Question
When is HIPAA security required for mobile devices?
Answer
HIPAA has a lot of implications and things you have to consider around the use of mobile devices. For today's purposes, I'm going to consider a mobile device to be a laptop, a tablet, a phone, or a smartwatch. We have to be very cognizant of all of the rules around these mobile devices.
Every practice needs to decide whether it wants to allow, by policy, its staff to access ePHI on mobile devices that the facility or practice does not own. That's your first decision. If you do allow that, then you need to write policies around those two separate pathways: practice-owned devices and personal devices. Many entities that work in large medical facilities would never allow people to access ePHI on a personal device. They have a lot of rules around that, and you have to log into a portal with multi-step authentication to be able to do anything. You have to determine what the rules are for your practice. Let's say you are allowing access to ePHI on a mobile device. You need to make sure that you use a password or other user authentication. There have to be steps to open the device itself before getting into the software. The first step is having to use a password to get into the laptop or other device.
You need to install and enable encryption. We should not be communicating any ePHI to any entity, including the patient, without going through an encrypted service. You can communicate with the patient about an appointment. You can communicate with the patient about services they need, such as a COVID test, what your policies are, or reminders. But you cannot communicate any ePHI, any test results, or anything specific to that patient without going through an encrypted service.
Install and activate remote wiping and/or remote disabling. I am an Apple person, so that's the example I'm going to give. Essentially, that's where you find your iPhone and kill it remotely. At any point in time, you can go to a third-party site and literally make that device a brick so that it doesn't function anymore. That's what you need to be able to do. If you have a device that is transmitting or storing ePHI, you need to be able to remotely shut that device down and remotely wipe it.
Disable, and do not install or use, file-sharing applications such as Dropbox that multiple people, including people outside your facility, can access or utilize. This is especially important in your home or other location. You don't want to use file sharing when you're communicating about ePHI. The entity that might be file sharing with you may not be allowed access to that ePHI. The rule of thumb is to turn off all file sharing unless you're keeping everything internal-only within your practice.
Install and enable a firewall as well as security software, such as Norton or another protection product. Keep your software up to date. When your vendor provides a software update, whether that's Microsoft, Android, or Apple with an iOS update, make sure you download it and keep your software updated. Many times those iOS updates are bug and security fixes. That's why you always want to keep the device up to date and current.
Maintain physical control. If you are traveling with a device that stores or transmits ePHI, you want to make sure you keep that device on your person as much as possible. If you are doing work and accessing ePHI, you should not be on a public Wi-Fi network, whether that's at the library, Starbucks, or in your own hospital. You should never be doing report writing, communicating with your patients, or anything else that involves protected health information on a public, unsecured network. Make sure that, before you recycle a laptop, a tablet, your watch, or a phone, you have completely wiped that device. Delete everything off the device before it is either recycled or destroyed.
This Ask the Expert is an edited excerpt from the course, HIPAA for Allied Health Professionals, presented by Kim Cavitt, AuD.