Mobile Device Use

William R. Pupkis, CMPE, Healthcare Consultant

As patients and clinicians increasingly use mobile devices to communicate with each other, concerns about the security of protected health information (PHI) should be raised.  There are strict HIPAA compliance standards regarding the security of mobile devices whenever PHI is created, stored, accessed, sent, or received.

Unauthorized disclosure of PHI is a risk because mobile devices store data on the device itself in one of two ways, either within the computer’s “on board” memory, or within a SIM card or memory chip.  This data (including backup data) must be encrypted both while it is at rest on the mobile device and while it is in transit.  If anyone in your medical practice uses a mobile device to send or receive PHI via non-encrypted transmission, he or she is in violation of HIPAA and therefore puts the practice at risk. Remember, “regular” e-mail is not encrypted and should never be used with or for any PHI.

There are many ways to safeguard electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity (your practice is considered a covered entity).  You can start by frequently applying security updates and using the most current operating system available.  Turn off Wi-Fi, location services, and Bluetooth functionality when not using the device.  It is possible for others to “discover” your device when these functions are enabled and your mobile device is in an unsecure internet environment.  Without proper security, unauthenticated devices could access and transfer data from your device.  Sign up for a service that can wipe your device clean if it is stolen or lost.  For example, with the iPhone that would mean installing the “Find my iPhone” app.

Capping the storage limit of your mobile device to 200 messages or 14 days of messages can help limit your liability.  To further reduce your practice’s liability, write and adhere to a policy of prohibiting users from installing and operating unauthorized software and hardware specific to PHI.  For practices with their own networks, IT staff or vendors should set up a virtual private network (VPN) between the network and all mobile devices.  A VPN lets you establish a secure internet connection and encrypts the information you send and receive.  You can also use a secure browser connection.  If you see “https” in the website address, the connection is secure.

In addition, your policy should prohibit storing PHI on thumb drives and other portable media devices unless these devices meet the necessary encryption standards.  Also, if PHI needs to be sent or exchanged outside the network, require the use of a secure file transfer tool or secure file transfer protocol.  When upgrading or disposing of mobile devices, be sure PHI is securely deleted or destroyed.

These are just some of the basics to address when documenting and specifying the security measures your practice will need to take.  Bear in mind that every practice has different needs that will require its own, customized plan to protect PHI.  Be sure you know the features of your mobile device(s) and take the necessary security measures to stay compliant, even on the go.

For more information and resources, visit:

Terms and Conditions

Statements and opinions expressed in the Newsletter, Preferred Talk, are those of the author(s) and do not necessarily reflect those of DT Preferred Group, LLC. DT Preferred Group, LLC makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. In publishing this Newsletter, neither the authors nor DT Preferred Group, LLC are engaged in rendering medical or other professional service. If medical advice or other expert assistance is required, the services of a competent professional should be sought. DT Preferred Group, LLC will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at any time.


This entry was posted on Monday, June 30th, 2014 at 6:01 pm and is filed under Practice Management.