The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently issued guidance emphasizing the increased risks of using mobile devices in the workplace when the mobile devices contain or have access to sensitive data. Particularly, OCR warns of the risks of the use of mobile devices by healthcare organizations when the mobile devices are used to create, receive, maintain or transmit electronic protected health information (“ePHI”) that is protected by the Health Insurance Portability and Accountability Act (“HIPAA”).
Under the HIPAA Security Rule, covered entities and their business associates are required to conduct a risk analysis of the organization’s security risks and vulnerabilities and address identified vulnerabilities. OCR highlights that compliance with the Security Rule requires organizations to include mobile devices in the risk analysis and to address the inherent risks “to a reasonable and appropriate level.” A significant portion of reported settlements of alleged HIPAA claims have involved lost or stolen mobile devices that were not addressed in a risk assessment or not appropriately secured. In some cases, settlements for alleged non-compliance involving mobile devices have exceeded $2 million.
In addition to their inherent risk of being lost or stolen, OCR notes the following risks of using mobile devices to store or transmit ePHI:
- Use of personal mobile devices. The use of personal mobile devices by employees raises concerns because the organization is not entirely in control of the devices. OCR states that if an organization permits the use of personal mobile devices, the devices must be included and addressed in the organization’s risk analysis. Organizations must require that personal devices be secured in a manner that reduces the risk of breach and enforce the requirements. Ideally, an organization would have the ability to remotely access mobile devices, both personal and otherwise, in order to terminate access to ePHI if necessary. If an entity does not permit the use of personal mobile devices, it should have clear policies prohibiting their use and enforce the prohibition.
- Default vendor settings. OCR notes that mobile devices are often delivered with default settings that are unsecure. Organizations should evaluate the settings and ensure that the devices are secure prior to deploying them for use to store or transmit ePHI. For example, default settings may permit automatic connection to unsecure internet networks or make access available to other mobile device users.
- Workforce Errors. Errors by workforce members in using mobile devices that store or access ePHI is a significant risk. OCR emphasizes the important of training workforce members on the use of mobile devices, including the dangers of using unsecure internet networks and the risks of viruses and malware from improper use or downloads. OCR suggests prohibiting the downloading of third-party applications, securely separating ePHI from applications, and verifying that applications only have the minimum necessary access to the device.
At a minimum, mobile devices used to store or transmit ePHI should be password protected and encrypted. OCR suggests several other tips to help protect and secure ePHI on mobile devices, including the use of mobile device management software and deleting all epHI stored on a mobile device before disposing of or reusing the device. Finally, due to the evolving nature of technology and regular updates and upgrades to mobile devices, organizations should routinely reassess mobile device security as part of ongoing HIPAA compliance.