Are Mobile Devices HIPAA Compliant?

Guest Blog Post by Jim Sheldon-Dean

Healthcare providers are subject to all the same pressures to adopt new technologies that any modern business is, including using portable devices such as smart phones and tablets.  Such technologies can help improve patient care and the overall patient experience, while cutting costs and improving efficiencies of operation.  But providers also have obligations to protect patients’ “PHI”, or Protected Health Information¹ , under HIPAA.  Mobile devices have shown themselves to be a prime source of breaches, according to information published on the US Department of Health and Human Services Web site known informally as the “HIPAA Wall of Shame.”²

Under the HIPAA Security Rule, entities must consider the security of data in motion and at rest and take the necessary steps to protect it from improper uses or disclosures.³   When PHI is sent to a portable device, there are two considerations.  First, is the communication secure?  Do we know who are the parties that are communicating, and is the method of communication protected from interception or alteration?  Any transmission of PHI for professional purposes must be secured by encryption to manage the risks of exposure or alteration.  Second, once the information is on the device, is it protected from improper disclosures?  For mobile devices, this means not maintaining the data on the device, or encrypting or deleting any PHI so that if the device is lost the data cannot be accessed.

Mobile devices must be managed so that if they are lost or stolen, or simply used by another party, the PHI is protected.  Most mobile devices, straight out of the box, are not secured and can become the source of a significant breach of security that must be reported and can have significant repercussions for the organization.  But when properly configured and managed, most modern mobile devices can provide very good protection of PHI.  Once-exotic technologies such as fingerprint recognition and remote disabling of devices or removal of content are now commonplace.

A Mobile Device Management (MDM) tool can allow administrators, remotely, to set and enforce risk-based policies, control mobile security via centralized controls and dashboards, require encryption and strong passwords, and run risk analytics and compliance reports, so that compliance can be verified.  Security provided by MDM tools may include mobile app scanning and features to actively protect against malware, unauthorized data access and phishing.  Mobile application management allows the organization’s approved apps to be cataloged, pushed and deleted, so that only approved tools can be used for handling PHI.

Using secure VPN communications as part of a mobile device management solution isolates users from network attacks.  Patient information can be protected by encryption while in transit, and may be protected through an auto-destruct feature that deletes the PHI when a time limit is reached.  And, finally, if the device is lost or stolen, remote data-wiping and auto-disabling can be tightly managed.  But be sure to inform your users that they are responsible for backing up their personal information, and if the device is lost or stolen, or if their password is forgotten and an auto-wipe is triggered, they may lose their cherished photographs!

Whether an organization provides mobile devices to their staff or allows them to use their own device at work, the communications and apps used, and the mobile device management tools used to manage them, must help enable good compliance by enabling centralized, auditable controls that can ensure protection from issues relating to the confidentiality, integrity, and availability of PHI.

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.
Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit.

HIPAA Regulation 45 CFR § 160.103 Definitions
HHS Web page, “Breaches Affecting 500 or More Individuals,”
HIPAA Regulation 45 CFR § 164.312 Technical Safeguards