According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic protected health information (“ePHI”) that is “created, received, used, or maintained by a covered entity.”[6] Unauthorized disclosure of PHI is a risk because mobile devices store data on the device itself in one of two ways: (1) within the device’s “onboard memory”; or (2) within the SIM card or memory chip.[7] Thus, mobile devices used to exchange ePHI retain a record of that data on the device. In addition, mobile devices may not restrict user access to data through the use of encryption software or authentication features. Therefore, covered entities must be aware of the unique security risk inherent in using mobile devices to exchange ePHI.
In addition, unlike laptops and PCs, clinicians are far more likely to use their own personal mobile devices, rather than employer-issued mobile devices, to access and exchange ePHI. An estimated 81 percent of 2,041 physicians surveyed use personal mobile devices, whether a BlackBerry, Android or iPhone, to access ePHI, such as patient records.[9]
Issues regarding each of these types of safeguards pertaining to mobile devices are summarized below.
Administrative Safeguards: Administrative safeguards “provide management, accountability and oversight structure for covered entities to ensure proper safeguards and policies and procedures are in place” to protect ePHI.[13] Administrative safeguards include, but are not limited to, the following:
Physical Safeguards: It is important to provide physical safeguards to protect ePHI stored on and exchanged by mobile devices. In less than two years, from September 2009 through May 2011, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) reported “116 data breaches of 500 records or more from the loss or theft of a mobile device, exposing more than 1.9 million patients’ PHI.”[16] Typical steps healthcare providers take to safeguard mobile devices include:
Technical Safeguards: Technical safeguards, such as encryption, can protect ePHI transmitted between healthcare provider and patient. Technical safeguards are the “automated processes used to protect data and control access to data.”[18] Examples of technical safeguards for mobile devices include, but are not limited to, the following:
Clinicians and patients alike will continue to use mobile devices to communicate with each other, and the exchange of ePHI over those devices is likely to continue to increase.
Your healthcare practice must have a technology company that meets HIPAA compliance standards. Ensure you have a technology partner who can take care of all your HIPAA consulting needs. We are here to help you.