`

Are your mobile devices HIPAA compliant?

Mobile device use is becoming more commonplace in health care. With the increased use of mobile devices comes an increased opportunity for HIPAA technology compliance issues. In the recently launched initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, provides tips on ways to safeguard protected health information (PHI) when using mobile devices such as laptops, tablets and smart phones.

Mobile devices are everywhere; homes, schools, businesses, and are more and more prevalent  in health care environments in the growing Bring Your Own Device (BYOD) environments. Health care professionals use text messaging to communicate with each other about patient statuses. Medical schools now provide the residents with tablets to use as textbooks and to do rounds with patients. With the use of mobile devices increasing, HIPAA technology compliance issues are hidden everywhere. Recently the website HealthIT.gov posted a number of tips to ensure compliance.
Questioning Your HIPAA Compliance
Break out your HIPAA compliancy plan and check it over.  Keep these questions in mind.

  • Are the personal devices used for work registered?
  • Are you using a Virtual Privacy Network (VPN) to exchange information? 
  • Do you back up PHI from mobile devices on servers?
  • Who owns the devices?
  • Do your policies and procedures address mobile devices?
  • Is your workforce properly trained on their mobile devices? 
  • Can you remotely "wipe" (erase)  devices? 

The answers to these questions might surprise you. Depending on your most recent analysis, the security risk may not be fully considered in your current policies or training. Even if you require physicians and employees to use your mobile device, they could be using their personal phones to take pictures or text about your patients. A current assessment is warranted given the new OCR (Office for Civil Rights) and ONC (Office of the National Coordinator)  educational materials.

Security Tips for Mobile Device
OCR and ONC recommend the following measures to ensure that PHI is secure on mobile devices:

  • Use a password or other user authentication. You can also activate an automatic, timed screen lock on the device for added security
  • Install or enable security software
  • Install or enable encryption
  • Install or enable firewalls
  • Install or activate remote wiping and/or disabling
  • Keep your security software up to date
  • Research apps before downloading
  • Disable or do not use file-shared applications
  • Use adequate controls when using Wi-Fi Click here to more information
  • Maintain physical control
  • Delete all stored PHI before reusing or discarding a device
  • Remove devices that have not been used for a period of time

Consider implementing these security precautions as part of your policy development and training of workforce members. Although the changes are not required under HIPAA, they lay the foundation for best practices and should be at least analyzed and documented as part of a risk assessment under the HIPAA security rule.