Smartphones, iPads, tablets, and laptop computers are common tools used by physicians in their medical practices. But these devices are lost or stolen every day, and when the devices contain sensitive health care information, it could trigger Health Insurance Portability and Accountability Act (HIPAA) confidentiality issues.
According to the Office of Civil Rights (OCR), the agency that enforces the HIPAA Privacy and Security Rules, in the past two years, 116 data breaches related to lost or stolen mobile devices have exposed more than 1.9 million patients’ health information to breaches.
Before the end of 2012, OCR anticipates an increase in HIPAA compliance audits and physician practices will be included in the upcoming audits. Physicians, as HIPAA covered entities, must be HIPAA compliant. Therefore, all mobile devices used to communicate Patient Health Information (PHI) must be secure.
Typically, data stored on personal mobile devices are not encrypted. Thus, PHI stored on a mobile device could be retrieved and shared by anyone with access to the mobile device. Physicians can protect sensitive patient information in a variety of ways. As practices recognize the advantages of PHI, it is important to:
- Conduct a risk assessment of your mobile device
- Implement policies and procedures that address what to do when a mobile device is lost or stolen
Suggestions for Protecting ePHI on a Mobile Device
- ENCRYPTION. Many mobile devices can be encryption-enabled with proper programming. The use of encryption creates an exemption from HIPAA fines.
- AUTO-LOCK. Configure the auto-lock screen to appear after a brief time of inactivity has passed.
- REMOTE WIPE. Set the remote wipe feature so it can be activated if the wireless device is lost.
- WI-FI CONNECTION. Enable Wi-Finetwork security (WPA-2). Mobile devices that use public Wi-Fi or unsecured cellular networks to send and receive information risk exposing ePHI. Unless mobile device users connect to a secure website to transmit data, or connect using a VPN (“virtual private networking”) which encrypts data to and from the mobile device, there is a risk ePHI could be compromised.
- PASSWORDS. Create a complex password on the device with a combination of uppercase and lowercase letters, symbols, and numbers.
- STORAGE. Only store ePHI on these devices when absolutely necessary for business purposes and delete it as soon as feasible. Set a policy to save ePHI on your mobile device for no more than one month.
- TEXT MESSAGES. Text messages create liability because they are not automatically encrypted and may be stored on the SIM card in the phone. Some physicians attempt to use initials or other unidentifiable information, to de-identify ePHI. This practice may increase medical error if the generic reference to a particular patient is misunderstood by the receiving party.
The inherent cost of ePHI breaches and the increasing regulatory enforcement make it a priority for physicians to assess their privacy and security policies concerning mobile devices.
WANT MORE HIPAA COMPLIANCE RESOURCES? Get our free HIPAA Compliance Action Guide, filled with step-by-step advice and a helpful checklist for ensuring your practice stays compliant. Download the HIPAA Compliance Action Guide.
Author Ann Whitehead is Vice President of Risk Management & Patient Safety for the Cooperative of American Physicians, Inc.
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.