As more and more business management and operational tasks are handled by computers and other devices, it is necessary to update your computer equipment every few years. If your business handles protected health information (PHI), you should think twice before purchasing Mac products. Although many people love Macs, and they are great for many other applications and industries, they can be a liability for health care providers and others who deal with PHI.
HIPAA: Patient Privacy Laws
Businesses and organizations that handle patient health information are subject to strict rules protecting patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It sets out two basic rules that apply to healthcare entities, including doctors, dentists, insurers, clinics, and “clearinghouses” (entities that process patient health information): the Privacy Rule and the Security Rule. These rules work together to keep patient data confidential and protected from improper access or use.
To implement these rules, the Department of Health and Human Services (HHS) publishes HIPAA regulatory standards, policies, and procedures for handling PHI in all its forms (paper, electronic data, images, and any other formats). The HHS Office of Civil Rights (OCR) can leverage criminal and civil penalties for violations of these rules. If your organization doesn’t comply with these requirements, even unintentionally, you can face significant consequences.
Why Don’t Macs Fit Into HIPAA Compliance?
Hardware isn’t in and of itself HIPAA-compliant or non-compliant; a business must use both software and security practices to ensure compliance. One significant area where Windows-based devices have an advantage is that it is possible to establish an automated global oversight process rather than handling security on a machine-by-machine basis. You can implement secure processes on a universal, organizational level, ensuring uniformity and regulating compliance. It’s not possible to exercise that kind of global oversight on Macs; they need to be individually secured. An IT manager can’t globally control what users have permission to see or do on the device or network, and cannot restrict shares by user; they can only be allowed or disallowed by device. For an office with one computer, it could be possible to ensure HIPAA compliance; for an organization that has multiple devices, this kind of old-school IT management is irresponsible at best and a recipe for disaster at worst.
Further, it’s not possible to remotely restrict viewing of a Mac screen, i.e., there’s no global device lockout that can be deployed to protect the device from being used or viewed by an unauthorized person in a clinical setting. Anyone can walk up to the device and do what they want with it if it’s logged in. Even for a single-computer office, this vulnerability leaves open the potential for misuse and noncompliance if the machine is stolen or simply left unattended for a moment.
Can’t Software Help Ensure Compliance?
The CASPER management system is a platform that allows IT administrators to manage Mac OS X computers (including overseeing inventory, software distribution, settings and security). However, it is far less universal and much more cumbersome than platforms currently available to manage Windows-based machines. It’s still not possible to manage software deployment on a Mac, including universally allowed applications, disallowed applications, or anti-virus software.
Plus, Macs offer no way for an IT administrator to restrict web access. Many websites run nefarious scripts that can harm computers or install viruses and malware. On Windows, an IT manager can restrict web browsing activity to safe sites and run web traffic through a filter like Cisco umbrella; Windows users can be restricted from having the system permission necessary to override this filter, but Mac users cannot. Taken all together, the currently available enterprise management tools are simply not adequate to safely deploy Macs in a HIPAA environment.
Mac Practice software addresses a significant number of HIPAA-compliance concerns, but it can’t overcome the limitations of the hardware for an organization with multiple machines and users. Mac Practice does use encryption for its data, and offers certain features to help users comply with both security and privacy issues; on a limited basis, it can be HIPAA-compliant, but for most users, it’s safer to use a Windows-based system.
It’s also impossible for an IT administrator to restrict what a Mac can download or the bandwidth it uses when it decides to do so. (This means, for example, that if all the Macs in your office decide to download the latest updates to their operating system in the middle of the business day, you’re pretty much shut down until they’re done.) While this isn’t directly an issue with HIPAA compliance, it’s still a risk for your business and a strike against choosing Macs for your workplace.
Ask the Experts
Organizations that need to ensure they are HIPAA-compliant often use third-party IT experts to implement and adhere to the law’s rigorous policies and procedures. Dymin’s IT professionals can help you assess your HIPAA needs and develop a compliance plan for your business, along with the hardware, software, and tech support you need. Contact us today to get started.