Can you imagine a world without mobile devices? Of course not. Mobile devices have taken over our world and are used everywhere. They have a great influence on our lives and are very convenient for helping us stay connected. In health care, providers may use them to access electronic protected health information (ePHI). But is the use of mobile devices allowed by the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA mandates industry-wide standards for health care information on electronic billing and other processes and defines the protection and confidential handling of protected health information.
“The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.”
The HIPAA Security Rule defines standards for the confidentiality, integrity, and availability of electronic protected health information that apply to covered entities. When using mobile devices, covered entities must comply with the Rules’ requirements to protect the privacy and security of health information.
The HIPAA Rules don’t define specific types of technology, but “establish the standards for how covered entities and business associates may use or disclose ePHI through certain technology while protecting the security of the ePHI by requiring analysis of the risks to the ePHI posed by such technology and implementation of reasonable and appropriate administrative, technical, and physical safeguards to address such risks.”
Bottom line: If an organization allows the use of mobile devices for work, the organization is responsible for reasonable and appropriate policies and procedures. This includes any configuration requirements for mobile devices used by providers and professionals for work.
But what happens when a mobile device is lost or stolen? This is a common scenario because of their small size and portability, so it is important to know what to do when it happens. The HIPAA Privacy Rule requires a Privacy Officer.
If you are allowed to store data on your mobile device, back up the data regularly to a secure server. If the mobile device is lost or stolen, the data will still be available on the secure server.
Also, make sure you install and enable encryption. “Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users.”
Finally, the key to protecting health information is privacy and security awareness and training that keep pace with an ever-changing work environment. Sensitive health information will not be protected unless the people working with it develop a sense of “security awareness.”
Check out PCG’s services to learn more about privacy and security awareness and training. PCG’s privacy and security toolkit provides access to a Virtual Privacy and/or Security Officer along with a library of policies and procedures, standardized training tools, documents, forms, and templates.