As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers  create a “culture of compliance and awareness” and to protect patients’ Protected Health Information (“PHI”).  While the material is focused on health care professionals, the information is also applicable to group health plan professionals and their business associates who use mobile devices to store and transmit PHI in connection with administration of group health plans.

In December 2012, HHS launched a new initiative called Mobile Devices: Know the RISKS.  Take the STEPSPROTECT and SECURE Health Information.  HHS also launched an educational webpage on safeguarding PHI on mobile devices.  The website includes five YouTube videos describing common compliance challenges with mobile devices.  The website also includes helpful resources that can be used to supplement HIPAA compliance training for employees of covered entities (and their business associates).  HHS’s educational website, videos and resources are available at www.HealthIT.gov/mobiledevices.  HHS cautions that these resources are only informational and do not guarantee compliance with HIPAA or other applicable laws.

By way of summary, HHS’s recommends the following five step plan that organizations can use to manage mobile devices:

  1. DECIDE: The health care provider must decide whether mobile devices will be used to access, receive, transmit, or store patient’s health information or be used as part of the organization’s internal networks or systems (e.g., Electronic Health Records system).
  2. ASSESS: The health care provider must consider how mobile devices affect the risks (threats and vulnerabilities) to the PHI that the health care provider holds.
  3. IDENTIFY: The health care provider must identify its mobile device risk management strategy, including privacy and security safeguards.
  4. DEVELOP, DOCUMENT, and IMPLEMENT: The health care provider must develop, document, and implement its mobile device policies and procedures to safeguard health information.
  5. TRAIN: The health care provider must train providers and professions on mobile device privacy and security awareness.

Regardless of whether the mobile device is personally owned and used at work (“bring your own device” or “BYOD”) or provided by the organization, a mobile device is susceptible to PHI privacy and security risks.  A mobile device can be lost or stolen.  An employee may inadvertently download viruses or other malware.  An employee may use a mobile device on an unsecured Wi-Fi network and may unintentionally disclosure PHI to unauthorized users.  HHS’s mobile device educational website offers the following tips to protect and secure health information:

  1. Use a password or other user authentication.
  2. Install and enable encryption.
  3. Install and activate wiping and/or remote disabling.
  4. Disable and do not install file-sharing applications.
  5. Install and enable a firewall.
  6. Install and enable security software.
  7. Keep security software up to date.
  8. Research mobile applications (apps) before downloading.
  9. Maintain physical control of your mobile device.
  10. Use adequate security to send or receive health information over public Wi-Fi networks.
  11. Delete all stored health information before discarding or reusing the mobile device.

Here is a link to HHS’s educational video series that provides scenarios of some common risks health care providers may face when using a mobile device for patient care. http://www.healthit.gov/providers-professionals/videos