use tools like Google Meet, Slack or Skype For Business that allow you to maintain an audit trail of messages sent across the wire. Don’t forget to get a BAA from their respective vendors.
2. Set the right expectations with your employees. Help them understand that these messaging tools are to be used for business communication purposes only.
3. Provide HIPAA certification training to your employees. Give them the confidence to know what types of information are appropriate to be shared via these messaging tools.
4. Provide an alternative to messaging apps to allow your employees to blow off steam. Schedule team building events like Escape rooms to encourage teamwork and collaboration.

Looking to reduce employee stress and increase satisfaction? Provide MileLogix as an employee benefit to automatically generate mileage logs. Sign up for a free trial today!

That said I’d like to present a case against implementing a BYOD policy.

It's not really secure

Proponents of BYOD programs argue that it’s secure because both Apple iOS and Google Android allow IT administrators to set policies on the phone to prevent employees from copying/pasting data and installing non approved applications on the work profile.

Herein lies the problem – the employee is still using their own device and can install applications at will in their personal profile. While both iOS and Android have done a good job of separating personal and work profiles – you still run the risk of a rogue application running in the background that can potentially have access to work profile data.

—

Remote Wipe

Many BYOD policies come with a strict remote wipe clause. Basically if the IT admin deems it necessary the device can and will get remotely wiped. Imagine a scenario where this happens “accidentally”. Now you have to explain to your employee why all their pictures of their grandma’s 80th birthday are gone … forever.

Even if it doesn’t happen accidentally. What happens if the device is stolen or lost? How much time do you give the employee to find the device? An hour? Three hours? Do you really want to risk client data or worse yet PHI being exposed to the public?

With a work assigned device – if its reported lost or stolen it can be wiped immediately. No need to worry about Nana’s birthday pictures getting deleted either.

—

At will termination

Okay so your employees are really good at making sure their BYOD devices aren’t lost or stolen. They’re using good password creation policies and not installing rogue applications that can spy on your data and they’re on a corporate VPN when using public WIFI networks.

What happens when either they quit or you fire them? Some BYOD policies state that upon termination the employee will have their phones wiped. Others assume that post employment, if access to various services like email, shared drives, data collection systems are disabled there’s no way for an employee to access those systems.

Wrong

Consider this: In order to make apps run faster, many of them employ the use of a cache. A cache is like a virtual area on your device where large amounts of data that doesn’t change often (like data collection for a session that happened 2 weeks ago) can be stored and accessed quickly.

Good mobile apps that deal with PHI completely remove these cache files when data is no longer needed. Unfortunately all of this is highly dependent on the app developer. There’s no guarantee the data is actually removed short of completely wiping the device.

I’ll ask again – do you really want to risk PHI being exposed?

—

Employee privacy

Let’s face it, even though some people claim privacy is completely gone – it’s still kind of a big deal. While some employees may accept the idea of their device being remotely wiped at will – no one is going to be truly comfortable with their personal device being monitored and controlled by their employer 24x7.

—

Okay so you’re convinced but you still want to provide mobile devices to your employees to use.

• Buy a bunch of Android tablets managed with a strict device policy.
• Sign up for a telcos provided WIFI hotspot.
• Use a secure corporate VPN on the tablet.

Looking to reduce employee stress and increase satisfaction?

Provide MileLogix as an employee benefit to automatically generate mileage logs.

Sign up for a free trial today!

Sadly they don't but wouldn’t it be cool if they did?

Mileage trackers generally fall into these categories ...

Everything but the kitchen sink

I’m talking about those mileage trackers that not only come with a mobile app – but an actual device you insert into your vehicle called an OBD, short for onboard diagnostics. OBD’s range from $25 all the way up to $100.

That’s not including the time spent trying to install the device in your vehicle either.

To top it off – can you imagine having to tell your staff that just to track and log their mileage they have to install a “device” in their car?

I don’t think so. —

Requires a GPS running all the time

GPS (global positioning system) is amazing. I couldn’t imagine a world without it. Unfortunately it’s not foolproof. Stuck in an area where there isn't a line of sight to your mobile device? Then you’re sort of out of luck.

Some solutions require a mobile device with a GPS running all the time to accurately track mileage. I’ve got two words for you – low battery.

If you’ve got a decent smartphone it’ll disable GPS and pretty much run in bare minimum mode so you can at the very least make a phone call or three.

So much for accurate mileage tracking.

—

Uses a hybrid of cell tower location and GPS

Some of these mileage trackers use the combination of both GPS and the closest cell tower you’re located near, to track mileage. Beyond this being the ultimate privacy killer – your accuracy will vary.

