Mobile devices (e.g., phones and tablets) are changing the way consumers access and request their health information. Some significant drivers of potential lawsuits against physicians or practices include mobile access by smartphones and tablets with Electronic Health Records (EHRs). Liabilities may incur for a reason of basic treatment errors and for the lack of office policies and systems. In the advent of mobile health care technology and its integration with EHRs, this raises new concerns for patient safety and medical professional liability claims.
When deciding whether to use mobile devices, consider how they will affect the risks (breach of data to the public) to Protected Health Information (PHI), and how to protect and secure health information and data breaches.
Conducting a risk analysis will help identify potential risks and determine what safeguards, and policy and procedures are needed. A mobile device risk management strategy could be to perform a risk analysis on a new mobile device, if a device has been lost or stolen; or, when it is suspected that health information has been compromised.
A mobile risk management strategy could include:
- Understanding how the user plans on using mobile devices and its applications
- Identifying potential unauthorized access to sensitive data
- Impact to the business based on lost devices and threats
- Impact to patient files based on lost devices and threats
- Policies and procedures to protect the business - strong passwords, encrypted data, current operating systems, antivirus
- Manageable procedural and technical controls and monitoring their effectiveness
When a mobile device is stolen, the law requires you to notify your patients when any identifying information is unencrypted. Unencrypted information includes any two-pieces of PHI, patient's first and last name, unique identification, social security number, passport number, driver's license number, credit card number, credit card PIN, etc.
HIPAA rules require that any breach of information, including lost or stolen information, be listed on your disclosure logs.
The Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have collaborated to provide tips and information related to the protection and security of health information on mobile devices. For more information, visit:
Authored by
Allan Ridings
Senior Risk Management & Patient Safety Specialist
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.