[Staren]

Ok guys, I need some help making a choice. It's time for a new iPod. My old iPod Mini (yes Mini not Nano) is starting to show its age and I need video at this point. I'd like to get my media and my PIM into one device so I was thinking of replacing my Blackberry 8700 with an iPhone. Obvious anwser right?

Well here's the hitch. I'm a psychology graduate student who does counseling. This number is basically my work line. There's nothing inherently unethical about having work data and personal media on one device or having a camera with you in counseling sessions, but I have a bit of a problem with it personally. So that brought me to the iPod Touch, but that would mean still carrying a Blackberry and an iPod still.

My supervising professor and fellow students don't know what to tell me on this since this stuff is so new and we are kind of still coming up with the ethical issues of smartphones as we go here. So what do you all think I should get?

[BRussell]

I don't understand the ethical/personal problem you have about using the iPhone for personal and work-related purposes.

[MrForgetable]

There's a fine ethics line in psychology. But I would still get the iPhone.

[BRussell]

Originally Posted by MrForgetable 

There's a fine ethics line in psychology.

What's the line here?

[Staren]

Here is the main issue. If I used the calender to remind myself to look something up or to research something before the next session I had with someone, or a note to consult someone, even if the name of the client is no where on the phone, it's possible someone could find out who the reminder is about based on times.

Normally that isn't a problem because that info would be on a device that you would normally have no need to show to another person. But the iPod side of the phone I'd obviously have out when I'm just out and around. I know it's a ridiculously small possibility someone could click over and glance at the data when I'm just using iPod screens, but people have gotten sued for less.

[theDreamer]

This is a tough question for your field.
Personally I would go with play it safe and probably get the iPod touch, but that would put you back in the same spot with two devices.
Though if you take the risk and get the iPhone and someone does take a look you will be potentially risking the release of client/patient information.

Another solution would be a two device solution, but I see now way around just using one device so far. Unless there was some way to lock down parts of the calendar to where only if you insert a password or code could you view the contents of an event.

[Staren]

Originally Posted by theDreamer 

Unless there was some way to lock down parts of the calendar to where only if you insert a password or code could you view the contents of an event.

Which of course doesn't exist. And I'm not about to use a web app. Even if the data was on my own server, accessing it via campus wi-fi would be 10x worse of a security problem then I was already worried about.

[theDreamer]

Originally Posted by Staren 

Which of course doesn't exist. And I'm not about to use a web app. Even if the data was on my own server, accessing it via campus wi-fi would be 10x worse of a security problem then I was already worried about.

Oh I agree completely, do not trust any wifi network for accessing confidential data.
You could just get the iPhone and not let anyone ever touch your phone then.

[ghporter]

It looks like you're a lot more interested and aware of the HIPAA aspects of this issue than most healthcare professionals. Good for YOU!!! Just having the data on a device you can put in your pocket is not a real issue-as long as there aren't too many puzzle pieces a casual observer could put together. Saying you have an appointment with Mr. Smith tomorrow at 4:00 in your office says absolutely nothing about WHY Mr. Smith is visiting you. Listing what you've already talked about would, however, be Very Bad. And having notes about what you want to look up for Mr. Smith would be Very, VERY Bad in terms of security. Better to find a securable PDA for that sort of thing than to depend on obscuring the links you really need between whom, what, where, and why.

Far too many people covered by HIPAA think their information is "boring" or "nothing important" and they fail to take proper steps to protect it. Eventually, a few of them are going to have to visit the unfriendly man in the long black robes and explain why the psych records on Mr. Jones just happened to be completely unprotected when the temp janitor came through one day...and why Mr. Jones is now unable to get health insurance because those records included information that the insurance companies didn't need and weren't entitled to-but they were interested in anyway. Hundreds of thousands of dollars in fines (which can be "per disclosure") and YEARS in jail are not fun things to contemplate, are they? Didn't think so. Keep up paying attention to your ethical and professional responsibilities!

[vmarks]

Here's what I can tell you.

Besides the two-device-solution, there are a few other technological things you can do.

(a) no names, just times in the calendar.

(b) use the combination lock on the phone, prevents random people from unlocking it. This only locks the whole phone. There is no lock on a per application basis.

(c) the iSkin revo case ships with a small privacy filter screen to prevent eyes from a wider viewing angle. I would probably apply this over a full-face screen protector, because this one only covers the display.

If these aren't enough to satisfy your needs, then two-device-solution it is.

[BRussell]

Originally Posted by Staren 

But the iPod side of the phone I'd obviously have out when I'm just out and around.

I see - basically, the iphone is cooler and will attract more attention, and you'll want to have it out more, so the risk to any private information you've got on it is greater. I guess you could get a boring, ugly device that no one would care to look at.

But I really don't see how it's qualitatively different from your blackberry - you don't want other people to get in to that either. The temptation for others to look at it will be higher for the iPhone, but the security you desire for it doesn't change: Just as with your blackberry, you don't let other people get into it.

- BRussell (psychologist)

[Staren]

Originally Posted by BRussell 

I see - basically, the iphone is cooler and will attract more attention, and you'll want to have it out more, so the risk to any private information you've got on it is greater. I guess you could get a boring, ugly device that no one would care to look at.

