According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic protected health information (“ePHI”) that is “created, received, used, or maintained by a covered entity.”[6] Unauthorized disclosure of PHI is a risk because mobile devices store data on the device itself in one of two ways: (1) within the device’s “onboard memory”; or (2) within the SIM card or memory chip.[7] Thus, mobile devices used to exchange ePHI retain a record of that data on the device. In addition, mobile devices may not restrict user access to data through the use of encryption software or authentication features. Therefore, covered entities must be aware of the unique security risks inherent in using mobile devices to exchange ePHI.
In addition, unlike laptops and PCs, clinicians are far more likely to use their own personal mobile devices, rather than employer-issued mobile devices, to access and exchange ePHI. An estimated 81 percent of 2,041 physicians surveyed use personal mobile devices, whether a BlackBerry, Android or iPhone, to access ePHI, such as patient records.[9]
Issues regarding each of these types of safeguards pertaining to mobile devices are summarized below.
Administrative Safeguards: Administrative safeguards “provide management, accountability and oversight structure for covered entities to ensure proper safeguards and policies and procedures are in place” to protect ePHI.[13] Administrative safeguards include, but are not limited to, the following:
- Conducting periodic risk assessments of mobile device use, including an assessment of whether personal mobile devices are being used to exchange ePHI and whether proper authentication, encryption and physical protections are in place to secure the exchange of ePHI;
- Establishing an electronic process to ensure that ePHI is not destroyed or altered by an unauthorized third party;[14]
- Establishing processes and procedures to appropriately protect ePHI in a mobile device environment, including establishing encryption and security breach protocols for mobile device use, among others;[15]
- Training clinicians on the processes and procedures to use when using mobile devices to access ePHI and educating clinicians on the risks of data breaches, HIPAA violations and fines.
Physical Safeguards: It is important to provide physical safeguards to protect ePHI stored on and exchanged by mobile devices. In less than two years, from September 2009 through May 2011, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) reported “116 data breaches of 500 records or more from the loss or theft of a mobile device, exposing more than 1.9 million patients’ PHI.”[16] Typical steps healthcare providers take to safeguard mobile devices include:
- Keeping an inventory of personal mobile devices used by healthcare professionals to access and transmit ePHI;[17]
- Storing mobile devices in locked offices or lockers;
- Installing radio frequency identification (“RFID”) tags on mobile devices to help locate a lost or stolen mobile device; and,
- Using remote shutdown tools to prevent data breaches by remotely locking mobile devices.
Technical Safeguards: Technical safeguards, such as encryption, can protect ePHI transmitted between healthcare provider and patient. Technical safeguards are the “automated processes used to protect data and control access to data.”[18] Examples of technical safeguards for mobile devices include, but are not limited to, the following:
- Installing and regularly updating anti-malware software (software that detects and blocks malicious software, or “malware”) on mobile devices;
- Installing firewalls where appropriate;
- Applying encryption to ePHI and metadata;[19]
- Installing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy and access to electronic health information;
- Adopting biometric authentication tools to verify that the person using the mobile device is authorized to access the ePHI; and,
- Ensuring mobile devices use Hypertext Transfer Protocol Secure (“HTTPS”), the encrypted protocol used in banking and financial transactions, to provide encrypted communication and secure identification of the network web server.
Clinicians and patients alike will continue to use mobile devices to communicate with each other, and the exchange of ePHI over those devices is likely to keep increasing.
Your healthcare practice must work with a technology company that meets HIPAA compliance standards. Ensure you have a technology partner who can take care of all your HIPAA consulting needs. We are here to help you.