The Department of Health and Human Services (HHS) recently published additional guidance for compliance with the HIPAA Security Rule in order to address concerns raised by recent security breaches—i.e., laptop theft and the use of other portable or mobile devices that contain or store electronic protected health information (EPHI). With this guidance, covered entities are now required to conduct risk planning, implement policies, and provide training for the use of portable devices and remote access devices.

The HIPAA Privacy and Security Rules require covered entities to protect the EPHI they maintain or disclose to business associates. Generally, HIPAA defines the term "covered entity" to include any health care provider, health plan, or health care clearinghouse that creates, stores or transmits protected health information (PHI). Changes in technology allow for improvements in storing and transmitting data but also create additional risks of loss and unauthorized disclosure of EPHI. For example, use of flash drives, home-based personal computers, PDAs, public computer workspaces, e-mail, and remote access devices can leave electronic data vulnerable and subject to loss or breach. With these risks in mind, covered entities that create, store or transmit EPHI using various portable devices are now required to:

  • Conduct a Risk Analysis associated with these risks, and create Risk Management Strategies to protect health information and reduce the threat of unauthorized disclosure;
  • Create necessary policies and procedures for safeguarding the information and access to data under these new systems and technology;
  • Modify security incident procedures to address the risk of loss of EPHI via portable media or systems; and
  • Create training programs on these new policies and procedures.

Offsite use of or remote access to EPHI is permitted, but should be limited to situations where it is clearly determined to be necessary, and where policies, procedures and training that are compliant with the HIPAA Privacy Rule are also in place.