- BRussell (psychologist)

The difference is the fact that I would have actual media content on an iPhone. With my current set-up I can have someone else listen to a song on my iPod or show someone a clip on my laptop without risking someone seeing anything possibly sensitive because it's on my Blackberry in my bag.

[CorpITGuy]

This is probably something you should ask an attorney. If it's like most laws, you just have to show in court (God forbid it) that you did everything you could reasonably be expected to do to secure the iPhone; i.e. you locked it with a passcode and didn't allow someone to run off with it for a few minutes. The real question is whether you could get into legal trouble, not whether it's ethical. HIPAA and ethics have very little in common, in my experience (IT). :-/

[Staren]

Actually general ethics are just as impotent as the legal issues from a consequence standpoint. Even if you won in court, you could still lose your license to practice. Public courts don't decide that, your peers from professional organizations do. And if you get someone doing that review who doesn't "get" tech, you can see the problem there.

[vmarks]

Then perhaps you have a phone for yourself, and a nano or touch that is strictly for use by clients.

If that's the cost of keeping your license when those around you cannot understand technology, so be it.

[theDreamer]

I must say, this is the major downside to technology and working in a non tech field (even some tech fields).
Co-workers, others in your field do not understand things many times with newer technology and fear that it will cause problems thus staggering behind in upgrading. While they can be correct that it might be "different" or at first cause problems, the ability to adjust is always something that is to slow and causes for problems/delays than it should.

Best solution so far:
~Use the pin code for unlocking the phone.
~Only put enough information so you know what is going on, and is to vague for anyone else to understand.

If problems do ever arrive, you can always buy a cheap (used also) PDA device for $50 and use it for client information which then only you have access to in and no one else ever sees.

[angaq0k]

Originally Posted by Staren 

Ok guys, I need some help making a choice. It's time for a new iPod.

Being a psychologist myself, working with new technologies (counselling over the Internet among others), I can tell you you do not have many choices.

The issue will always be one of boundaries. If you were to handle client data from your home computer, you would make certain that no one from your family would be able to access it. Would you use that computer as your multimedia center?

I would not, simply to reduce the risk of going over the border of personal/professional boundary.

Personally, I have NO client data on any of my personal devices. 4 digit passwords are easy to crack, data can be retrieved by hackers, but mostly, the idea of having a portable device with confidential data being lost, even though the persons finding the device would be unable to access it, I would not take a chance for that trouble.

My employer is also very careful at erasing the data from any of our computers we use for counselling: hard drives are destroyed, and computers are "recycled". We are very strict in terms of confidentiality.

My suggestion: do not mix the personal stuff with the professional's. If you need a gadget, your clients certainly are not looking for the consequences of their data at risk.

Yet, if you are a bit imaginative, there is probably a compromise. If you need a portable electronic device to process client data, remove all personal identifiers that could lead to guess the names of your clients. That is the least you should do.

Hope this helps,

[Staren]

angaq0k, ghporter, thanks a lot you two. That really helped. My major professor was thinking along the lines of an older blackberry. If you have a list of things needed for your 4 pm and your personal contact list on the same device, what's the problem? No one else is going see it and it will be locked down when not in use anyway. I think I was right that it is going to be a bigger problem when you start adding personal use stuff even with no identifier information.

I think I will stick with the Touch and a separate blackberry for work data.

[Cadaver]

My laptop, which contains both personal and HIPAA protected data, is encrypted with FileVault, has a strong alphanumeric password, has the firmware lock applied to help prevent unauthorized booting from an external device, has secure virtual memory enabled, requires password when waking from sleep and screen saver, and has the firewall on with no unnecessary open ports.

I have taken all reasonable procedures to prevent unauthorized access. It is unreasonable for me to leave the machine in one location, so I've done these steps to protect confidential information.

I feel I'm on solid ground legally and professionally, and my machine is way more secure than the machines of some of my peers.

[ghporter]

Originally Posted by Cadaver 

I feel I'm on solid ground legally and professionally, and my machine is way more secure than the machines of some of my peers.

You are leagues and leagues ahead of most people in the HIPAA area. WAY ahead. Having been a computers security professional and now being in training to be a healthcare professional, I can see both sides of the issue-and it's really a no-brainer. The information about patients and clients is THEIRS, and they trust you with it. It is valuable to THEM, and much of that value is in its confidentiality. Healthcare providers that handle protected information without this attitude fail to respect their patients or clients as human beings with real feelings, goals and lives.

And it's absolutely trivial to do "the right thing" by simply putting away charts, not trying to "talk around" protected information when it's just as easy (or easier) to simply move the conversation to a controlled environment, and (here's the thread-relevant part) taking appropriate precautions to prevent electronic records from being disclosed. I'd say you're more than "on solid ground" with the precautions you've taken; you're a shining example of realistic and pragmatic protection of protected patient information.

Nobody plans on having their computer stolen. Nobody plans to blab about Mr. Smith's polyp being malignant. And nobody plans to allow the temp janitor to read Ms. Jones' chart. But stuff happens, and taking steps to minimize the damage that stuff can cause is just being realistic.