Some of the mileage trackers use nearby WIFI (open/public WIFI) to also determine location.

Not particularly comforting especially if we’re shooting for data privacy here. —

Uses calendar location data with Google and Bing Maps

Bonus points for not requiring any funky hardware to install in your car or relying on a stable GPS signal. Accuracy is excellent as well. Unfortunately most of these scheduling solutions rely heavily on Google and Bing Maps to calculate mileage and drive time.

Neither of those services are HIPAA compliant and you run the risk of exposing your PHI to advertisers and companies that purchase this data.

Don’t take my word for it. Read Google Maps terms of service – section 3.2.2. —

Uses calendar location data with a private mapping engine

The only way to be sure that your client PHI (address data) isn’t being leaked is to rely on a HIPAA compliant mileage tracker that uses a private mapping engine where none of your data is sold,copied or transmitted to the public – ever.

— MileLogix is a HIPAA compliant, calendar based mileage tracker that uses a private mapping engine to calculate mileage and drive time.

Interested in trying it out?

Sign up for a free trial today!

I wrote this tech starter guide to help budding ABA business owners and experienced ones who want a set of proven technology that can act as a force multiplier to their agency.

Regardless of the type of software you're selecting to use – if you’re going to be storing any kind of protected health information – you need to make sure the solution you’re using is HIPAA compliant and that the vendor will sign a BAA.

Here are some are highly recommended software solutions for ABA business owners just starting out that I've split into several categories. If you need the TL;DR skip to the end of the guide.

• Office Suite

While Microsoft is certainly the 800 lb gorilla in this space I am quite partial to Google Suite (GSuite) for a number of reasons. GSuite has an interface that’s a lot easier to use and in general their documentation is much more facilitated to users who are new to managing users and groups.

Best of all if you allow your employees to use their own devices (BYOD) you can create a policy which restricts the types of apps they can use with their work profile.

If you do setup a BYOD program I highly recommend having a policy whereby if an employee loses their mobile device – you’ll issue a remote wipe to ensure no chance of PHI ever being put into the wrong hands.

If you do sign up for GSuite make sure you request a BAA from Google.

• Telehealth

Another reason why I love GSuite is that it comes with Google Meet. Google Meet is a HIPAA compliant video/chat solution that you can use in your sessions. As an added bonus Google Meet also includes a conference bridge that people can dial into.

Honorary mentions go out to Skype for Business and VSee.

• Laptop

If you’re looking for a low cost, secure, easy to use laptop then look no further than a Chromebook. Google has put a tremendous amount of effort into making their Chromebooks secure by including features like full disk encryption and automatic security updates.

Chrome OS is designed to prevent malware from infecting your system. Best of all it fully integrates with GSuite so you can manage your employee laptops easily.

Once you start hiring employees sign up for Chrome OS Enterprise to restrict application installs (no one needs to be playing Candy Crush during work hours) and make sure all your laptops in the field are updated with the latest security patches.

My only issue with Chromebooks are that they typically have a 3 to 4 year security patch lifespan – which may not be an issue given that Chromebooks are typically within a $200-$400 price range. Many of them come with touchscreens so your laptop can double as a tablet as well.

As for a vendor – most of them offer the same bells and whistles. I’m partial to Lenovo’s because their laptops are well built and offer a much more professional aesthetic than other Chromebook vendors.

• Tablets

Hands down the best tablets that are out there are the ones made by Apple. If you can afford to buy iPads I highly recommend doing so. That said with a premium quality tablet comes a premium sticker price.

The alternative are Android tablets. Avoid tablets that come with a lot of bloatware on them like the ones made by Samsung or Huawei. I recommend the Lenovo Tab – they come with stock editions of Android so you’ll get a brisk experience using the device.

• GPS Navigation

Some of you might be wondering why this category of software is here especially with the advent of Google and Bing Maps. These are great consumer grade solutions but remember that an address is considered one of the 18 types of PHI.

Don’t take any chances of having your client addresses get exposed to the public domain. Use an offline mapping solution and leave Google and Bing Maps for trips to the beach.

• Security Training

Required training videos is something most people dread to have to watch. That said there’s a lot of important information to disseminate about best security practices and HIPAA compliance.

I recommend using a vendor like KnowBe4. Best of all they have a ton of free tools that let you test how security savvy your employees are.

If you want to save money and just want to train your employees on how to avoid malware attacks then consider PhishMe Free instead.

Whew – that was a lot of information to go over. Here’s a handy table summarizing everything I’ve talked about.

Looking for a fast, easy to use mileage tracker that's HIPAA compliant? Look no further.

Sign up for a free trial of MileLogix today!