29 Jun 2018

Mobile Devices and HIPAA

According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individuals’ electronic protected health information (“ePHI”) that is “created, received, used, or maintained by a covered entity.”

Unauthorized disclosure of PHI is a risk because mobile devices store data on the device itself in one of two ways:

1.  Within the computer “onboard memory”

2.  Within the SIM card or memory chip

Thus, mobile devices used to exchange ePHI retain a record of that data on the device. In addition, mobile devices may not restrict user access to data through the use of encryption software or authentication features. Therefore, covered entities must be aware of the unique security risk inherent in using mobile devices to exchange ePHI.

Mobile devices are particularly vulnerable to loss and theft because of their small size and portability. The most common form of security breach is the theft of mobile devices. Mobile devices are typically small, light and highly visible to would-be thieves looking for an opportunity to take a phone left behind in a public space, such as at a restaurant.

In addition, unlike with laptops and PCs, clinicians are far more likely to use their own personal mobile devices, rather than employer-issued mobile devices, to access and exchange ePHI. The use of mobile devices to access ePHI raises several risks for health care providers:

  • Authentication – Mobile device users do not tend to enter passwords or provide biometric identification to access information stored on the mobile device. The lack of authentication on mobile devices presents a risk that any user of the device could access ePHI stored on it.

  • Encryption – Typically, data stored on personal mobile devices is not encrypted. Thus, ePHI stored on a mobile device could be retrieved and shared by anyone with access to the device.

  • Wi-Fi Connection – Mobile devices that use public Wi-Fi or unsecured cellular networks to send and receive information risk exposing ePHI. Unless mobile device users connect to a secure web site to transmit data or connect using a VPN (“virtual private network”), which encrypts data to and from the mobile device, there is a risk that ePHI could be compromised.

The HIPAA Security Rule allows healthcare providers to communicate electronically with patients, such as through email, but the law requires covered entities to “apply reasonable safeguards when doing so.” Importantly for healthcare professionals and their employers, the Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” Issues regarding each of these types of safeguards pertaining to mobile devices are summarized below.

Administrative Safeguards: Administrative safeguards “provide management, accountability and oversight structure for covered entities to ensure proper safeguards and policies and procedures are in place” to protect ePHI. Administrative safeguards include, but are not limited to, the following:

  • Conducting periodic risk assessments of mobile device use, including an assessment of whether personal mobile devices are being used to exchange ePHI and whether proper authentication, encryption and physical protections are in place to secure the exchange of ePHI;

  • Establishing an electronic process to ensure that ePHI is not destroyed or altered by an unauthorized third party;

  • Establishing processes and procedures to appropriately protect ePHI in a mobile device environment, including encryption and security breach protocols for mobile device use, among others;

  • Training clinicians on the processes and procedures to follow when using mobile devices to access ePHI, and educating clinicians on the risks of data breaches, HIPAA violations and fines.

Physical Safeguards: It is important to provide physical safeguards to protect ePHI stored on and exchanged by mobile devices. Typical steps healthcare providers take to safeguard mobile devices include:

  • Keeping an inventory of personal mobile devices used by healthcare professionals to access and transmit ePHI;

  • Storing mobile devices in locked offices or lockers;

  • Installing mobile device management programs to help locate a lost or stolen mobile device;

  • Using remote shutdown tools to prevent data breaches by remotely locking mobile devices.

Technical Safeguards: Technical safeguards, such as encryption, can protect ePHI transmitted between healthcare provider and patient. Technical safeguards are the “automated processes used to protect data and control access to data.” Examples of technical safeguards for mobile devices include, but are not limited to, the following:

  • Installing and regularly updating anti-malware software (software that detects and blocks malicious software, or “malware”) on mobile devices;

  • Installing firewalls where appropriate;

  • Applying encryption to ePHI and its metadata;

  • Installing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy and continued access to electronic health information;

  • Adopting biometric authentication tools to verify that the person using the mobile device is authorized to access the ePHI;

  • Ensuring mobile devices use HTTPS (“Hypertext Transfer Protocol Secure”), the encrypted protocol used in banking and financial transactions, to provide encrypted communication and secure identification of the web server.

If you have more questions or feel overwhelmed by this information, feel free to reach out to Patrice at 973.448.0070 ext 311 or email pschaffer@navitend.com.
