The use and transmission of protected health information (“PHI”) over mobile devices such as cell phones and tablets have increased dramatically in recent years. Common uses include texting patients, e-mailing nurses, or accessing medical records on an iPad. These tools can increase efficiency; however, they can also increase the risk of a security breach. Common breach scenarios include lost or stolen devices, hacking, and unauthorized web access.
The HIPAA Security Rule generally allows health care practices to communicate electronically with mobile devices provided reasonable safeguards are in place to protect against breaches. In order to help protect PHI, HIPAA covered entities that use mobile devices should consider the following steps to minimize liability risks associated with using mobile devices:
Covered entities must use technical safeguards to protect PHI. Covered entities should use a variety of technical safeguards, including:
- Mobile Apps: For all mobile devices, limit the apps that can be installed on the device so that an app containing a security flaw is not inadvertently installed.
- Text Messaging: Standard text messaging is insecure and should not be used for PHI unless software that secures the messages is purchased.
- Encryption: HIPAA guidance strongly emphasizes the importance of encrypting data. In the event of an audit, auditors will likely focus on whether the covered entity encrypted its data. Several applications can be used to encrypt data including TouchDown.
- Mobile Device Hardware Features: Mobile devices usually have a wide variety of built-in features that help protect PHI. These include password protection, automatic locking, remote wiping, firewalls, and location-tracking software. These features should be enabled at all times.
- Standards for Passwords/Locking/Remote Wiping: Covered entities should set minimum standards for the features described above. For example, passwords or PINs should consist of at least five (5) characters. Staff should change passwords at least once every three months. Automatic locks on mobile devices should activate after two (2) minutes or less of inactivity. Finally, the device should be set to automatically wipe after five (5) unsuccessful login attempts.
- Factory Restore Features: Disposing of mobile devices properly is a frequent issue for covered entities. When a covered entity disposes of mobile devices, it should perform a factory reset before discarding each device to remove all sensitive data.
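The minimum standards above (a five-character PIN, password changes at least every three months, auto-lock within two minutes, wipe after five failed logins, and encryption enabled) are only useful if someone checks that every device actually meets them. The following Python script is an added example, not part of the original article: it audits a device inventory against those thresholds and lists the devices and settings that fall short. The `DeviceRecord` fields, the sample records, and the audit date are constructed for illustration; in practice the records would be exported from the practice's mobile device management tool.

```python
"""Audit a mobile-device inventory against minimum configuration standards.

Added example, not from the original article. The thresholds follow the
standards stated in the article; the record layout and sample devices are
constructed assumptions, not a real MDM export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Minimum standards stated in the article.
MIN_PIN_LENGTH = 5                     # at least five (5) characters
MAX_PASSWORD_AGE_DAYS = 90             # change at least every three months
MAX_AUTOLOCK_SECONDS = 120             # lock after two (2) minutes or less
MAX_FAILED_ATTEMPTS_BEFORE_WIPE = 5    # wipe after five (5) failed logins


@dataclass
class DeviceRecord:
    """One device from the practice's inventory (constructed field names)."""
    device_id: str
    owner: str
    pin_length: int
    password_last_changed: date
    autolock_seconds: int            # 0 means auto-lock is disabled
    wipe_after_failed_attempts: int  # 0 means auto-wipe is disabled
    encrypted: bool
    remote_wipe_enrolled: bool       # enrolled in remote-wipe management


def audit_device(device: DeviceRecord, today: date) -> list[str]:
    """Return a list of findings for one device; empty means compliant."""
    findings: list[str] = []

    if device.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN too short ({device.pin_length} < {MIN_PIN_LENGTH})")

    password_age_days = (today - device.password_last_changed).days
    if password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password not changed for {password_age_days} days")

    # A disabled auto-lock (0) is worse than a slow one, so treat both as failures.
    if device.autolock_seconds == 0 or device.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append(f"auto-lock timeout {device.autolock_seconds}s exceeds "
                        f"{MAX_AUTOLOCK_SECONDS}s or is disabled")

    if (device.wipe_after_failed_attempts == 0
            or device.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS_BEFORE_WIPE):
        findings.append(f"wipe threshold {device.wipe_after_failed_attempts} "
                        f"exceeds {MAX_FAILED_ATTEMPTS_BEFORE_WIPE} or is disabled")

    if not device.encrypted:
        findings.append("device storage is not encrypted")

    if not device.remote_wipe_enrolled:
        findings.append("device is not enrolled for remote wipe")

    return findings


def audit_inventory(devices: list[DeviceRecord], today: date) -> dict[str, list[str]]:
    """Map device_id -> findings, including only devices with at least one finding."""
    report: dict[str, list[str]] = {}
    for device in devices:
        findings = audit_device(device, today)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory and audit date (not real devices).
AS_OF = date(2024, 5, 1)
SAMPLE_DEVICES = [
    DeviceRecord("TAB-001", "nurse-station", 6, date(2024, 3, 1), 60, 5, True, True),
    DeviceRecord("PHN-002", "dr-example", 4, date(2023, 11, 15), 300, 0, False, True),
    DeviceRecord("TAB-003", "front-desk", 6, date(2024, 4, 10), 0, 10, True, False),
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_DEVICES, AS_OF).items():
        print(device_id)
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints only the non-compliant devices, one finding per line, which is the form an auditor would expect to see alongside the inventory described later in the article.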
Covered entities also need to take advantage of physical safeguards to ensure the security of their PHI. Mobile devices can pose greater risks than workstations because employees may take them off-site. Covered entities should adopt several physical safeguards for mobile devices, including:
- Limiting Access: Covered entities should take steps to ensure that on-site mobile devices are physically secure. For example, limit access to the building generally and especially to sensitive areas. Covered entities may also wish to limit access to on-site mobile devices and workstations by keeping them in locked cabinets or safes while not in use.
- Security Monitoring: The worksite should be protected by physical security systems, such as burglar alarms, surveillance cameras, or security guards.
- On-Site Storage: Mobile devices pose unique challenges, especially when staff have access to PHI on personal devices. If your practice uses company-provided mobile devices, consider requiring employer-owned mobile devices to be stored on-site.
In addition to taking physical and technical steps to safeguard PHI on mobile devices, the covered entity must adopt administrative safeguards. These steps include:
- Inventory PHI. A key step to safeguarding PHI is to determine all of the places where PHI is stored and the ways in which it can be accessed. Your practice should keep an inventory of all mobile devices used that contain PHI, which will help ensure that all risk areas are identified.
- Monitor downstream mobile device policies. A covered entity may be liable for data breaches by a business associate if the covered entity knew about wrongful use or disclosure issues and did not take steps to resolve them. This liability could potentially include a business associate’s wrongful use of mobile devices. There are a number of ways to address these risks, including:
  - Purchasing cyber-liability insurance coverage;
  - Using a remote use agreement (especially where employees or business associates use their own devices); or
  - Developing a policy with business associates that prohibits unsecured use of devices.
- Establish policies and procedures. Policies and procedures on mobile device security should be in place and updated regularly. These policies should include ongoing (at least annual) staff education. Regular compliance reminders should be posted throughout the office.
- Involve all levels of the organization in compliance. OCR examines covered entities closely to determine whether compliance is taken seriously at all levels of the organization. Involving senior management in compliance planning has two important advantages: it can help minimize the risk of a breach and lead to more favorable outcomes from audits and other investigations.
- Establish breach reporting procedures. The loss or theft of a mobile device that contains confidential information must be immediately reported to the employee’s supervisor. Employees should authorize the Company to install software that enables the Company to remotely wipe data from any mobile device connected to its network.
Covered entities continue to find new and innovative ways to use mobile devices in healthcare. As a result, HIPAA will continue to be an issue for medical mobile device users. By taking the above steps, covered entities can help to minimize the risks associated with the increased use of mobile devices.